Edit tour

Windows Analysis Report
https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102

Overview

General Information

Sample URL:	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102
Analysis ID:	1581294
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Misleading page title found

HTML body contains low number of good links

HTML body contains password input but no form action

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 1132 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2180,i,5626952089802990509,6601934023122150340,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4068 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

HTTP traffic detected: POST /api/landingPage/web_interaction HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveContent-Length: 76sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: https://online-ops.mypasschange.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 27 Dec 2024 09:36:03 GMTContent-Type: text/htmlContent-Length: 548Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 27 Dec 2024 09:36:12 GMTContent-Type: text/html; charset=utf-8Content-Length: 9Connection: closeX-Frame-Options: SAMEORIGINVary: origin

Source: chromecache_69.3.dr, chromecache_72.3.dr	String found in binary or memory: http://www.passwordmeter.com/)
Source: chromecache_69.3.dr, chromecache_72.3.dr	String found in binary or memory: http://www.todnem.com/)
Source: chromecache_69.3.dr, chromecache_72.3.dr	String found in binary or memory: https://github.com/mvhenten/string-entropy/blob/master/index.js

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: classification engine

Classification label: mal64.phis.win@16/29@6/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2180,i,5626952089802990509,6601934023122150340,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 --field-trial-handle=2180,i,5626952089802990509,6601934023122150340,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	100%	Avira URL Cloud	phishing
https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering

Source	Detection	Scanner	Label
http://www.todnem.com/)	0%	Avira URL Cloud	safe
https://online-ops.mypasschange.com/favicon.ico	100%	Avira URL Cloud	phishing
https://online-ops.mypasschange.com/static/images/phishing/DocusignDigitallySignDocument/landingPage/docusign_background.png	100%	Avira URL Cloud	phishing
https://online-ops.mypasschange.com/api/v2/decoy/web/login	100%	Avira URL Cloud	phishing
http://www.passwordmeter.com/)	0%	Avira URL Cloud	safe
https://online-ops.mypasschange.com/static/lib/jquery-1.11.1.min.js	100%	Avira URL Cloud	phishing
https://online-ops.mypasschange.com/static/css/landing/landing.css	100%	Avira URL Cloud	phishing
https://online-ops.mypasschange.com/api/landingPage/web_interaction	100%	Avira URL Cloud	phishing
https://online-ops.mypasschange.com/static/lib/password-meter.js	100%	Avira URL Cloud	phishing
https://online-ops.mypasschange.com/static/images/phishing/DocusignDigitallySignDocument/landingPage/login-form.png	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.google.com	142.250.181.68	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
online-ops.mypasschange.com	52.53.112.200	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://online-ops.mypasschange.com/static/images/phishing/DocusignDigitallySignDocument/landingPage/docusign_background.png	false	Avira URL Cloud: phishing	unknown
https://online-ops.mypasschange.com/favicon.ico	false	Avira URL Cloud: phishing	unknown
https://online-ops.mypasschange.com/static/lib/password-meter.js	false	Avira URL Cloud: phishing	unknown
https://online-ops.mypasschange.com/static/images/phishing/DocusignDigitallySignDocument/landingPage/login-form.png	false	Avira URL Cloud: phishing	unknown
https://online-ops.mypasschange.com/api/v2/decoy/web/login	false	Avira URL Cloud: phishing	unknown
https://online-ops.mypasschange.com/static/css/landing/landing.css	false	Avira URL Cloud: phishing	unknown
https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102	true		unknown
https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	true		unknown
https://online-ops.mypasschange.com/static/lib/jquery-1.11.1.min.js	false	Avira URL Cloud: phishing	unknown
https://online-ops.mypasschange.com/api/landingPage/web_interaction	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.todnem.com/)	chromecache_69.3.dr, chromecache_72.3.dr	false	Avira URL Cloud: safe	unknown
http://www.passwordmeter.com/)	chromecache_69.3.dr, chromecache_72.3.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mvhenten/string-entropy/blob/master/index.js	chromecache_69.3.dr, chromecache_72.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.181.68	www.google.com	United States	15169	GOOGLEUS	false
52.53.112.200	online-ops.mypasschange.com	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.9

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581294
Start date and time:	2024-12-27 10:34:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.phis.win@16/29@6/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.21.35, 142.250.181.142, 173.194.220.84, 216.58.208.234, 142.250.181.74, 172.217.19.202, 142.250.181.42, 172.217.19.10, 172.217.17.74, 142.250.181.138, 142.250.181.106, 172.217.19.234, 142.250.181.10, 172.217.17.42, 192.229.221.95, 172.217.17.35, 13.107.246.63, 23.218.208.109, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, azureedge-t-prod.trafficmanager.net, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102

Input	Output
URL: https://online-ops.mypasschange.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": true, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: https://online-ops.mypasschange.com
URL: https://online-ops.mypasschange.com/landingPage/2/... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet appears to be extracting email_guid and step_id_number from the current URL path, which is a common practice for web applications. This behavior does not indicate any high-risk or malicious activities, and it is likely part of legitimate functionality." }
var path = window.location.pathname; lastSlashIndex = path.lastIndexOf('/'); prevSlashIndex = path.lastIndexOf('/', lastSlashIndex-1); email_guid = path.substring(lastSlashIndex+1); step_id_number = path.substring(prevSlashIndex+1,lastSlashIndex);
URL: https://online-ops.mypasschange.com/landingPage/2/... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script appears to be collecting the user's local IP address using WebRTC, which is a moderate-risk behavior. However, there are no clear indicators of data exfiltration or other malicious intent, and the script seems to be focused on gathering technical information rather than sensitive user data. Overall, the script exhibits some potentially concerning behaviors, but the intent appears to be more benign than malicious." }
var path = window.location.pathname; lastSlashIndex = path.lastIndexOf('/'); prevSlashIndex = path.lastIndexOf('/', lastSlashIndex-1); email_guid = path.substring(lastSlashIndex+1); step_id_number = path.substring(prevSlashIndex+1,lastSlashIndex); var localIp = ""; $(function(){ try{ getLocalIp(); } catch(err){ return true; } var path = window.location.pathname; }); function getPluginsInfo(){ dataPlugins={}; return dataPlugins; } function getLocalIp(){ var RTCPeerConnection = window.webkitRTCPeerConnection \|\| window.mozRTCPeerConnection; var pc; if(RTCPeerConnection){ pc = new RTCPeerConnection({ "iceServers": [] }); if (1 \|\| window.mozRTCPeerConnection) pc.createDataChannel('', {reliable:false}); pc.onicecandidate = function (evt) { if (evt.candidate) { if (!localIp) { localIp = getIpFromString( evt.candidate.candidate ); } } }; pc.createOffer(function (offerDesc) {; pc.setLocalDescription(offerDesc); }, function (e) { console.error(e); }); function getIpFromString(a) { var r = a.match(/\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\b/); if (r == null) return null; return r[0]; } } }
URL: https://online-ops.mypasschange.com/landingPage/2/... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet appears to be a legitimate implementation of a web interaction tracking functionality. It uses standard web APIs like `fetch` and `setTimeout` to record user interactions on a landing page. The code does not exhibit any high-risk indicators, such as dynamic code execution, data exfiltration, or suspicious redirects. The use of a delay function and the conditional check for a single session execution are common practices to mitigate bot-related issues. Overall, this script seems to be a benign implementation of a typical web analytics or user interaction tracking feature." }
function sleep(ms) { return new Promise(resolve => setTimeout(resolve, ms)); } document.addEventListener("DOMContentLoaded", async () => { const guid = path.substring(lastSlashIndex + 1); const step_id_number = "2"; const qr_request = "False".toLowerCase() === "true"; // Ensure the function is called only once per session const params = { guid, step_id: step_id_number, qr_request}; await sleep(1000); // assuming that it might help against bot clicks fetch("/api/landingPage/web_interaction", { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(params) }).then(response => { if (response.ok) { console.log("Interaction recorded successfully"); } else { console.error("Failed to record interaction"); } }).catch(error => { console.error("Error:", error); }); });
URL: https://online-ops.mypasschange.com/static/lib/jqu... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "This appears to be the standard jQuery library, which is a widely used and trusted JavaScript library. It does not contain any high-risk indicators, such as dynamic code execution, data exfiltration, or suspicious redirects. The code is well-structured and does not exhibit any obfuscation or aggressive DOM manipulation. Overall, this is a low-risk script that is commonly used for legitimate web development purposes." }
/! jQuery v1.11.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license / !function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject\|\|this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]\|\|{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]\|\|{},h++),"object"==typeof g\|\|m.isFunction(g)\|\|(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(m.isPlainObject(c)\|\|(b=m.isArray(c)))?(b?(b=!1,f=a&&m.isArray(a)?a:[]):f=a&&m.isPlainObject(a)?a:{},g[d]=m.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},m.extend({expando:"jQuery"+(l+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===m.type(a)},isArray:Array.isArray\|\|function(a){return"array"===m.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){return!m.isArray(a)&&a-parseFloat(a)>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a\|\|"object"!==m.type(a)\|\|a.nodeType\|\|m.isWindow(a))return!1;try{if(a.constructor&&!j.call(a,"constructor")&&!j.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(k.ownLast)for(b in a)return j.call(a,b);for(b in a);return void 0===b\|\|j.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a\|\|"function"==typeof a?h[i.call(a)]\|\|"object":typeof a},globalEval:function(b){b&&m.trim(b)&&(a.execScript\|\|function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(o,"ms-").replace(p,q)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b,c){var d,e=0,f=a.length,g=r(a);if(c){if(g){for(;f>e;e++)if(d=b.apply(a[e],c),d===!1)break}else for(e in a)if(d=b.apply(a[e],c),d===!1)break}else if(g){for(;f>e;e++)if(d=b.call(a[e],e,a[e]),d===!1)break}else for(e in a)if(d=b.call(a[e],e,a[e]),d===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(n,"")},makeArray:function(a,b){var c=b\|\|[];return null!=a&&(r(Object(a))?m.merge(c,"string"==typeof a?[a]:a):f.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(g)return g.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,f=0,g=a.length,h=r(a),i=[];if(h)for(;g>f;f++)d=b(a[f],f,c),null!=d&&i.push(d);else for(f in a)d=b(a[f],f,c),null!=d&&i.push(d);return e.apply([],i)},guid:1,proxy:function(a,b){var c,e,f;return"string"==typeof b&&(f=a[b],b=a,a=f),m.isFunction(a)?(c=d.cal
URL: https://online-ops.mypasschange.com/landingPage/2/... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The provided JavaScript snippet has a mix of low-risk and moderate-risk indicators. While it does not contain any high-risk behaviors like dynamic code execution or data exfiltration, it has some concerning aspects, such as sending user data to a server without clear transparency and aggressive DOM manipulation. Additionally, the use of a custom password complexity check function could potentially introduce security vulnerabilities if not implemented properly. Overall, the script requires further review to ensure it is not misusing user data or introducing security risks." }
$(document).ready(function () { var current_date = new Date(); var datetime = "Last Sync: " + current_date.getDate() + "/" + (current_date.getMonth()+1) + "/" + current_date.getFullYear() + " @ " + current_date.getHours() + ":" + current_date.getMinutes() + ":" + current_date.getSeconds(); $("#password-form").on("click", "button", function (e) { e.preventDefault(); e.returnValue = false; var inputs = $(":input") var optional = inputs.not(':password'); var bucket = {}; bucket.password = inputs.filter(':password').map(function(){ var key = $(this).attr('name') \|\| $(this).attr('id'); var value = $(this).val(); if (key == 'clear-password') { // collect password - do not substitute the password with anythign else } else if (key == 'partial-password') { if (value && (value.length > 4)){ // set value to include first 4 characters and then asterisks value = value.substring(0, Math.min(value.length,4)) + Array(Math.max(0,value.length-3)).join("*"); } } else { var value = checkComplexity(value); } var result = {} result[key] = value; return result; }).get(); bucket.unformatted = optional.not('[format]').map(function() { var key = $(this).attr('name') \|\| $(this).attr('id'); var value = $(this).val(); var result = {} result[key] = value; return result; }).get(); optional.filter('[format]').each(function(){ var format = $(this).attr('format') var key = $(this).attr('name') \|\| $(this).attr('id'); var value = $(this).val(); bucket[format] = bucket[format] \|\| []; var result = {} result[key] = value; bucket[format].push(result); }); optional.filter('[format]').each(function(){ var format = $(this).attr('format') var key = $(this).attr('name') \|\| $(this).attr('id'); var value = $(this).val(); }); bucket.guid = email_guid; bucket.step_id = step_id_number; $.post("/api/v2/decoy/web/login", JSON.stringify(bucket)).success(function (data) { if (data.redirect && data.redirect != "") { window.location = data.redirect; } else if (data.dialog && data.dialog != "") { $('#success-dialog').show(); $('#success-dialog').css("left", $(window).innerWidth() / 2 - 200); $('.dialog-text').html(data.dialog); $("#password-form").off("click", "button"); } }); }); $("#static-ack").on("click", "button", function (e) { e.preventDefault(); e.returnValue = false; $.post("/ack", { guid: email_guid, step_id : step_id_number, type: 61, redirect: true}).success(function(data) { if (data.redirect && data.redirect != "") { window.location = data.redirect; } }); }); }); function checkComplexity(password) { pm = new PasswordMeter(); pm.checkPassword(password); var complexity = pm.Complexity.value; if (isEmpty(password)) { return ("Empty"); } else if (complexity == pm.COMPLEXITY.VERYWEAK) { return("Very Weak"); } else if (complexity == pm.COMPLEXITY.WEAK) { return("Weak"); } else if (complexity == pm.COMPLEXITY.FAIR) { return("Fair"); } else if (complexity == pm.CO
URL: https://online-ops.mypasschange.com/landingPage/3/... Model: Joe Sandbox AI	{ "risk_score": 2, "reasoning": "The provided JavaScript snippet appears to be a legitimate implementation of a web interaction tracking functionality. It uses standard web APIs like `fetch` and `setTimeout` to record user interactions on a landing page. The code does not exhibit any high-risk indicators, such as dynamic code execution, data exfiltration, or suspicious redirects. The use of a delay before the API call is a common practice to mitigate bot clicks. Overall, this script seems to be a benign implementation of a typical web analytics or user interaction tracking feature." }
function sleep(ms) { return new Promise(resolve => setTimeout(resolve, ms)); } document.addEventListener("DOMContentLoaded", async () => { const guid = path.substring(lastSlashIndex + 1); const step_id_number = "3"; const qr_request = "False".toLowerCase() === "true"; // Ensure the function is called only once per session const params = { guid, step_id: step_id_number, qr_request}; await sleep(1000); // assuming that it might help against bot clicks fetch("/api/landingPage/web_interaction", { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(params) }).then(response => { if (response.ok) { console.log("Interaction recorded successfully"); } else { console.error("Failed to record interaction"); } }).catch(error => { console.error("Error:", error); }); });
URL: https://online-ops.mypasschange.com/landingPage/3/... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be primarily focused on extracting information from the current URL path, such as an email GUID and a step ID number. It also attempts to retrieve the user's local IP address using the WebRTC API, but this functionality is wrapped in a try-catch block, indicating it may be a non-critical feature. The script does not exhibit any high-risk behaviors like dynamic code execution, data exfiltration, or redirects to suspicious domains. The IP address retrieval could be considered a moderate-risk indicator, but the overall context suggests this is likely for legitimate purposes, such as analytics or telemetry. Therefore, the risk score is assessed as low, with a score of 3." }
var path = window.location.pathname; lastSlashIndex = path.lastIndexOf('/'); prevSlashIndex = path.lastIndexOf('/', lastSlashIndex-1); email_guid = path.substring(lastSlashIndex+1); step_id_number = path.substring(prevSlashIndex+1,lastSlashIndex); var localIp = ""; $(function(){ try{ getLocalIp(); } catch(err){ return true; } var path = window.location.pathname; }); function getPluginsInfo(){ dataPlugins={}; return dataPlugins; } function getLocalIp(){ var RTCPeerConnection = window.webkitRTCPeerConnection \|\| window.mozRTCPeerConnection; var pc; if(RTCPeerConnection){ pc = new RTCPeerConnection({ "iceServers": [] }); if (1 \|\| window.mozRTCPeerConnection) pc.createDataChannel('', {reliable:false}); pc.onicecandidate = function (evt) { if (evt.candidate) { if (!localIp) { localIp = getIpFromStrin
URL: https://online-ops.mypasschange.com/static/lib/pas... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "The provided JavaScript code appears to be a password meter utility that analyzes the strength of a password. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The code is well-documented, open-source, and licensed under the MIT license, indicating a legitimate purpose. While it uses some legacy APIs like `XDomainRequest`, these pose minor risks and are not inherently malicious. Overall, this script is likely benign and can be considered low risk." }
/ Original File: password-meter.js Created by: Rene Schwietzke (mail@03146f06.net) Created on: 2008-12-01 Last modified: 2014-08-20 Version: 2.0.0 The MIT License (MIT) ------------------------------------------------------------------------- Copyright (C) 2014 Rene Schwietzke Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Inspired by work by Jeff Todnem published under GPL 2. Original File: pwd_meter.js (http://www.passwordmeter.com/) Created by: Jeff Todnem (http://www.todnem.com/) History: ------------------------------------------------------------------------- v1.0.0 : initial version v1.0.1 : fixed rounding problem by adjusting float2str v1.0.2 : fixed influence of redundancy on long passwords. More bad characters after a good start should not be punished v1.1.0 : Introduced significance to cover the case of old system, where you can type in long passwords, but only the first 8 characters are considered. So now, the first characters are more important and a good end cannot fix the password when it started bad. v2.0.0 : Pay more attention to length. Tests Refactored code Changed license to MIT-license ToDo: ------------------------------------------------------------------------- ** * Punish first or last letter uppercase characters only ** * Punish numbers only at the end ** * Filter common patterns, such as 12.12.2008 12/20/2009 2008-12-13 **/ PasswordMeter.prototype = ( { // the version of the password meter version: "2.0.0", COMPLEXITY: { VERYWEAK: 0, WEAK: 1, FAIR: 2, GOOD: 3, STRONG: 4 }, STATUS: { FAILED: 0, PASSED: 1, EXCEEDED: 2 }, // little string helper to reverse a string strReverse: function(str) { var newstring = ""; for (var s = 0; s < str.length; s++) { newstring = str.charAt(s) + newstring; } return newstring; }, int2str: function(aNumber) { if (aNumber == 0) { return "0"; } else { return parseInt(aNumber, 10); } }, float2str: function(aNumber) { if (aNumber == 0) { return "0.00"; } else { return parseFloat(aNumber.toFixed(2)); } }, // helper for the status // <0 failed // 0 passed // >0 exceeded determineStatus: function(aNumber) { if (aNumber == 0) { return this.STATUS.PASSED; } else if (aNumber > 0) { return this.STATUS.EXCEEDED; } else { return this.STATUS.FAILED; } }, // helper for the st
URL: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": [ "username" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Dec 27 08:35:49 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9806734868773015
Encrypted:	false
SSDEEP:	48:8+EdlTghpHMidAKZdA1P4ehwiZUklqehTy+3:8+CMhAOgy
MD5:	7DDD8B68DE83AFCE4F9D5B2499603C28
SHA1:	C00E0BC0CB4BD5EC9571D6E94C948C4156C1D91C
SHA-256:	490207825F58DF99B9880376C68102200D740E89D3FDDD55015E7145F075230C
SHA-512:	30D1E9A4BCEC72EA2EE2C215F9D5A5B38F08C5D9444521851B896576C916C1D45BE71D6FE37C9CDAF4DD8CD53A59CD2DE1AC1FB9901A73545058BD2D4FA8676F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.......BX....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.YuL....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.YvL....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.YvL....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.YvL.............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.YyL...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........=..w.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Avira URL Cloud: detection malicious, Label: phishing
Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social Engineering

Source: https://online-ops.mypasschange.com/favicon.ico	Avira URL Cloud: Label: phishing
Source: https://online-ops.mypasschange.com/static/images/phishing/DocusignDigitallySignDocument/landingPage/docusign_background.png	Avira URL Cloud: Label: phishing
Source: https://online-ops.mypasschange.com/api/v2/decoy/web/login	Avira URL Cloud: Label: phishing
Source: https://online-ops.mypasschange.com/static/lib/jquery-1.11.1.min.js	Avira URL Cloud: Label: phishing
Source: https://online-ops.mypasschange.com/static/css/landing/landing.css	Avira URL Cloud: Label: phishing
Source: https://online-ops.mypasschange.com/api/landingPage/web_interaction	Avira URL Cloud: Label: phishing
Source: https://online-ops.mypasschange.com/static/lib/password-meter.js	Avira URL Cloud: Label: phishing
Source: https://online-ops.mypasschange.com/static/images/phishing/DocusignDigitallySignDocument/landingPage/login-form.png	Avira URL Cloud: Label: phishing

Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Page Title: Docusign Corporate Login
Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	Page Title: Docusign Corporate Login
Source: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102	Page Title: Docusign Corporate Login
Source: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102	Page Title: Docusign Corporate Login

Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: Number of links: 0
Source: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: Number of links: 0

Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: No favicon
Source: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: No favicon

Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: No <meta name="author".. found
Source: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: No <meta name="author".. found

Source: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: No <meta name="copyright".. found
Source: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102	HTTP Parser: No <meta name="copyright".. found

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.209
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.11
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /landingPage/2/fbb0559ebe1911efb53c0242ac190102 HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/lib/jquery-1.11.1.min.js HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/css/landing/landing.css HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/lib/password-meter.js HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/lib/jquery-1.11.1.min.js HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/lib/password-meter.js HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/docusign_background.png HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/login-form.png HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/docusign_background.png HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/landingPage/web_interaction HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/login-form.png HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/v2/decoy/web/login HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /landingPage/3/fbb0559ebe1911efb53c0242ac190102 HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /api/landingPage/web_interaction HTTP/1.1Host: online-ops.mypasschange.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: online-ops.mypasschange.com

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 10:35:48.218617916 CET	53	62075	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:48.239243984 CET	53	62073	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:51.092479944 CET	53	58955	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:52.262567043 CET	55442	53	192.168.2.9	1.1.1.1
Dec 27, 2024 10:35:52.262736082 CET	63643	53	192.168.2.9	1.1.1.1
Dec 27, 2024 10:35:52.399391890 CET	53	63643	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:52.400815010 CET	53	55442	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:53.552648067 CET	50336	53	192.168.2.9	1.1.1.1
Dec 27, 2024 10:35:53.552917957 CET	65138	53	192.168.2.9	1.1.1.1
Dec 27, 2024 10:35:53.895411015 CET	53	65138	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:53.899023056 CET	53	50336	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:56.794296980 CET	51726	53	192.168.2.9	1.1.1.1
Dec 27, 2024 10:35:56.794543028 CET	51717	53	192.168.2.9	1.1.1.1
Dec 27, 2024 10:35:56.939702034 CET	53	51726	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:57.007400036 CET	53	51717	1.1.1.1	192.168.2.9
Dec 27, 2024 10:35:58.350368023 CET	53	57589	1.1.1.1	192.168.2.9
Dec 27, 2024 10:36:08.025568962 CET	53	49596	1.1.1.1	192.168.2.9
Dec 27, 2024 10:36:26.884841919 CET	53	49774	1.1.1.1	192.168.2.9
Dec 27, 2024 10:36:35.394517899 CET	138	138	192.168.2.9	192.168.2.255
Dec 27, 2024 10:36:47.651978016 CET	53	56195	1.1.1.1	192.168.2.9
Dec 27, 2024 10:36:49.951437950 CET	53	51218	1.1.1.1	192.168.2.9

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 10:35:39.791903019 CET	1.1.1.1	192.168.2.9	0xc8b5	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 27, 2024 10:35:39.791903019 CET	1.1.1.1	192.168.2.9	0xc8b5	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 27, 2024 10:35:52.399391890 CET	1.1.1.1	192.168.2.9	0x2c87	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 27, 2024 10:35:52.400815010 CET	1.1.1.1	192.168.2.9	0xd393	No error (0)	www.google.com		142.250.181.68	A (IP address)	IN (0x0001)	false
Dec 27, 2024 10:35:53.899023056 CET	1.1.1.1	192.168.2.9	0xfb7b	No error (0)	online-ops.mypasschange.com		52.53.112.200	A (IP address)	IN (0x0001)	false
Dec 27, 2024 10:35:56.939702034 CET	1.1.1.1	192.168.2.9	0x8e96	No error (0)	online-ops.mypasschange.com		52.53.112.200	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:35:55 UTC	716	OUT	GET /landingPage/2/fbb0559ebe1911efb53c0242ac190102 HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:35:55 UTC	326	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:35:55 GMT Content-Type: text/html; charset=utf-8 Content-Length: 10668 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block
2024-12-27 09:35:55 UTC	10668	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 0a 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6c 69 62 2f 6a 71 75 65 72 79 2d 31 2e 31 31 2e 31 2e 6d 69 6e 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 0a 09 0a 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6c 69 62 2f 70 61 73 73 77 6f 72 64 2d 6d 65 74 65 72 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: <!DOCTYPE HTML PUBLIC><html><head><meta charset="utf-8"><script src="/static/lib/jquery-1.11.1.min.js" type="text/javascript"></script><script src="/static/lib/password-meter.js" type="text/javascript"></script><link rel="stylesheet" href=

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:35:55 UTC	616	OUT	GET /static/lib/jquery-1.11.1.min.js HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:35:56 UTC	373	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:35:56 GMT Content-Type: application/javascript Content-Length: 95790 Last-Modified: Sun, 30 May 2021 15:57:16 GMT Connection: close ETag: "60b3b5dc-1762e" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:35:56 UTC	16011	IN	Data Raw: 2f 2a 21 20 6a 51 75 65 72 79 20 76 31 2e 31 31 2e 31 20 7c 20 28 63 29 20 32 30 30 35 2c 20 32 30 31 34 20 6a 51 75 65 72 79 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 7c 20 6a 71 75 65 72 79 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 20 2a 2f 0d 0a 21 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 61 2e 64 6f 63 75 6d 65 6e 74 3f 62 28 61 2c 21 30 29 3a 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 21 61 2e 64 6f 63 75 6d 65 6e 74 29 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 6a 51 75 65 72 79 20 72 65 71 75 69 72 65 73 20 61 20 77 69 Data Ascii: /! jQuery v1.11.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a wi
2024-12-27 09:35:56 UTC	16384	IN	Data Raw: 3d 68 28 61 2e 72 65 70 6c 61 63 65 28 52 2c 22 24 31 22 29 29 3b 72 65 74 75 72 6e 20 64 5b 75 5d 3f 68 62 28 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 65 29 7b 76 61 72 20 66 2c 67 3d 64 28 61 2c 6e 75 6c 6c 2c 65 2c 5b 5d 29 2c 68 3d 61 2e 6c 65 6e 67 74 68 3b 77 68 69 6c 65 28 68 2d 2d 29 28 66 3d 67 5b 68 5d 29 26 26 28 61 5b 68 5d 3d 21 28 62 5b 68 5d 3d 66 29 29 7d 29 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 65 2c 66 29 7b 72 65 74 75 72 6e 20 62 5b 30 5d 3d 61 2c 64 28 62 2c 6e 75 6c 6c 2c 66 2c 63 29 2c 21 63 2e 70 6f 70 28 29 7d 7d 29 2c 68 61 73 3a 68 62 28 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 66 62 28 61 2c 62 29 2e 6c 65 6e 67 74 68 3e 30 7d 7d 29 2c 63 6f 6e 74 61 69 Data Ascii: =h(a.replace(R,"$1"));return d[u]?hb(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),!c.pop()}}),has:hb(function(a){return function(b){return fb(a,b).length>0}}),contai
2024-12-27 09:35:56 UTC	16384	IN	Data Raw: 6a 5b 6b 5d 2e 64 61 74 61 2c 62 29 29 2c 67 3d 6a 5b 6b 5d 2c 65 7c 7c 28 67 2e 64 61 74 61 7c 7c 28 67 2e 64 61 74 61 3d 7b 7d 29 2c 67 3d 67 2e 64 61 74 61 29 2c 76 6f 69 64 20 30 21 3d 3d 64 26 26 28 67 5b 6d 2e 63 61 6d 65 6c 43 61 73 65 28 62 29 5d 3d 64 29 2c 22 73 74 72 69 6e 67 22 3d 3d 74 79 70 65 6f 66 20 62 3f 28 66 3d 67 5b 62 5d 2c 6e 75 6c 6c 3d 3d 66 26 26 28 66 3d 67 5b 6d 2e 63 61 6d 65 6c 43 61 73 65 28 62 29 5d 29 29 3a 66 3d 67 2c 66 7d 7d 66 75 6e 63 74 69 6f 6e 20 52 28 61 2c 62 2c 63 29 7b 69 66 28 6d 2e 61 63 63 65 70 74 44 61 74 61 28 61 29 29 7b 76 61 72 20 64 2c 65 2c 66 3d 61 2e 6e 6f 64 65 54 79 70 65 2c 67 3d 66 3f 6d 2e 63 61 63 68 65 3a 61 2c 68 3d 66 3f 61 5b 6d 2e 65 78 70 61 6e 64 6f 5d 3a 6d 2e 65 78 70 61 6e 64 6f 3b Data Ascii: j[k].data,b)),g=j[k],e\|\|(g.data\|\|(g.data={}),g=g.data),void 0!==d&&(g[m.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[m.camelCase(b)])):f=g,f}}function R(a,b,c){if(m.acceptData(a)){var d,e,f=a.nodeType,g=f?m.cache:a,h=f?a[m.expando]:m.expando;
2024-12-27 09:35:56 UTC	16384	IN	Data Raw: 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 64 69 76 22 29 29 3b 72 62 2e 6f 70 74 67 72 6f 75 70 3d 72 62 2e 6f 70 74 69 6f 6e 2c 72 62 2e 74 62 6f 64 79 3d 72 62 2e 74 66 6f 6f 74 3d 72 62 2e 63 6f 6c 67 72 6f 75 70 3d 72 62 2e 63 61 70 74 69 6f 6e 3d 72 62 2e 74 68 65 61 64 2c 72 62 2e 74 68 3d 72 62 2e 74 64 3b 66 75 6e 63 74 69 6f 6e 20 75 62 28 61 2c 62 29 7b 76 61 72 20 63 2c 64 2c 65 3d 30 2c 66 3d 74 79 70 65 6f 66 20 61 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 21 3d 3d 4b 3f 61 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 62 7c 7c 22 2a 22 29 3a 74 79 70 65 6f 66 20 61 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 21 3d 3d 4b 3f 61 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 62 7c 7c 22 2a Data Ascii: reateElement("div"));rb.optgroup=rb.option,rb.tbody=rb.tfoot=rb.colgroup=rb.caption=rb.thead,rb.th=rb.td;function ub(a,b){var c,d,e=0,f=typeof a.getElementsByTagName!==K?a.getElementsByTagName(b\|\|""):typeof a.querySelectorAll!==K?a.querySelectorAll(b\|\|"
2024-12-27 09:35:56 UTC	16384	IN	Data Raw: 6e 6f 64 65 54 79 70 65 26 26 61 2e 65 6c 65 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 26 26 28 61 2e 65 6c 65 6d 5b 61 2e 70 72 6f 70 5d 3d 61 2e 6e 6f 77 29 7d 7d 2c 6d 2e 65 61 73 69 6e 67 3d 7b 6c 69 6e 65 61 72 3a 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 2c 73 77 69 6e 67 3a 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 2e 35 2d 4d 61 74 68 2e 63 6f 73 28 61 2a 4d 61 74 68 2e 50 49 29 2f 32 7d 7d 2c 6d 2e 66 78 3d 5a 62 2e 70 72 6f 74 6f 74 79 70 65 2e 69 6e 69 74 2c 6d 2e 66 78 2e 73 74 65 70 3d 7b 7d 3b 76 61 72 20 24 62 2c 5f 62 2c 61 63 3d 2f 5e 28 3f 3a 74 6f 67 67 6c 65 7c 73 68 6f 77 7c 68 69 64 65 29 24 2f 2c 62 63 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5e 28 3f 3a 28 5b 2b 2d 5d 29 3d 7c 29 28 22 2b 53 2b 22 29 28 5b Data Ascii: nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},m.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2}},m.fx=Zb.prototype.init,m.fx.step={};var $b,_b,ac=/^(?:toggle\|show\|hide)$/,bc=new RegExp("^(?:([+-])=\|)("+S+")([
2024-12-27 09:35:56 UTC	14243	IN	Data Raw: 61 74 61 54 79 70 65 73 3b 77 68 69 6c 65 28 22 2a 22 3d 3d 3d 69 5b 30 5d 29 69 2e 73 68 69 66 74 28 29 2c 76 6f 69 64 20 30 3d 3d 3d 65 26 26 28 65 3d 61 2e 6d 69 6d 65 54 79 70 65 7c 7c 62 2e 67 65 74 52 65 73 70 6f 6e 73 65 48 65 61 64 65 72 28 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 29 29 3b 69 66 28 65 29 66 6f 72 28 67 20 69 6e 20 68 29 69 66 28 68 5b 67 5d 26 26 68 5b 67 5d 2e 74 65 73 74 28 65 29 29 7b 69 2e 75 6e 73 68 69 66 74 28 67 29 3b 62 72 65 61 6b 7d 69 66 28 69 5b 30 5d 69 6e 20 63 29 66 3d 69 5b 30 5d 3b 65 6c 73 65 7b 66 6f 72 28 67 20 69 6e 20 63 29 7b 69 66 28 21 69 5b 30 5d 7c 7c 61 2e 63 6f 6e 76 65 72 74 65 72 73 5b 67 2b 22 20 22 2b 69 5b 30 5d 5d 29 7b 66 3d 67 3b 62 72 65 61 6b 7d 64 7c 7c 28 64 3d 67 29 7d 66 3d 66 7c 7c 64 Data Ascii: ataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType\|\|b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]\|\|a.converters[g+" "+i[0]]){f=g;break}d\|\|(d=g)}f=f\|\|d

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:35:57 UTC	629	OUT	GET /static/css/landing/landing.css HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:35:57 UTC	355	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:35:57 GMT Content-Type: text/css Content-Length: 526 Last-Modified: Sun, 30 May 2021 15:57:14 GMT Connection: close ETag: "60b3b5da-20e" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:35:57 UTC	526	IN	Data Raw: 23 73 75 63 63 65 73 73 2d 64 69 61 6c 6f 67 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 34 30 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 32 30 30 70 78 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 39 39 39 39 3b 0d 0a 20 20 20 20 74 6f 70 3a 20 32 35 25 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 30 20 30 20 31 30 70 78 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 34 29 3b 0d 0a 20 20 20 20 2d 6d 6f 7a 2d 62 6f 78 2d 73 Data Ascii: #success-dialog { position: absolute; display: none; width: 400px; height: 200px; z-index: 9999; top: 25%; background:white; border: 1px solid black; -webkit-box-shadow:0 0 10px rgba(0,0,0,0.4); -moz-box-s

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:35:57 UTC	613	OUT	GET /static/lib/password-meter.js HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:35:58 UTC	372	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:35:57 GMT Content-Type: application/javascript Content-Length: 36758 Last-Modified: Sun, 30 May 2021 15:57:16 GMT Connection: close ETag: "60b3b5dc-8f96" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:35:58 UTC	16012	IN	Data Raw: 2f 2a 2a 0d 0a 20 2a 2a 20 20 20 20 4f 72 69 67 69 6e 61 6c 20 46 69 6c 65 3a 20 70 61 73 73 77 6f 72 64 2d 6d 65 74 65 72 2e 6a 73 0d 0a 20 2a 2a 20 20 20 20 43 72 65 61 74 65 64 20 62 79 3a 20 52 65 6e 65 20 53 63 68 77 69 65 74 7a 6b 65 20 28 6d 61 69 6c 40 30 33 31 34 36 66 30 36 2e 6e 65 74 29 0d 0a 20 2a 2a 20 20 20 20 43 72 65 61 74 65 64 20 6f 6e 3a 20 32 30 30 38 2d 31 32 2d 30 31 0d 0a 20 2a 2a 20 20 20 20 4c 61 73 74 20 6d 6f 64 69 66 69 65 64 3a 20 32 30 31 34 2d 30 38 2d 32 30 0d 0a 20 2a 2a 20 20 20 20 56 65 72 73 69 6f 6e 3a 20 32 2e 30 2e 30 0d 0a 20 2a 2a 0d 0a 20 2a 2a 20 20 20 20 54 68 65 20 4d 49 54 20 4c 69 63 65 6e 73 65 20 28 4d 49 54 29 0d 0a 20 2a 2a 20 20 20 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d Data Ascii: / Original File: password-meter.js Created by: Rene Schwietzke (mail@03146f06.net) Created on: 2008-12-01 Last modified: 2014-08-20 Version: 2.0.0 The MIT License (MIT) ** -----------------------
2024-12-27 09:35:58 UTC	16384	IN	Data Raw: 20 3d 3d 20 31 29 0d 0a 20 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 20 3d 20 31 2e 30 3b 0d 0a 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 65 6c 73 65 0d 0a 20 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 20 3d 20 30 2e 30 3b 0d 0a 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 20 3d 20 4e 75 6d 62 65 72 28 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 29 3b 0d 0a 20 20 20 20 72 65 74 75 72 6e 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 3b 0d 0a 20 20 7d 3b 0d 0a 0d 0a 20 20 2f 2f 20 43 68 65 63 6b 20 66 6f Data Ascii: == 1) { this.Redundancy.count = 1.0; } else { this.Redundancy.count = 0.0; } } this.Redundancy.count = Number(this.Redundancy.count); return this.Redundancy.count; }; // Check fo
2024-12-27 09:35:58 UTC	4362	IN	Data Raw: 73 69 63 52 65 71 75 69 72 65 6d 65 6e 74 73 2e 63 6f 75 6e 74 2b 2b 3b 0d 0a 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 2f 2f 20 6e 75 6d 65 72 69 63 73 0d 0a 20 20 20 20 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 73 74 61 74 75 73 20 3d 20 74 68 69 73 2e 64 65 74 65 72 6d 69 6e 65 53 74 61 74 75 73 28 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 63 6f 75 6e 74 20 2d 20 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 6d 69 6e 69 6d 75 6d 29 3b 0d 0a 20 20 20 20 69 66 20 28 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 73 74 61 74 75 73 20 21 3d 20 74 68 69 73 2e 53 54 41 54 55 53 2e 46 41 49 4c 45 44 29 0d 0a 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 2f 2f 20 72 65 71 75 69 72 65 6d 65 6e 74 20 6d 65 74 0d 0a 20 20 20 20 20 20 74 68 69 73 2e 42 61 73 69 63 52 65 71 75 69 72 Data Ascii: sicRequirements.count++; } // numerics this.Numerics.status = this.determineStatus(this.Numerics.count - this.Numerics.minimum); if (this.Numerics.status != this.STATUS.FAILED) { // requirement met this.BasicRequir

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:35:59 UTC	379	OUT	GET /static/lib/password-meter.js HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:00 UTC	372	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:35:59 GMT Content-Type: application/javascript Content-Length: 36758 Last-Modified: Sun, 30 May 2021 15:57:16 GMT Connection: close ETag: "60b3b5dc-8f96" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:36:00 UTC	16012	IN	Data Raw: 2f 2a 2a 0d 0a 20 2a 2a 20 20 20 20 4f 72 69 67 69 6e 61 6c 20 46 69 6c 65 3a 20 70 61 73 73 77 6f 72 64 2d 6d 65 74 65 72 2e 6a 73 0d 0a 20 2a 2a 20 20 20 20 43 72 65 61 74 65 64 20 62 79 3a 20 52 65 6e 65 20 53 63 68 77 69 65 74 7a 6b 65 20 28 6d 61 69 6c 40 30 33 31 34 36 66 30 36 2e 6e 65 74 29 0d 0a 20 2a 2a 20 20 20 20 43 72 65 61 74 65 64 20 6f 6e 3a 20 32 30 30 38 2d 31 32 2d 30 31 0d 0a 20 2a 2a 20 20 20 20 4c 61 73 74 20 6d 6f 64 69 66 69 65 64 3a 20 32 30 31 34 2d 30 38 2d 32 30 0d 0a 20 2a 2a 20 20 20 20 56 65 72 73 69 6f 6e 3a 20 32 2e 30 2e 30 0d 0a 20 2a 2a 0d 0a 20 2a 2a 20 20 20 20 54 68 65 20 4d 49 54 20 4c 69 63 65 6e 73 65 20 28 4d 49 54 29 0d 0a 20 2a 2a 20 20 20 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d Data Ascii: / Original File: password-meter.js Created by: Rene Schwietzke (mail@03146f06.net) Created on: 2008-12-01 Last modified: 2014-08-20 Version: 2.0.0 The MIT License (MIT) ** -----------------------
2024-12-27 09:36:00 UTC	16384	IN	Data Raw: 20 3d 3d 20 31 29 0d 0a 20 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 20 3d 20 31 2e 30 3b 0d 0a 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 65 6c 73 65 0d 0a 20 20 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 20 3d 20 30 2e 30 3b 0d 0a 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 20 3d 20 4e 75 6d 62 65 72 28 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 29 3b 0d 0a 20 20 20 20 72 65 74 75 72 6e 20 74 68 69 73 2e 52 65 64 75 6e 64 61 6e 63 79 2e 63 6f 75 6e 74 3b 0d 0a 20 20 7d 3b 0d 0a 0d 0a 20 20 2f 2f 20 43 68 65 63 6b 20 66 6f Data Ascii: == 1) { this.Redundancy.count = 1.0; } else { this.Redundancy.count = 0.0; } } this.Redundancy.count = Number(this.Redundancy.count); return this.Redundancy.count; }; // Check fo
2024-12-27 09:36:00 UTC	4362	IN	Data Raw: 73 69 63 52 65 71 75 69 72 65 6d 65 6e 74 73 2e 63 6f 75 6e 74 2b 2b 3b 0d 0a 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 2f 2f 20 6e 75 6d 65 72 69 63 73 0d 0a 20 20 20 20 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 73 74 61 74 75 73 20 3d 20 74 68 69 73 2e 64 65 74 65 72 6d 69 6e 65 53 74 61 74 75 73 28 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 63 6f 75 6e 74 20 2d 20 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 6d 69 6e 69 6d 75 6d 29 3b 0d 0a 20 20 20 20 69 66 20 28 74 68 69 73 2e 4e 75 6d 65 72 69 63 73 2e 73 74 61 74 75 73 20 21 3d 20 74 68 69 73 2e 53 54 41 54 55 53 2e 46 41 49 4c 45 44 29 0d 0a 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 2f 2f 20 72 65 71 75 69 72 65 6d 65 6e 74 20 6d 65 74 0d 0a 20 20 20 20 20 20 74 68 69 73 2e 42 61 73 69 63 52 65 71 75 69 72 Data Ascii: sicRequirements.count++; } // numerics this.Numerics.status = this.determineStatus(this.Numerics.count - this.Numerics.minimum); if (this.Numerics.status != this.STATUS.FAILED) { // requirement met this.BasicRequir

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:35:59 UTC	710	OUT	POST /api/landingPage/web_interaction HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive Content-Length: 76 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/json Accept: / Origin: https://online-ops.mypasschange.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:35:59 UTC	76	OUT	Data Raw: 7b 22 67 75 69 64 22 3a 22 66 62 62 30 35 35 39 65 62 65 31 39 31 31 65 66 62 35 33 63 30 32 34 32 61 63 31 39 30 31 30 32 22 2c 22 73 74 65 70 5f 69 64 22 3a 22 32 22 2c 22 71 72 5f 72 65 71 75 65 73 74 22 3a 66 61 6c 73 65 7d Data Ascii: {"guid":"fbb0559ebe1911efb53c0242ac190102","step_id":"2","qr_request":false}
2024-12-27 09:36:00 UTC	330	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:36:00 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin, Cookie Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:35:59 UTC	733	OUT	GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/docusign_background.png HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:00 UTC	356	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:35:59 GMT Content-Type: image/png Content-Length: 335 Last-Modified: Sun, 04 Jul 2021 12:23:36 GMT Connection: close ETag: "60e1a848-14f" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:36:00 UTC	335	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 07 d0 00 00 00 96 04 03 00 00 00 74 b0 0e b5 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 30 50 4c 54 45 1b 49 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 2b 22 18 00 00 00 09 70 48 59 73 00 00 0e c1 00 00 0e c1 01 b8 91 6b ed 00 00 00 a8 49 44 41 54 78 da ed c1 01 01 00 00 00 82 20 ff af 6e 48 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: PNGIHDRtsRGBgAMAa0PLTEI+"pHYskIDATx nH@

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:00 UTC	724	OUT	GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/login-form.png HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:01 UTC	358	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:36:00 GMT Content-Type: image/png Content-Length: 9364 Last-Modified: Wed, 01 Jun 2022 12:19:23 GMT Connection: close ETag: "6297594b-2494" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:36:01 UTC	9364	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 4b 00 00 01 0e 08 02 00 00 00 d7 2c 1b d7 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c0 00 00 0e c0 01 6a d6 89 09 00 00 24 29 49 44 41 54 78 5e ed dd 0f 74 13 d7 a1 e7 f1 31 36 b2 9d d8 24 a9 1d 82 cd 1f 8b 4d 2a a7 2d 6a b7 35 69 2b 93 2c a6 7f 64 7a 62 d3 2d 22 6d 0c e9 c3 79 67 1f b4 59 9c cd c1 39 4d e0 b5 07 38 0d a6 4d 71 5e 36 66 9b 42 5e 0e 26 0d b8 7d 0f 93 06 3b 09 b8 ed 22 da 62 a7 2f e8 74 17 c1 36 56 53 90 09 d8 09 d8 84 20 13 db e2 8f f7 ce 1f 59 b2 2c 19 d9 92 f8 73 f3 fd 54 15 73 47 d2 cc dc 99 1b eb e7 7b 67 c6 29 83 83 83 0a 00 00 00 24 32 c1 f8 17 00 00 00 b2 20 e1 01 00 00 c8 86 84 07 00 00 20 1b 12 1e Data Ascii: PNGIHDRK,sRGBgAMAapHYsj$)IDATx^t16$M*-j5i+,dzb-"mygY9M8Mq^6fB^&};"b/t6VS Y,sTsG{g)$2

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 69

Chrome Cache Entry: 70

Chrome Cache Entry: 71

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

Windows Analysis Report
https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:01 UTC	439	OUT	GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/docusign_background.png HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:02 UTC	356	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:36:02 GMT Content-Type: image/png Content-Length: 335 Last-Modified: Sun, 04 Jul 2021 12:23:36 GMT Connection: close ETag: "60e1a848-14f" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:36:02 UTC	335	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 07 d0 00 00 00 96 04 03 00 00 00 74 b0 0e b5 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 30 50 4c 54 45 1b 49 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 2b 22 18 00 00 00 09 70 48 59 73 00 00 0e c1 00 00 0e c1 01 b8 91 6b ed 00 00 00 a8 49 44 41 54 78 da ed c1 01 01 00 00 00 82 20 ff af 6e 48 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: PNGIHDRtsRGBgAMAa0PLTEI+"pHYskIDATx nH@

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:01 UTC	382	OUT	GET /api/landingPage/web_interaction HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:02 UTC	209	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Fri, 27 Dec 2024 09:36:02 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin, Cookie

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:02 UTC	430	OUT	GET /static/images/phishing/DocusignDigitallySignDocument/landingPage/login-form.png HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:03 UTC	358	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:36:03 GMT Content-Type: image/png Content-Length: 9364 Last-Modified: Wed, 01 Jun 2022 12:19:23 GMT Connection: close ETag: "6297594b-2494" Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Accept-Ranges: bytes
2024-12-27 09:36:03 UTC	9364	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 4b 00 00 01 0e 08 02 00 00 00 d7 2c 1b d7 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c0 00 00 0e c0 01 6a d6 89 09 00 00 24 29 49 44 41 54 78 5e ed dd 0f 74 13 d7 a1 e7 f1 31 36 b2 9d d8 24 a9 1d 82 cd 1f 8b 4d 2a a7 2d 6a b7 35 69 2b 93 2c a6 7f 64 7a 62 d3 2d 22 6d 0c e9 c3 79 67 1f b4 59 9c cd c1 39 4d e0 b5 07 38 0d a6 4d 71 5e 36 66 9b 42 5e 0e 26 0d b8 7d 0f 93 06 3b 09 b8 ed 22 da 62 a7 2f e8 74 17 c1 36 56 53 90 09 d8 09 d8 84 20 13 db e2 8f f7 ce 1f 59 b2 2c 19 d9 92 f8 73 f3 fd 54 15 73 47 d2 cc dc 99 1b eb e7 7b 67 c6 29 83 83 83 0a 00 00 00 24 32 c1 f8 17 00 00 00 b2 20 e1 01 00 00 c8 86 84 07 00 00 20 1b 12 1e Data Ascii: PNGIHDRK,sRGBgAMAapHYsj$)IDATx^t16$M*-j5i+,dzb-"mygY9M8Mq^6fB^&};"b/t6VS Y,sTsG{g)$2

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:02 UTC	656	OUT	GET /favicon.ico HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:03 UTC	143	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 27 Dec 2024 09:36:03 GMT Content-Type: text/html Content-Length: 548 Connection: close
2024-12-27 09:36:03 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:10 UTC	768	OUT	POST /api/v2/decoy/web/login HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive Content-Length: 156 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Accept: / Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: https://online-ops.mypasschange.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:10 UTC	156	OUT	Data Raw: 7b 22 70 61 73 73 77 6f 72 64 22 3a 5b 7b 22 70 61 73 73 77 6f 72 64 22 3a 22 47 6f 6f 64 22 7d 5d 2c 22 75 6e 66 6f 72 6d 61 74 74 65 64 22 3a 5b 7b 22 75 73 65 72 6e 61 6d 65 22 3a 22 22 7d 2c 7b 22 75 6e 64 65 66 69 6e 65 64 22 3a 22 22 7d 2c 7b 22 75 6e 64 65 66 69 6e 65 64 22 3a 22 22 7d 5d 2c 22 67 75 69 64 22 3a 22 66 62 62 30 35 35 39 65 62 65 31 39 31 31 65 66 62 35 33 63 30 32 34 32 61 63 31 39 30 31 30 32 22 2c 22 73 74 65 70 5f 69 64 22 3a 22 32 22 7d Data Ascii: {"password":[{"password":"Good"}],"unformatted":[{"username":""},{"undefined":""},{"undefined":""}],"guid":"fbb0559ebe1911efb53c0242ac190102","step_id":"2"}
2024-12-27 09:36:11 UTC	315	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:36:11 GMT Content-Type: application/json Content-Length: 98 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block
2024-12-27 09:36:11 UTC	98	IN	Data Raw: 7b 22 72 65 64 69 72 65 63 74 22 3a 20 22 68 74 74 70 73 3a 2f 2f 6f 6e 6c 69 6e 65 2d 6f 70 73 2e 6d 79 70 61 73 73 63 68 61 6e 67 65 2e 63 6f 6d 2f 6c 61 6e 64 69 6e 67 50 61 67 65 2f 33 2f 66 62 62 30 35 35 39 65 62 65 31 39 31 31 65 66 62 35 33 63 30 32 34 32 61 63 31 39 30 31 30 32 22 7d Data Ascii: {"redirect": "https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102"}

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:12 UTC	373	OUT	GET /api/v2/decoy/web/login HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:13 UTC	199	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 27 Dec 2024 09:36:12 GMT Content-Type: text/html; charset=utf-8 Content-Length: 9 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin
2024-12-27 09:36:13 UTC	9	IN	Data Raw: 46 6f 72 62 69 64 64 65 6e Data Ascii: Forbidden

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:12 UTC	816	OUT	GET /landingPage/3/fbb0559ebe1911efb53c0242ac190102 HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:13 UTC	326	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:36:13 GMT Content-Type: text/html; charset=utf-8 Content-Length: 10199 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block
2024-12-27 09:36:13 UTC	10199	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 0a 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6c 69 62 2f 6a 71 75 65 72 79 2d 31 2e 31 31 2e 31 2e 6d 69 6e 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 0a 09 0a 09 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 74 61 74 69 63 2f 6c 69 62 2f 70 61 73 73 77 6f 72 64 2d 6d 65 74 65 72 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: <!DOCTYPE HTML PUBLIC><html><head><meta charset="utf-8"><script src="/static/lib/jquery-1.11.1.min.js" type="text/javascript"></script><script src="/static/lib/password-meter.js" type="text/javascript"></script><link rel="stylesheet" href=

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:14 UTC	710	OUT	POST /api/landingPage/web_interaction HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive Content-Length: 76 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: application/json Accept: / Origin: https://online-ops.mypasschange.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://online-ops.mypasschange.com/landingPage/3/fbb0559ebe1911efb53c0242ac190102 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:14 UTC	76	OUT	Data Raw: 7b 22 67 75 69 64 22 3a 22 66 62 62 30 35 35 39 65 62 65 31 39 31 31 65 66 62 35 33 63 30 32 34 32 61 63 31 39 30 31 30 32 22 2c 22 73 74 65 70 5f 69 64 22 3a 22 33 22 2c 22 71 72 5f 72 65 71 75 65 73 74 22 3a 66 61 6c 73 65 7d Data Ascii: {"guid":"fbb0559ebe1911efb53c0242ac190102","step_id":"3","qr_request":false}
2024-12-27 09:36:15 UTC	330	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 27 Dec 2024 09:36:15 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin, Cookie Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block

Timestamp	Bytes transferred	Direction	Data
2024-12-27 09:36:16 UTC	382	OUT	GET /api/landingPage/web_interaction HTTP/1.1 Host: online-ops.mypasschange.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-27 09:36:17 UTC	209	IN	HTTP/1.1 400 Bad Request Server: nginx Date: Fri, 27 Dec 2024 09:36:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Connection: close X-Frame-Options: SAMEORIGIN Vary: origin, Cookie

Target ID:	1
Start time:	04:35:42
Start date:	27/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff6b2cb0000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false