Edit tour

Windows Analysis Report
https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9

Overview

General Information

Sample URL:	https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9
Analysis ID:	611550
Infos:

Detection

HTMLPhisher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on shot template match)

Yara detected HtmlPhish10

Antivirus detection for URL or domain

Yara detected HtmlPhish7

Phishing site detected (based on various OCR indicators)

Phishing site detected (based on image similarity)

No HTML title found

HTML body contains low number of good links

Classification

Process Tree

System is w10x64

chrome.exe (PID: 4968 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9 MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 5740 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,13177790799417537543,18028638101351105962,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
67024.3.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
67024.3.pages.csv	JoeSecurity_HtmlPhish_7	Yara detected HtmlPhish_7	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: 1drv.ms

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9 HTTP/1.1Host: 1drv.msConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /o/GetImage.ashx?&WOPIsrc=https%3A%2F%2Fwopi%2Eonedrive%2Ecom%2Fwopi%2Ffiles%2FE2AFA75B515F2435%21396&access_token=4wXXOs55hCBkuM%2DGueQLkkCXikgVkbv%5FJ6RzZa5J3pzKVu51V2j1kaB1%2DGqIUIIFp2z%2D6d0hv5siq%2DZpZmhbcIHlkgZCOcw5JqHLoqzjGQqsnvQQzcbX40gJpiuaUDDwa5wUPxMrUUBHe2X9lIe27tgoXmeRTTt2MFPV5wq5hGtkc&access_token_ttl=1652209391149&ObjectDataBlobId=%7B0dbcce29-f141-4b95-9b39-4c9b09e8268c%7D%7B1%7D&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&build=16.0.15128.41022&waccluster=PNL1&wdwacuseragent=MSWACONSync&DataUrlEnabled=true HTTP/1.1Host: onenote.officeapps.live.comConnection: keep-alivehaep: 1X-WacFrontEnd: AM4PEPF00006B54X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8X-OfficeVersion: 16.0.15128.41022X-Key: vXhHJxtHQGT6RxXdWMOps17SbTSxQp1/phscllTMC40=,637859917928282131X-WacUserAgent: MSWACONSyncUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36X-Requested-With: XMLHttpRequestX-UserType: WOPIX-xhr: 1X-IsCoauthSession: trueX-WacCluster: PNL1Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBootAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Source: global traffic	HTTP traffic detected: GET /o/App_Scripts/Acl/Acl1033.js HTTP/1.1Host: onenote.officeapps.live.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBootAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: OneNotePenInkColorAndThickness=%7B%22color%22%3A%224210752%22%2C%22Tyd%22%3A%223%22%7D; xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Source: global traffic	HTTP traffic detected: GET /c.gif?DI=15347&wlxid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&reqid=002dade0b0e&csiperf=ANON%3D%26NL%3D0%26TP%3D0%26CL%3DRD00155D7C17F6%26MA%3Den-US%26B%3D0.0.0%26TR%3DNA%252ANA%252A%253ASDX.Skydrive%252AWac.view.F.U.%26PLT%3D16636%26IR%3D1%26EX%3D0%26L.h%3D2707%26L.bc%3D3233%26L.ac%3D3233%26L.f%3D3394%26L.sjs%3D16188%26L.ttg%3D9609%26C.st%3D1650427388334%26N.domIn%3D3394%26N.tcp%3D375%26N.req%3D2367%26N.resp%3D243%26N.navType%3D0%26N.redirectCount%3D0&r=0.7634972786336327&CtsSyncId=357C9A5742DF4828BD37A87F9351A7B6&RedC=c.live.com&MXFR=369389C43CCC6FBA1FF3984F38CC6BCE HTTP/1.1Host: c.bing.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://onedrive.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /me?partner=OneNoteOnline&version=10.21153.1&market=EN-US&wrapperId=suiteshell HTTP/1.1Host: amcdn.msftauth.netConnection: keep-aliveOrigin: https://onenote.officeapps.live.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://onenote.officeapps.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /o/AddinServiceHandler.ashx?action=laststoreupdate&app=4&lc=EN-US&WOPIsrc=https%3A%2F%2Fwopi%2Eonedrive%2Ecom%2Fwopi%2Ffolders%2FE2AFA75B515F2435%21394&access_token=4wGPVnpMVT07tsQgwPpSKKj7fS83GhpdGdrnabEdo9bNwZQLIv44DGEMRcO%5FuFyUe%2DjX%2DDmDILzQh9FOyJvqq6KSrZpMPPItz77iijKDoSsI0IT5vyVG94eRfaOVZLhKnkm0xHpQkFzBZaBJr1TEfe3WDUGAWv4Jkn5u%2DzJ9W5eMw&access_token_ttl=1652209391149 HTTP/1.1Host: onenote.officeapps.live.comConnection: keep-alivehaep: 1X-WacFrontEnd: AM4PEPF00006B54X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8X-OfficeVersion: 16.0.15128.41022X-Key: vXhHJxtHQGT6RxXdWMOps17SbTSxQp1/phscllTMC40=,637859917928282131X-WacUserAgent: MSWACONSyncUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36X-Requested-With: XMLHttpRequestX-UserType: WOPIX-xhr: 1X-IsCoauthSession: trueX-WacCluster: PNL1Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBootAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: OneNotePenInkColorAndThickness=%7B%22color%22%3A%224210752%22%2C%22Tyd%22%3A%223%22%7D; xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000; ShCLSessionID=1650427404723_0.6187468110137586; BP=l=SDX.Skydrive&FR=&ST=; MUID=369389C43CCC6FBA1FF3984F38CC6BCE
Source: global traffic	HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mydata/myprofile/expressionprofile/profilephoto:UserTileStatic,UserTileSmall/MeControlMediumUserTile?ck=1&ex=24&fofoff=1&sc=1650427407209 HTTP/1.1Host: storage.live.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://onenote.officeapps.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; BP=l=SDX.Skydrive&FR=&ST=; MUID=369389C43CCC6FBA1FF3984F38CC6BCE
Source: global traffic	HTTP traffic detected: GET /o/AppSettingsHandler.ashx?app=OneNote&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&build=16.0.15211.41020 HTTP/1.1Host: onenote.officeapps.live.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Origin: https://onedrive.live.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://onedrive.live.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000 HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/ HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.0.0/css/bootstrap.min.css HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://partosasasic.cfUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/css/hover.css HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.0.0/js/bootstrap.min.js HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://partosasasic.cfUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: https://partosasasic.cfUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/images/adobe.jpg HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/images/outlook1.png HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/images/office3651.png HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/images/other1.png HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/images/gmail.png HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/images/8.jpg HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://partosasasic.cf/000/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /000/images/outlook1.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: partosasasic.cf
Source: global traffic	HTTP traffic detected: GET /000/images/adobe.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: partosasasic.cf
Source: global traffic	HTTP traffic detected: GET /000/images/office3651.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: partosasasic.cf
Source: global traffic	HTTP traffic detected: GET /000/images/other1.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: partosasasic.cf
Source: global traffic	HTTP traffic detected: GET /000/images/gmail.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: partosasasic.cf
Source: global traffic	HTTP traffic detected: GET /000/images/8.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: partosasasic.cf
Source: global traffic	HTTP traffic detected: GET /000 HTTP/1.1Host: partosasasic.cfConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: unknown	HTTPS traffic detected: 162.0.209.120:443 -> 192.168.2.3:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.209.120:443 -> 192.168.2.3:49987 version: TLS 1.2

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,13177790799417537543,18028638101351105962,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,13177790799417537543,18028638101351105962,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1920 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-625F85F6-1368.pma

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Temp\8cc95f9f-90ea-4ddd-9a66-6604cc048e76.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.phis.win@31/103@23/15

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	4 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	5 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
https://onedrive.live.com/view.aspx?resid=E2AFA75B515F2435!394&ithint=onenote&authkey=!AkHGdlNxucEHnOo	100%	SlashNext	Credential Stealing type: Phishing & Social Engineering
https://partosasasic.cf/000/images/adobe.jpg	0%	Avira URL Cloud	safe
https://amcdn.msftauth.net/me?partner=OneNoteOnline&version=10.21153.1&market=EN-US&wrapperId=suiteshell	0%	Virustotal		Browse
https://amcdn.msftauth.net/me?partner=OneNoteOnline&version=10.21153.1&market=EN-US&wrapperId=suiteshell	0%	Avira URL Cloud	safe
https://partosasasic.cf/000/images/other1.png	0%	Avira URL Cloud	safe
https://dns.google	0%	URL Reputation	safe
https://www.google.com;	0%	Avira URL Cloud	safe
http://partosasasic.cf/000	0%	Avira URL Cloud	safe
https://partosasasic.cf/000/css/hover.css	0%	Avira URL Cloud	safe
https://partosasasic.cf/000/images/8.jpg	0%	Avira URL Cloud	safe
https://partosasasic.cf/000	0%	Avira URL Cloud	safe
https://partosasasic.cf/000/images/gmail.png	0%	Avira URL Cloud	safe
https://partosasasic.cf/favicon.ico	0%	Avira URL Cloud	safe
https://partosasasic.cf/000/images/office3651.png	0%	Avira URL Cloud	safe
https://partosasasic.cf/000/images/outlook1.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
b-0016.b-msedge.net	13.107.6.171	true	false	unknown
gstaticadssl.l.google.com	142.250.74.195	true	false	high
i-db3p-cor004.api.p001.1drv.com	13.104.208.162	true	false	high
accounts.google.com	142.250.185.237	true	false	high
dual-a-0001.a-msedge.net	204.79.197.200	true	false	unknown
cdnjs.cloudflare.com	104.17.25.14	true	false	high
partosasasic.cf	162.0.209.120	true	false	unknown
part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
maxcdn.bootstrapcdn.com	104.18.11.207	true	false	high
clients.l.google.com	142.250.184.238	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.65	true	false	high
1drv.ms	157.55.109.224	true	false	high
onenoteonlinesync.onenote.com	unknown	unknown	false	high
ka-f.fontawesome.com	unknown	unknown	false	high
kit.fontawesome.com	unknown	unknown	false	high
messaging.office.com	unknown	unknown	false	high
c.live.com	unknown	unknown	false	high
storage.live.com	unknown	unknown	false	high
ajax.aspnetcdn.com	unknown	unknown	false	high
clients2.googleusercontent.com	unknown	unknown	false	high
clients2.google.com	unknown	unknown	false	high
code.jquery.com	unknown	unknown	false	high
onedrive.live.com	unknown	unknown	false	high
p.sfx.ms	unknown	unknown	false	high
amcdn.msftauth.net	unknown	unknown	false	unknown
spoprod-a.akamaihd.net	unknown	unknown	false	high
www.onenote.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://clients2.googleusercontent.com/crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx	false		high
https://onedrive.live.com/redir?resid=E2AFA75B515F2435%21394&authkey=%21AkHGdlNxucEHnOo&page=View&wd=target%28Quick%20Notes.one%7Ce3e51500-5c6b-4624-8225-2bf56ea6c902%2FNEW%20DOCUMENT%20FROM%C2%A0ROLLING%20HILLS%20HEALTHCARE%20AND%20REHABILITATION%20CENTER%7C12739060-f64b-4e91-8560-198a97f0458e%2F%29	false		high
https://partosasasic.cf/000/images/adobe.jpg	true	Avira URL Cloud: safe	unknown
https://amcdn.msftauth.net/me?partner=OneNoteOnline&version=10.21153.1&market=EN-US&wrapperId=suiteshell	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://partosasasic.cf/000/images/other1.png	true	Avira URL Cloud: safe	unknown
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	false		high
https://partosasasic.cf/000/	true		unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://partosasasic.cf/000/	true		unknown
http://partosasasic.cf/000	false	Avira URL Cloud: safe	unknown
https://partosasasic.cf/000/css/hover.css	true	Avira URL Cloud: safe	unknown
https://partosasasic.cf/000/images/8.jpg	true	Avira URL Cloud: safe	unknown
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css	false		high
https://partosasasic.cf/000	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	false		high
https://partosasasic.cf/000/images/gmail.png	true	Avira URL Cloud: safe	unknown
https://partosasasic.cf/favicon.ico	false	Avira URL Cloud: safe	unknown
https://1drv.ms/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9	false		high
https://onedrive.live.com/view.aspx?resid=E2AFA75B515F2435!394&ithint=onenote&authkey=!AkHGdlNxucEHnOo	false	SlashNext: Credential Stealing type: Phishing & Social Engineering	high
https://partosasasic.cf/000/images/office3651.png	true	Avira URL Cloud: safe	unknown
https://partosasasic.cf/000/images/outlook1.png	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/images/cleardot.gif	craw_window.js.0.dr	false		high
https://onedrive.live.com/view.aspx?resid=E2AFA75B515F2435	History Provider Cache.0.dr	false		high
https://play.google.com	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	craw_window.js.0.dr, manifest.json0.0.dr	false		high
https://accounts.google.com/MergeSession	craw_window.js.0.dr	false		high
https://www.google.com	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, manifest.json1.0.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false		high
https://accounts.google.com	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, manifest.json1.0.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false		high
https://1drv.ms/o/s	History Provider Cache.0.dr	false		high
https://apis.google.com	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, manifest.json1.0.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false		high
https://www.google.com/accounts/OAuthLogin?issueuberauth=1	craw_window.js.0.dr	false		high
https://www-googleapis-staging.sandbox.google.com	craw_window.js.0.dr, craw_background.js.0.dr	false		high
https://clients2.google.com	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false		high
https://dns.google	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 98cf5bfa-92b0-42de-92a7-39c110d2f8a0.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	craw_window.js.0.dr, craw_background.js.0.dr	false		high
https://www.google.com/intl/en-US/chrome/blank.html	craw_background.js.0.dr	false		high
https://ogs.google.com	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false		high
https://payments.google.com/payments/v4/js/integrator.js	craw_window.js.0.dr, manifest.json0.0.dr	false		high
https://www.google.com;	manifest.json1.0.dr	false	Avira URL Cloud: safe	low
https://hangouts.google.com/	manifest.json1.0.dr	false		high
https://www.google.com/images/x2.gif	craw_window.js.0.dr	false		high
https://www.google.com/images/dot2.gif	craw_window.js.0.dr	false		high
https://clients2.googleusercontent.com	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	false		high
https://spoprod-a.akamaihd.net	cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr	false		high
https://www.google.com/	manifest.json0.0.dr	false		high
https://feedback.googleusercontent.com	manifest.json1.0.dr	false		high
https://onedrive.live.com/redir?resid=E2AFA75B515F2435	History Provider Cache.0.dr	false		high
https://clients2.google.com/service/update2/crx	manifest.json1.0.dr, manifest.json0.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
204.79.197.200	dual-a-0001.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.6.171	b-0016.b-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.246.60	part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.104.208.162	i-db3p-cor004.api.p001.1drv.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.74.195	gstaticadssl.l.google.com	United States	15169	GOOGLEUS	false
142.250.185.65	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
142.250.185.237	accounts.google.com	United States	15169	GOOGLEUS	false
104.18.11.207	maxcdn.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
157.55.109.224	1drv.ms	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.0.209.120	partosasasic.cf	Canada	35893	ACPCA	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.238	clients.l.google.com	United States	15169	GOOGLEUS	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	611550
Start date and time: 19/04/202221:02:03	2022-04-19 21:02:03 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.phis.win@31/103@23/15
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Browse: http://partosasasic.cf/000

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.206, 173.194.187.74, 34.104.35.123, 23.101.173.60, 142.250.184.195, 80.67.82.219, 80.67.82.209, 13.81.118.91, 23.36.156.220, 23.213.170.132, 52.109.76.47, 52.109.76.68, 20.50.201.195, 142.250.181.234, 23.213.168.66, 52.142.114.2, 52.109.76.78, 52.182.143.210, 52.109.88.2, 40.126.32.132, 20.190.160.13, 40.126.32.139, 40.126.32.135, 20.190.160.15, 40.126.32.137, 40.126.32.73, 40.126.32.69, 152.199.19.160, 23.203.68.253, 23.203.67.116, 20.190.159.1, 20.190.159.5, 40.126.31.64, 20.190.159.22, 20.190.159.72, 20.190.159.69, 20.190.159.3, 20.190.159.70, 69.16.175.42, 69.16.175.10, 142.250.186.106, 216.58.212.170, 104.18.23.52, 104.18.22.52, 188.114.97.7, 188.114.96.7, 142.250.185.195, 142.250.185.170, 142.250.185.202, 142.250.185.234, 142.250.184.202, 172.217.16.138, 142.250.184.234, 142.250.186.42, 142.250.186.74, 142.250.186.138, 172.217.18.106, 142.250.186.170, 172.217.23.106, 216.58.212.138, 142.250.185.74, 20.189.173.14, 20.189.173.13, 80.67.82.235, 80.67.82
Excluded domains from analysis (whitelisted): odwebp.trafficmanager.net, e2682.g.akamaiedge.net, cds.s5x3j6q5.hwcdn.net, ka-f.fontawesome.com.cdn.cloudflare.net, r5.sn-4g5e6nsk.gvt1.com, c1-wildcard.cdn.office.net-c.edgekey.net.globalredir.akadns.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, appsforoffice.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, cdn.onenote.net.edgekey.net, star-azurefd-prod.trafficmanager.net, login.live.com, odwebpl.trafficmanager.net, shell.cdn.office.net, update.googleapis.com, officeclient.microsoft.com, www.gstatic.com, onenoteonlinesync.onenote.trafficmanager.net, onedscolprdcus10.centralus.cloudapp.azure.com, westeurope0-odwebp.cloudapp.net, omexmessaging.osi.office.net, fonts.googleapis.com, fs.microsoft.com, content-autofill.googleapis.com, onedscolprdwus13.westus.cloudapp.azure.com, northcentralus0-odwebpl.cloudapp.net, ajax.googleapis.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadn
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	451603
Entropy (8bit):	5.009711072558331
Encrypted:	false
SSDEEP:	12288:ZHfRTyGZ6lup8Cfrvq4JBPKh+FBlESBw4p6:NfOCzvRKhGvwJ
MD5:	A78AD14E77147E7DE3647E61964C0335
SHA1:	CECC3DD41F4CEA0192B24300C71E1911BD4FCE45
SHA-256:	0D6803758FF8F87081FAFD62E90F0950DFB2DD7991E9607FE76A8F92D0E893FA
SHA-512:	DDE24D5AD50D68FC91E9E325D31E66EF8F624B6BB3A07D14FFED1104D3AB5F4EF1D7969A5CDE0DFBB19CB31C506F7DE97AF67C2F244F7E7E8E10648EA8321101
Malicious:	false
Reputation:	low
Preview:	BDic.... ....6...."..Z..4g....6.2...{/...3...5....AF 1363.AF nm.AF pt.AF n1.AF p.AF tc.AF SM.AF M.AF S.AF MS.AF MNR.AF GDS.AF MNT.AF MH.AF MR.AF SZMR.AF MJ.AF MT.AF MY.AF MRZ.AF MN.AF MG.AF RM.AF N.AF MV.AF XM.AF DSM.AF SD.AF G.AF R.AF MNX.AF MRS.AF MD.AF MNRB.AF B.AF ZSMR.AF PM.AF SMNGJ.AF SMN.AF ZMR.AF SMGB.AF MZR.AF GM.AF SMR.AF SMDG.AF RMZ.AF ZM.AF MDG.AF MDT.AF SMNXT.AF SDY.AF LSDG.AF LGDS.AF GLDS.AF UY.AF U.AF DSGNX.AF GNDSX.AF DSG.AF Y.AF GS.AF IEMS.AF YP.AF ZGDRS.AF XGNVDS.AF UT.AF GNDS.AF GVDS.AF MYPS.AF XGNDS.AF TPRY.AF MDSG.AF ZGSDR.AF DYSG.AF PMYTNS.AF AGDS.AF DRZGS.AF PY.AF GSPMDY.AF EGVDS.AF SL.AF GNXDS.AF DSBG.AF IM.AF I.AF MDGS.AF SMY.AF DSGN.AF DSLG.AF GMDS.AF MDSBG.AF SGD.AF IY.AF P.AF DSMG.AF BLZGDRS.AF TR.AF AGSD.AF ZGBDRSL.AF PTRY.AF ASDGV.AF ASM.AF ICANGSD.AF ICAM.AF IKY.AF AMS.AF PMYTRS.AF BZGVDRS.AF SDRBZG.AF GVMDS.AF PSM.AF DGLS.AF GNVXDS.AF AGDSL.AF DGS.AF XDSGNV.AF BZGDRS.AF AM.AF AS.AF A.AF LDSG.AF AGVDS.AF SDG.AF LDSMG.AF EDSMG.AF EY.AF DRSMZG.AF PRYT.AF LZ

Source: Screenshots	OCR Text: Waiting for onedrive.live.com... O Type here to search E Waiting for onedrive.live.com... O Type here to search E Waiting for onemte.ofhceappsjive.com... O Type here to search Waiting for onemte.ofhceappsjive.com... O Type here to search Establishing secure connection.., O Type here to search Waiting for onemte.ofhceappsjive.com... O Type here to search a NEW DOCUMENT FROM RHH A X + O X <- e onedrive.live.com/redir?resid= E2AFA75 B515F2435%21394&authkey=%21AKHGdlNxucEHnOo&page=View&wd =target%28Ouick%20Notes.one%7Ce3e51500-... * e i III 0i NEW DOCUMENT FROM RHH AND RC re p ( Quick NotesNEW DOCUMENT FROM... NEW DOCUMENT FROM ROLLING HILLS HEALTHCARE AND REHABILITATION CENTER Wednesday,Apri1 20, 2022 127 AM Rolling H ills ^_Healthcare KINDLYCLICKTHE LINK BELOWTO vy THE NEW DOCUMENTS FROM ROLLING HILLS HEALTHCARE AND REHABILITATION CENTER VIEW THE NEW DOCUMENT III 0i NEW DOCUMENT FROM RHH AND RC re p ( Quick NotesNEW DOCUMENT FROM... NEW DOCUMENT FROM ROLLING HILLS HEALTHCARE AND REHABILITATION CENTER Wednesday,Apri1 20, 2022 127 AM Rolling H ills ^_Healthcare KINDLY CLICK THE LINK BELOWTO VIEW THE NEW DOCUMENTS FROM ROLLING HILLS HEALTHCARE AND REHABILITATION CENTER VIEW THE NEW DOCUMENT a NEW DOCUMENT FROM RHH A X 0 Share Point Online e e partosasasic.d/000/ Chrome is being controlled by automated test software. X + dL Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe. - a X i X ~ I 0 a NEW DOCUMENT FROM RHH A X 0 Share Point Online e e partosasasic.d/000/ Chrome is being controlled by automated test software. X + dL Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe. - a X i X ~ I 0 a NEW DOCUMENT FROM RHH A X 0 Share Point Online e e partosasasic.d/000/ Chrome is being controlled by automated test software. X + dL Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe. - a X *i X ~ I 0
Source: Screenshots	OCR Text: dL Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe.

Source: https://partosasasic.cf/000/	Matcher: Found strong image similarity, brand: Microsoft image: 67024.3.img.2.gfk.csv C3FC46C5799C76F9107504028F39190F
Source: https://partosasasic.cf/000/	Matcher: Found strong image similarity, brand: Microsoft image: 67024.3.img.3.gfk.csv FE22440D79FFA34950F512EF4A718B2A

Source: https://partosasasic.cf/000/	HTTP Parser: HTML title missing
Source: https://partosasasic.cf/000/	HTTP Parser: HTML title missing

Source: https://partosasasic.cf/000/	HTTP Parser: Number of links: 0
Source: https://partosasasic.cf/000/	HTTP Parser: Number of links: 0

Source: https://partosasasic.cf/000/	HTTP Parser: No <meta name="author".. found
Source: https://partosasasic.cf/000/	HTTP Parser: No <meta name="author".. found

Source: https://partosasasic.cf/000/	HTTP Parser: No <meta name="copyright".. found
Source: https://partosasasic.cf/000/	HTTP Parser: No <meta name="copyright".. found

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenCache-Control: privateContent-Length: 1233Content-Type: text/htmlP3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR"Set-Cookie: X-CorrelationId: 30cb340b-4eae-4e31-8f9e-600655ea9a95X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8Strict-Transport-Security: max-age=31536000Timing-Allow-Origin: *X-OfficeFE: AM4PEPF00006957X-OfficeVersion: 16.0.15128.41022X-OfficeCluster: PNL1X-OFFICEFD: AM4PEPF00006957X-Cache: CONFIG_NOCACHEX-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wacinfra4,afd_wacinfra5X-MSEdge-Ref: Ref A: A230FF1131364E3595C4985CF6A8F8C8 Ref B: AMS04EDGE2205 Ref C: 2022-04-19T19:03:27ZDate: Tue, 19 Apr 2022 19:03:26 GMTConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Tue, 19 Apr 2022 19:03:54 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close

Source: History Provider Cache.0.dr	String found in binary or memory: https://1drv.ms/o/s
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, manifest.json1.0.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://accounts.google.com
Source: craw_window.js.0.dr	String found in binary or memory: https://accounts.google.com/MergeSession
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr	String found in binary or memory: https://ajax.googleapis.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, manifest.json1.0.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://apis.google.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json1.0.dr, manifest.json0.0.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr	String found in binary or memory: https://content-autofill.googleapis.com
Source: manifest.json1.0.dr	String found in binary or memory: https://content.googleapis.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 98cf5bfa-92b0-42de-92a7-39c110d2f8a0.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://dns.google
Source: manifest.json1.0.dr	String found in binary or memory: https://feedback.googleusercontent.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json1.0.dr	String found in binary or memory: https://fonts.googleapis.com;
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json1.0.dr	String found in binary or memory: https://fonts.gstatic.com;
Source: craw_window.js.0.dr, craw_background.js.0.dr	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: manifest.json1.0.dr	String found in binary or memory: https://hangouts.google.com/
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://ogs.google.com
Source: History Provider Cache.0.dr	String found in binary or memory: https://onedrive.live.com/redir?resid=E2AFA75B515F2435
Source: History Provider Cache.0.dr	String found in binary or memory: https://onedrive.live.com/view.aspx?resid=E2AFA75B515F2435
Source: craw_window.js.0.dr, manifest.json0.0.dr	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://play.google.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr	String found in binary or memory: https://r5---sn-4g5e6nsk.gvt1.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr	String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.0.dr, manifest.json0.0.dr	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr	String found in binary or memory: https://spoprod-a.akamaihd.net
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.0.dr, craw_background.js.0.dr	String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, manifest.json1.0.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://www.google.com
Source: manifest.json0.0.dr	String found in binary or memory: https://www.google.com/
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.0.dr	String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.0.dr	String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: manifest.json1.0.dr	String found in binary or memory: https://www.google.com;
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, craw_window.js.0.dr, craw_background.js.0.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://www.googleapis.com
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json0.0.dr	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json1.0.dr	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: cabd9804-db96-41fc-916b-6d567750f0d1.tmp.1.dr, 26bad074-eadd-4542-9f4f-159f4f608e97.tmp.1.dr	String found in binary or memory: https://www.gstatic.com
Source: manifest.json1.0.dr	String found in binary or memory: https://www.gstatic.com;

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2022 21:03:06.350907087 CEST	57421	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:06.356874943 CEST	65358	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:06.357667923 CEST	49873	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:06.369791031 CEST	53	57421	8.8.8.8	192.168.2.3
Apr 19, 2022 21:03:06.376045942 CEST	53	49873	8.8.8.8	192.168.2.3
Apr 19, 2022 21:03:06.383917093 CEST	53	65358	8.8.8.8	192.168.2.3
Apr 19, 2022 21:03:06.966741085 CEST	63548	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:11.296519041 CEST	61380	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:11.386622906 CEST	63146	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:13.325977087 CEST	50778	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:15.793863058 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:15.817312002 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.821122885 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:15.844619036 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.844685078 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.844724894 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.844763041 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.845186949 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:15.846323013 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:15.888319016 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:15.888686895 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:15.911847115 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.924352884 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.924408913 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.924441099 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.942302942 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:15.998879910 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:16.111066103 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:16.210933924 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:16.211276054 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:16.211354971 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:16.211447001 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:16.228907108 CEST	443	59798	142.250.184.238	192.168.2.3
Apr 19, 2022 21:03:16.268400908 CEST	59798	443	192.168.2.3	142.250.184.238
Apr 19, 2022 21:03:21.479895115 CEST	53816	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:25.874419928 CEST	49723	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:26.112303972 CEST	52581	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:26.770358086 CEST	56639	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:27.302424908 CEST	52427	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:27.327166080 CEST	53	52427	8.8.8.8	192.168.2.3
Apr 19, 2022 21:03:27.648703098 CEST	62724	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:28.077030897 CEST	64941	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:28.541934013 CEST	54960	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:45.823362112 CEST	51779	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:45.862898111 CEST	53	51779	8.8.8.8	192.168.2.3
Apr 19, 2022 21:03:49.798881054 CEST	62701	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:49.799118042 CEST	53524	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:49.799637079 CEST	61555	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:49.820117950 CEST	53	62701	8.8.8.8	192.168.2.3
Apr 19, 2022 21:03:50.105811119 CEST	62547	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:50.109472990 CEST	54096	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:50.127921104 CEST	53	54096	8.8.8.8	192.168.2.3
Apr 19, 2022 21:03:55.469851971 CEST	57829	53	192.168.2.3	8.8.8.8
Apr 19, 2022 21:03:55.497900963 CEST	53	57829	8.8.8.8	192.168.2.3
Apr 19, 2022 21:04:30.486996889 CEST	59065	53	192.168.2.3	8.8.8.8

Timestamp	kBytes transferred	Direction	Data
Apr 19, 2022 21:03:46.382301092 CEST	23657	OUT	GET /000 HTTP/1.1 Host: partosasasic.cf Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Apr 19, 2022 21:03:46.553565979 CEST	23658	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Tue, 19 Apr 2022 19:03:46 GMT server: LiteSpeed location: https://partosasasic.cf/000 x-turbo-charged-by: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:06 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-85.0.4183.121 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-04-19 19:03:06 UTC	1	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-9hw3eJ80IuoSyQcmtOII9w' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 19 Apr 2022 19:03:06 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5587 X-Daystart: 43386 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-04-19 19:03:06 UTC	2	IN	Data Raw: 35 31 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 35 38 37 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 34 33 33 38 36 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 51e<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5587" elapsed_seconds="43386"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2022-04-19 19:03:06 UTC	2	IN	Data Raw: 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 70 Data Ascii: mhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><ap
2022-04-19 19:03:06 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:06 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-04-19 19:03:06 UTC	1	OUT	Data Raw: 20 Data Ascii:
2022-04-19 19:03:06 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 19 Apr 2022 19:03:06 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce-nsftbfeHiNkyldOUThneWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'nonce-nsftbfeHiNkyldOUThneWw' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Report-To: {"group":"IdentityListAccountsHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external"}]} Cross-Origin-Opener-Policy: same-origin; report-to="IdentityListAccountsHttp" Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-04-19 19:03:06 UTC	5	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2022-04-19 19:03:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:14 UTC	271	OUT	POST /o/RemoteUls.ashx?build=16.0.15128.41022&waccluster=PNL1 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 0 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 X-BrowserUlsBeacon: [{"Index":3,"MsSinceStart":1293,"Value":"Get cells response received:200","Type":"BootLogs"}] Accept: / Origin: https://onenote.officeapps.live.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:14 UTC	273	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 61d42e7b-641f-47fa-b5ab-dafbcc9aaef0 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006957 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onenote.officeapps.live.com Access-Control-Expose-Headers: X-EndSession, X-CorrelationId, X-OfficeFE, X-NewKey, X-bULS-SuppressionETag, X-bULS-SuppressedTags Cross-Origin-Resource-Policy: cross-origin X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006957 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_visioslice,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: B53E1B21F915480898EA93872E7D483A Ref B: AMS04EDGE2216 Ref C: 2022-04-19T19:03:14Z Date: Tue, 19 Apr 2022 19:03:14 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:15 UTC	274	OUT	POST /o/RemoteUls.ashx?build=16.0.15128.41022&waccluster=PNL1 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 0 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 X-BrowserUlsBeacon: [{"Index":4,"MsSinceStart":1298,"Value":"Launching FastView from entry point WacBootGetCells","Type":"BootLogs"},{"Index":5,"MsSinceStart":1301,"Value":"RecordContentDisplayed","Type":"BootPhaseCompleted"}] Accept: / Origin: https://onenote.officeapps.live.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:15 UTC	276	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 77960de3-a69a-418c-8130-264f6d9e2653 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006022 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onenote.officeapps.live.com Access-Control-Expose-Headers: X-EndSession, X-CorrelationId, X-OfficeFE, X-NewKey, X-bULS-SuppressionETag, X-bULS-SuppressedTags Cross-Origin-Resource-Policy: cross-origin X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006022 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_visioslice,afd_wordcapacity_2,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: D6C88FC320044C5E82B79F385D0AF55B Ref B: AM3EDGE1021 Ref C: 2022-04-19T19:03:15Z Date: Tue, 19 Apr 2022 19:03:14 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:15 UTC	277	OUT	POST /o/OneNoteS2SHandler.ashx?action=educationuser&WOPIsrc=https%3A%2F%2Fwopi%2Eonedrive%2Ecom%2Fwopi%2Ffolders%2FE2AFA75B515F2435%21394&access_token=4wGPVnpMVT07tsQgwPpSKKj7fS83GhpdGdrnabEdo9bNwZQLIv44DGEMRcO%5FuFyUe%2DjX%2DDmDILzQh9FOyJvqq6KSrZpMPPItz77iijKDoSsI0IT5vyVG94eRfaOVZLhKnkm0xHpQkFzBZaBJr1TEfe3WDUGAWv4Jkn5u%2DzJ9W5eMw&access_token_ttl=1652209391149 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 0 haep: 1 X-WacFrontEnd: AM4PEPF00006B54 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 X-OfficeVersion: 16.0.15128.41022 X-Key: vXhHJxtHQGT6RxXdWMOps17SbTSxQp1/phscllTMC40=,637859917928282131 X-WacUserAgent: MSWACONSync Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 X-Requested-With: XMLHttpRequest X-UserType: WOPI X-xhr: 1 X-IsCoauthSession: false X-WacCluster: PNL1 Accept: / Origin: https://onenote.officeapps.live.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:15 UTC	279	IN	HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Expires: -1 P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: e443cfa5-2bbd-4189-87d4-49603060802e X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006959 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006959 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_excelslice,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: DA6335A485C74FDA9BCF47EA3D222253 Ref B: AM3EDGE0320 Ref C: 2022-04-19T19:03:15Z Date: Tue, 19 Apr 2022 19:03:15 GMT Connection: close
2022-04-19 19:03:15 UTC	280	IN	Data Raw: 62 64 0d 0a 7b 22 52 65 73 70 6f 6e 73 65 73 22 3a 5b 5b 36 30 2c 7b 22 69 73 45 64 75 63 61 74 69 6f 6e 22 3a 66 61 6c 73 65 2c 22 69 73 54 65 61 63 68 65 72 22 3a 66 61 6c 73 65 2c 22 69 73 53 74 75 64 65 6e 74 22 3a 66 61 6c 73 65 2c 22 69 73 4f 33 36 35 53 75 62 73 63 72 69 62 65 72 22 3a 66 61 6c 73 65 2c 22 4f 70 65 72 61 74 69 6f 6e 49 64 22 3a 30 2c 22 53 74 61 74 75 73 43 6f 64 65 22 3a 30 2c 22 52 61 77 43 65 6c 6c 53 74 6f 72 61 67 65 45 72 72 6f 72 43 6f 64 65 22 3a 22 22 2c 22 53 65 72 76 65 72 50 61 67 65 53 74 61 74 73 54 72 61 63 65 22 3a 22 22 7d 5d 5d 7d 0d 0a Data Ascii: bd{"Responses":[[60,{"isEducation":false,"isTeacher":false,"isStudent":false,"isO365Subscriber":false,"OperationId":0,"StatusCode":0,"RawCellStorageErrorCode":"","ServerPageStatsTrace":""}]]}
2022-04-19 19:03:15 UTC	280	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:20 UTC	282	OUT	POST /o/RemoteUls.ashx?build=16.0.15128.41022&waccluster=PNL1 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 0 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 X-BrowserUlsBeacon: [{"Index":7,"MsSinceStart":5480,"Value":"RecordAppInteractive","Type":"BootPhaseCompleted"}] Accept: / Origin: https://onenote.officeapps.live.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:20 UTC	286	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 823204c1-75c5-4f6f-a4b4-5f2fb008597e X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006020 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onenote.officeapps.live.com Access-Control-Expose-Headers: X-EndSession, X-CorrelationId, X-OfficeFE, X-NewKey, X-bULS-SuppressionETag, X-bULS-SuppressedTags Cross-Origin-Resource-Policy: cross-origin X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006020 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_pptcapacity,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: 15A901F8BF3848AE88641932E8F93BF6 Ref B: AM3EDGE1014 Ref C: 2022-04-19T19:03:20Z Date: Tue, 19 Apr 2022 19:03:19 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:20 UTC	284	OUT	GET /o/GetImage.ashx?&WOPIsrc=https%3A%2F%2Fwopi%2Eonedrive%2Ecom%2Fwopi%2Ffiles%2FE2AFA75B515F2435%21396&access_token=4wXXOs55hCBkuM%2DGueQLkkCXikgVkbv%5FJ6RzZa5J3pzKVu51V2j1kaB1%2DGqIUIIFp2z%2D6d0hv5siq%2DZpZmhbcIHlkgZCOcw5JqHLoqzjGQqsnvQQzcbX40gJpiuaUDDwa5wUPxMrUUBHe2X9lIe27tgoXmeRTTt2MFPV5wq5hGtkc&access_token_ttl=1652209391149&ObjectDataBlobId=%7B0dbcce29-f141-4b95-9b39-4c9b09e8268c%7D%7B1%7D&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&build=16.0.15128.41022&waccluster=PNL1&wdwacuseragent=MSWACONSync&DataUrlEnabled=true HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive haep: 1 X-WacFrontEnd: AM4PEPF00006B54 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 X-OfficeVersion: 16.0.15128.41022 X-Key: vXhHJxtHQGT6RxXdWMOps17SbTSxQp1/phscllTMC40=,637859917928282131 X-WacUserAgent: MSWACONSync User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 X-Requested-With: XMLHttpRequest X-UserType: WOPI X-xhr: 1 X-IsCoauthSession: true X-WacCluster: PNL1 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:20 UTC	287	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 18970 Content-Type: text/plain; charset=utf-8 Expires: Wed, 19 Apr 2023 19:03:20 GMT ETag: "WOPIsrc=https%3A%2F%2Fwopi%2Eonedrive%2Ecom%2Fwopi%2Ffiles%2FE2AFA75B515F2435%21396&access_token=4wXXOs55hCBkuM%2DGueQLkkCXikgVkbv%5FJ6RzZa5J3pzKVu51V2j1kaB1%2DGqIUIIFp2z%2D6d0hv5siq%2DZpZmhbcIHlkgZCOcw5JqHLoqzjGQqsnvQQzcbX40gJpiuaUDDwa5wUPxMrUUBHe2X9lIe27tgoXmeRTTt2MFPV5wq5hGtkc&access_token_ttl=1652209391149{0dbcce29-f141-4b95-9b39-4c9b09e8268c}{1}" P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 0ac2da19-ce0b-4281-8c7b-83b5779e95ba X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006B55 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006B55 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: 0C70B3F6F0D24F238E099672BA44C1D0 Ref B: AM3EDGE0720 Ref C: 2022-04-19T19:03:20Z Date: Tue, 19 Apr 2022 19:03:19 GMT Connection: close
2022-04-19 19:03:20 UTC	288	IN	Data Raw: 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 75 49 41 41 41 43 33 43 41 59 41 41 41 42 58 50 7a 74 53 41 41 41 41 41 58 4e 53 52 30 49 41 72 73 34 63 36 51 41 41 41 41 52 6e 51 55 31 42 41 41 43 78 6a 77 76 38 59 51 55 41 41 41 41 4a 63 45 68 5a 63 77 41 41 43 78 4d 41 41 41 73 54 41 51 43 61 6e 42 67 41 41 44 63 58 53 55 52 42 56 48 68 65 37 5a 31 68 6a 42 7a 6e 65 64 2f 66 64 2f 5a 34 5a 49 73 41 5a 4e 42 38 61 4f 48 47 59 74 70 38 45 6d 72 70 68 4b 43 69 4a 55 51 69 42 54 4f 69 47 63 6a 51 47 55 30 74 70 69 5a 74 36 6b 4d 72 31 2f 71 67 6f 34 79 4b 41 6b 47 4a 52 34 6b 67 4c 4b 4d 52 54 78 38 59 57 45 42 52 55 53 58 64 30 45 59 4c 6e 57 41 69 74 4a 77 7a 64 Data Ascii: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAuIAAAC3CAYAAABXPztSAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAACxMAAAsTAQCanBgAADcXSURBVHhe7Z1hjBzned/fd/Z4ZIsAZNB8aOHGYtp8EmrphKCiJUQiBTOiGcjQGU0tpiZt6kMr1/qgo4yKAkGJR4kgLKMRTx8YWEBRUSXd0EYLnWAitJwzd
2022-04-19 19:03:20 UTC	290	IN	Data Raw: 38 46 6d 59 37 4b 2f 4c 33 79 69 33 42 55 47 6c 6c 48 64 43 4e 43 48 70 72 4c 55 58 59 50 51 67 67 68 33 71 45 51 62 7a 6a 49 37 43 45 43 39 53 4f 5a 72 55 61 46 7a 47 4c 5a 33 70 34 49 35 69 47 6d 33 58 49 71 49 74 75 4f 69 46 79 49 58 62 65 71 71 6d 79 50 37 53 70 5a 6a 35 57 51 44 59 45 6f 50 37 50 33 59 5a 6b 37 62 56 63 49 69 4a 49 6a 75 38 65 33 66 6a 49 4f 33 79 47 45 45 46 49 71 46 4f 49 4e 42 51 4c 74 70 51 74 58 35 35 45 57 7a 36 30 61 46 2b 35 48 5a 56 41 33 50 78 52 52 4b 6b 49 52 74 63 34 48 58 71 64 42 61 72 76 52 63 55 41 6d 46 37 64 4d 69 42 2f 6d 39 70 34 56 41 62 35 66 78 59 4d 4a 49 63 5a 44 38 39 31 6f 6e 68 42 43 69 44 63 6f 78 42 74 49 46 41 57 66 57 50 6e 4c 68 6c 74 52 2b 6f 4b 49 4e 73 36 42 57 78 78 49 4f 4e 45 71 49 78 31 68 55 Data Ascii: 8FmY7K/L3yi3BUGllHdCNCHprLUXYPQggh3qEQbzjI7CEC9SOZrUaFzGLZ3p4I5iGm3XIqItuOiFyIXbeqqmyP7SpZj5WQDYEoP7P3YZk7bVcIiJIju8e3fjIO3yGEEFIqFOINBQLtpQtX55EWz60aF+5HZVA3PxRRKkIRtc4HXqdBarvRcUAmF7dMiB/m9p4VAb5fxYMJIcZD891onhBCiDcoxBtIFAWfWPnLhltR+oKINs6BWxxIONEqIx1hU
2022-04-19 19:03:20 UTC	298	IN	Data Raw: 47 69 62 77 2f 34 78 52 38 74 7a 57 6d 74 70 70 37 61 74 78 75 66 68 52 42 43 43 43 6d 4d 32 67 74 78 65 36 74 37 30 38 70 2b 53 36 31 41 7a 33 44 41 46 71 6b 4b 46 4f 54 44 59 63 64 36 33 4a 35 79 69 36 6f 4d 4b 78 6b 73 4b 55 45 51 76 47 2b 4d 65 75 50 41 46 33 63 33 6f 74 67 53 49 59 53 51 36 6c 4a 72 49 54 36 67 75 69 47 72 59 70 4a 4b 67 2f 61 37 47 70 6f 5a 2b 53 66 4d 36 69 46 6e 53 58 69 50 77 4a 4b 79 73 68 4c 41 32 72 4a 64 61 2f 33 30 56 78 35 2f 6c 4f 65 56 45 45 4a 49 6f 64 52 57 69 4c 76 55 68 50 44 64 72 76 4f 57 79 6b 47 64 5a 41 45 50 55 68 63 77 71 44 4f 63 43 41 34 62 70 51 37 4c 59 70 59 42 6a 44 65 6c 7a 5a 39 6a 6d 38 2f 48 39 39 39 62 51 73 51 39 75 6b 75 68 64 66 6a 41 56 78 35 2f 6a 48 66 52 43 43 47 45 46 45 6f 74 68 66 6a 4c 35 Data Ascii: Gibw/4xR8tzWmtpp7atxufhRBCCCmM2gtxe6t708p+S61Az3DAFqkKFOTDYcd63J5yi6oMKxksKUEQvG+MeuPAF3c3otgSIYSQ6lJrIT6guiGrYpJKg/a7GpoZ+SfM6iFnSXiPwJKyshLA2rJda/30Vx5/lOeVEEJIodRWiLvUhPDdrvOWykGdZAEPUhcwqDOcCA4bpQ7LYpYBjDelzZ9jm8/H999bQsQ9ukuhdfjAVx5/jHfRCCGEFEothfjL5
2022-04-19 19:03:20 UTC	303	IN	Data Raw: 69 59 6e 77 31 2b 58 2f 38 41 76 47 36 50 65 67 41 42 79 4c 78 75 57 37 52 43 62 49 75 6a 50 47 42 4e 38 39 50 33 33 6c 6a 36 56 36 52 77 71 42 73 61 44 57 57 4d 67 69 41 39 38 38 64 47 35 72 2b 7a 62 50 66 33 55 76 74 30 37 6b 50 2f 59 47 48 30 45 4e 68 4e 35 32 75 63 2f 30 59 51 30 79 4e 2b 51 78 78 4e 42 45 4c 77 76 6e 38 66 49 74 43 6a 54 4c 50 7a 74 39 69 58 46 67 59 68 38 34 6a 6a 6c 38 44 4b 66 32 37 48 46 33 56 56 41 52 48 71 33 74 4b 39 64 64 68 6e 69 4f 5a 37 55 76 35 44 70 36 7a 30 54 6f 67 41 6e 45 6c 50 30 2f 76 55 54 52 54 67 68 59 77 38 73 42 6b 6a 4e 42 6f 7a 35 5a 76 52 59 42 45 45 69 34 4a 52 56 4c 4d 61 44 2f 55 67 48 6c 4c 37 48 39 55 4f 30 2b 6f 37 75 44 4b 4c 30 53 5a 32 75 58 56 6e 74 65 55 67 6f 78 46 4f 53 46 4f 59 48 48 6e 39 30 Data Ascii: iYnw1+X/8AvG6PegAByLxuW7RCbIujPGBN89P33lj6V6RwqBsaDWWMgiA988dG5r+zbPf3Uvt07kP/YGH0ENhN52uc/0YQ0yN+QxxNBELwvn8fItCjTLPzt9iXFgYh84jjl8DKf27HF3VVARHq3tK9ddhniOZ7Uv5Dp6z0TogAnElP0/vUTRTghYw8sBkjNBoz5ZvRYBEEi4JRVLMaD/UgHlL7H9UO0+o7uDKL0SZ2uXVnteUgoxFOSFOYHHn90

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:21 UTC	307	OUT	POST /o/RemoteUls.ashx?build=16.0.15128.41022&waccluster=PNL1 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 15046 X-WacFrontEnd: AM4PEPF00006B54 X-OfficeVersion: 16.0.15128.41022 X-Key: vXhHJxtHQGT6RxXdWMOps17SbTSxQp1/phscllTMC40=,637859917928282131 X-WacUserAgent: MSWACONSync X-bULS-SuppressionETag: 6C1139DD5A0A78408103B6543CCEBA76871E3829 X-AccessTokenTtl: 1652209391149 X-Requested-With: XMLHttpRequest X-xhr: 1 haep: 1 X-AccessToken: 4wGPVnpMVT07tsQgwPpSKKj7fS83GhpdGdrnabEdo9bNwZQLIv44DGEMRcO_uFyUe-jX-DmDILzQh9FOyJvqq6KSrZpMPPItz77iijKDoSsI0IT5vyVG94eRfaOVZLhKnkm0xHpQkFzBZaBJr1TEfe3WDUGAWv4Jkn5u-zJ9W5eMw X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-UserType: WOPI X-IsCoauthSession: true X-WacCluster: PNL1 Accept: / Origin: https://onenote.officeapps.live.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:21 UTC	309	OUT	Data Raw: 7b 22 54 22 3a 31 36 35 30 34 32 37 33 39 34 38 35 33 2c 22 4c 22 3a 5b 7b 22 47 22 3a 32 30 30 32 35 36 37 39 2c 22 54 22 3a 2d 32 38 39 2c 22 4d 22 3a 22 53 65 74 41 70 70 49 6e 69 74 69 61 6c 69 7a 61 74 69 6f 6e 53 74 61 74 75 73 3a 20 61 70 70 43 74 6f 72 53 74 61 72 74 69 6e 67 22 2c 22 43 22 3a 33 30 36 2c 22 44 22 3a 35 30 7d 2c 7b 22 47 22 3a 35 39 32 34 38 37 38 39 32 2c 22 54 22 3a 2d 32 37 34 2c 22 4d 22 3a 22 49 73 48 6f 73 74 46 72 61 6d 65 54 72 75 73 74 65 64 3a 32 22 2c 22 43 22 3a 33 30 36 2c 22 44 22 3a 35 30 7d 2c 7b 22 47 22 3a 33 39 30 38 39 31 31 33 2c 22 54 22 3a 2d 32 36 34 2c 22 4d 22 3a 22 53 53 45 44 3a 73 74 61 72 74 73 65 73 73 69 6f 6e 20 69 6e 66 6f 20 73 65 6e 74 20 74 6f 20 4f 74 65 6c 22 2c 22 43 22 3a 33 30 36 2c 22 44 Data Ascii: {"T":1650427394853,"L":[{"G":20025679,"T":-289,"M":"SetAppInitializationStatus: appCtorStarting","C":306,"D":50},{"G":592487892,"T":-274,"M":"IsHostFrameTrusted:2","C":306,"D":50},{"G":39089113,"T":-264,"M":"SSED:startsession info sent to Otel","C":306,"D
2022-04-19 19:03:21 UTC	324	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: d05e69df-3d9a-457d-81df-a9a168c76dd0 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006957 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onenote.officeapps.live.com Access-Control-Expose-Headers: X-EndSession, X-CorrelationId, X-OfficeFE, X-NewKey, X-bULS-SuppressionETag, X-bULS-SuppressedTags Cross-Origin-Resource-Policy: cross-origin X-bULS-SuppressionETag: 6C1139DD5A0A78408103B6543CCEBA76871E3829 X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006957 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: 5DAD2A0793A04995BCD19B7A49471607 Ref B: AM3EDGE1014 Ref C: 2022-04-19T19:03:21Z Date: Tue, 19 Apr 2022 19:03:21 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:21 UTC	323	OUT	POST /o/RemoteTelemetry.ashx HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 125 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://onedrive.live.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://onedrive.live.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:21 UTC	324	OUT	Data Raw: 7b 22 74 79 70 65 22 3a 22 4a 53 41 50 49 5f 53 54 41 54 45 22 2c 22 70 61 79 6c 6f 61 64 4a 73 6f 6e 22 3a 22 7b 5c 22 61 70 70 6c 69 63 61 74 69 6f 6e 5c 22 3a 5c 22 4f 6e 65 4e 6f 74 65 5c 22 2c 5c 22 62 75 69 6c 64 5c 22 3a 5c 22 31 36 2e 30 2e 31 35 32 31 31 2e 34 31 30 32 30 5c 22 2c 5c 22 73 74 61 74 65 5c 22 3a 5c 22 62 6f 6f 74 53 75 63 63 65 73 73 5c 22 7d 22 7d Data Ascii: {"type":"JSAPI_STATE","payloadJson":"{\"application\":\"OneNote\",\"build\":\"16.0.15211.41020\",\"state\":\"bootSuccess\"}"}
2022-04-19 19:03:21 UTC	326	IN	HTTP/1.1 200 OK Cache-Control: private P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: e04460e8-528a-428a-8e36-a1a47918e9b2 X-UserSessionId: e04460e8-528a-428a-8e36-a1a47918e9b2 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006B52 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onedrive.live.com X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006B52 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: 72E7735ACF8B42D2B5F2F70ADBE2E9FA Ref B: AMS04EDGE2208 Ref C: 2022-04-19T19:03:21Z Date: Tue, 19 Apr 2022 19:03:21 GMT Connection: close Content-Length: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

C:\Users\user\AppData\Local\Google\Chrome\User Data\10f9ed52-1525-4254-b07d-ad71977953e4.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\6215877a-0c6f-4e71-bd57-70daa8ab2293.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\6f011a48-73e4-420f-a85e-ad645980264f.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\882e3715-2255-4b15-8446-27bb6b178ccd.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\8efb36de-b0a2-4f28-9d68-393d48e70a5c.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\0562a1f0-0ddd-48df-85ca-a78745fafba5.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\1f6855c5-52e1-4cab-afe5-3f5ef8e5c3db.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\26bad074-eadd-4542-9f4f-159f4f608e97.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\32fc9946-a08d-4bb8-a356-4599630aabbc.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\41f253be-f999-44d3-a0a8-8347f735a35e.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\644d4fcf-499e-4f90-aa4f-f84b9d2c5926.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\8c7ed202-1527-4308-bbe5-2cdaa9e24595.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000003.log

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_onenote.officeapps.live.com_0.indexeddb.leveldb\000001.dbtmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_onenote.officeapps.live.com_0.indexeddb.leveldb\CURRENT (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_onenote.officeapps.live.com_0.indexeddb.leveldb\MANIFEST-000001

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\98cf5bfa-92b0-42de-92a7-39c110d2f8a0.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache\data_1

Windows Analysis Report
https://1drv.ms:443/o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:21 UTC	326	OUT	POST /o/RemoteUls.ashx?usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&officeserverversion=16.0.15211.41020 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 4849 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://onedrive.live.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty Referer: https://onedrive.live.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:21 UTC	327	OUT	Data Raw: 7b 22 54 22 3a 31 36 35 30 34 32 37 33 39 32 32 32 37 2c 22 4c 22 3a 5b 7b 22 47 22 3a 35 39 35 37 31 34 37 31 35 2c 22 54 22 3a 32 34 31 2c 22 4d 22 3a 22 52 65 63 65 69 76 65 64 20 6d 65 73 73 61 67 65 49 64 3a 20 57 61 63 5f 41 70 70 42 6f 6f 74 53 74 61 74 65 2c 20 63 6f 72 72 65 6c 61 74 69 6f 6e 3a 20 75 6e 64 65 66 69 6e 65 64 22 2c 22 43 22 3a 33 37 39 2c 22 44 22 3a 35 30 7d 2c 7b 22 47 22 3a 35 39 36 34 36 34 32 38 38 2c 22 54 22 3a 32 34 31 2c 22 4d 22 3a 22 50 72 6f 63 65 73 73 69 6e 67 20 6d 65 73 73 61 67 65 3a 20 57 61 63 5f 41 70 70 42 6f 6f 74 53 74 61 74 65 22 2c 22 43 22 3a 33 37 39 2c 22 44 22 3a 35 30 7d 2c 7b 22 47 22 3a 35 39 35 37 31 34 32 37 31 2c 22 54 22 3a 32 34 31 2c 22 4d 22 3a 22 57 41 43 20 42 6f 6f 74 20 41 70 70 20 73 74 Data Ascii: {"T":1650427392227,"L":[{"G":595714715,"T":241,"M":"Received messageId: Wac_AppBootState, correlation: undefined","C":379,"D":50},{"G":596464288,"T":241,"M":"Processing message: Wac_AppBootState","C":379,"D":50},{"G":595714271,"T":241,"M":"WAC Boot App st
2022-04-19 19:03:22 UTC	332	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 40b72dab-0257-4753-ba30-94ef30fd2668 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006B55 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onedrive.live.com Access-Control-Expose-Headers: X-EndSession, X-CorrelationId, X-OfficeFE, X-NewKey, X-bULS-SuppressionETag, X-bULS-SuppressedTags Cross-Origin-Resource-Policy: cross-origin X-bULS-SuppressionETag: 6C1139DD5A0A78408103B6543CCEBA76871E3829 X-bULS-SuppressedTags: 378069,1671813,2209344,3290144,4298965,4298968,4298969,4751696,5306497,5904476,6375195,6572226,6948167,7463498,17085210,17085216,17162522,17358857,19743902,21627712,21631370,22401293,22410500,22598977,22680210,22680213,22680214,22836558,22946650,23909858,24401375,24462656,24515087,25514973,33592839,34388130,35682372,36472266,36546380,36546381,36546382,36569418,36708451,36773964,36791688,36811158,36811159,36963655,37288035,37876293,37876294,37889309,38293640,38535900,38543496,38580697,38637954,38922202,39076766,39076767,39105358,39408129,39613840,39966341,40437001,40935455,40957978,40957979,41003225,41207258,41502555,41711299,41952657,41964821,41964885,42272991,42496725,42513088,42815875,42857251,50406866,50431969,50619726,50622685,50622687,51451613,51504083,51667010,538543587,539874723,540378699,540378700,542700237,542994947,545783884,557077970,557389507,557670930,558735363,559423838,559424262,559486496,559760215,559760216,570507662,571549507,571786073,571786074,574468116,575157663,575157664,575157665,575157666,575157667,575157696,575157697,575157698,575157699,575157700,575157701,575157702,577295376,577626581,577831138,578164000,587862985,591684683,591729363,592259104,592556551,592843145,593780815,593838232,594134597,594392640,594392649,594392666,594396706,594830612,595137156,595714715,595895774,596115913,596444186,596464289,845836083,845836084,845836085,846166132,876178018,963472182,1630679666,1630679667,1633958006,1647605351,1664576567,1698260075,1718235956,1765045358,1802139698,1986689397,1986689633,1986689647,1986748791,1986748793,1986749030,1986749288,1986749546,2004443760,2004444278,2004448354 X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006B55 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: 2A51B954525741C498C35447469F3D73 Ref B: AMS04EDGE2909 Ref C: 2022-04-19T19:03:22Z Date: Tue, 19 Apr 2022 19:03:21 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:23 UTC	335	OUT	GET /o/App_Scripts/Acl/Acl1033.js HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: OneNotePenInkColorAndThickness=%7B%22color%22%3A%224210752%22%2C%22Tyd%22%3A%223%22%7D; xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:23 UTC	336	IN	HTTP/1.1 200 OK Cache-Control: public,max-age=31536000 Content-Length: 19181 Content-Type: application/javascript Last-Modified: Fri, 28 Jan 2022 02:25:38 GMT Accept-Ranges: bytes ETag: "d5448e56ee13d81:0" P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: d0b9ab50-2ebd-492b-a212-44ba92bf0190 X-UserSessionId: d0b9ab50-2ebd-492b-a212-44ba92bf0190 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF0000695D X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 X-OFFICEFD: AM4PEPF0000695D X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wordcapacity_2_control,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: 600EDB68D6354D3D92BDCE4F7A1ABF17 Ref B: AMS04EDGE3406 Ref C: 2022-04-19T19:03:23Z Date: Tue, 19 Apr 2022 19:03:23 GMT Connection: close
2022-04-19 19:03:23 UTC	337	IN	Data Raw: ef bb bf 76 61 72 20 41 75 74 6f 43 6f 72 72 65 63 74 4c 69 73 74 3d 7b 22 28 63 29 22 3a 22 c2 a9 22 2c 22 28 72 29 22 3a 22 c2 ae 22 2c 22 28 74 6d 29 22 3a 22 e2 84 a2 22 2c 22 2e 2e 2e 22 3a 22 e2 80 a6 22 2c 22 61 62 62 6f 75 74 22 3a 22 61 62 6f 75 74 22 2c 22 61 62 6f 74 75 22 3a 22 61 62 6f 75 74 22 2c 22 61 62 6f 75 74 61 22 3a 22 61 62 6f 75 74 20 61 22 2c 22 61 62 6f 75 74 69 74 22 3a 22 61 62 6f 75 74 20 69 74 22 2c 22 61 62 6f 75 74 74 68 65 22 3a 22 61 62 6f 75 74 20 74 68 65 22 2c 22 61 62 73 63 65 6e 63 65 22 3a 22 61 62 73 65 6e 63 65 22 2c 22 61 63 63 65 73 6f 72 69 65 73 22 3a 22 61 63 63 65 73 73 6f 72 69 65 73 22 2c 22 61 63 63 69 64 61 6e 74 22 3a 22 61 63 63 69 64 65 6e 74 22 2c 22 61 63 63 6f 6d 6f 64 61 74 65 22 3a 22 61 63 63 6f Data Ascii: var AutoCorrectList={"(c)":"","(r)":"","(tm)":"","...":"","abbout":"about","abotu":"about","abouta":"about a","aboutit":"about it","aboutthe":"about the","abscence":"absence","accesories":"accessories","accidant":"accident","accomodate":"acco
2022-04-19 19:03:23 UTC	340	IN	Data Raw: 6b 22 2c 22 63 68 6e 61 67 65 22 3a 22 63 68 61 6e 67 65 22 2c 22 63 69 65 6c 69 6e 67 22 3a 22 63 65 69 6c 69 6e 67 22 2c 22 63 69 72 63 75 74 22 3a 22 63 69 72 63 75 69 74 22 2c 22 63 6c 61 65 72 22 3a 22 63 6c 65 61 72 22 2c 22 63 6c 61 65 72 65 64 22 3a 22 63 6c 65 61 72 65 64 22 2c 22 63 6c 61 65 72 6c 79 22 3a 22 63 6c 65 61 72 6c 79 22 2c 22 63 6c 69 61 6e 74 22 3a 22 63 6c 69 65 6e 74 22 2c 22 63 6c 69 63 68 65 22 3a 22 63 6c 69 63 68 c3 a9 22 2c 22 63 6e 61 22 3a 22 63 61 6e 22 2c 22 63 6f 6c 65 63 74 69 6f 6e 22 3a 22 63 6f 6c 6c 65 63 74 69 6f 6e 22 2c 22 63 6f 6d 61 6e 69 65 73 22 3a 22 63 6f 6d 70 61 6e 69 65 73 22 2c 22 63 6f 6d 61 6e 79 22 3a 22 63 6f 6d 70 61 6e 79 22 2c 22 63 6f 6d 61 70 6e 69 65 73 22 3a 22 63 6f 6d 70 61 6e 69 65 73 22 Data Ascii: k","chnage":"change","cieling":"ceiling","circut":"circuit","claer":"clear","claered":"cleared","claerly":"clearly","cliant":"client","cliche":"clich","cna":"can","colection":"collection","comanies":"companies","comany":"company","comapnies":"companies"
2022-04-19 19:03:23 UTC	348	IN	Data Raw: 3a 22 6e 65 76 65 72 22 2c 22 6e 77 65 22 3a 22 6e 65 77 22 2c 22 6e 77 6f 22 3a 22 6e 6f 77 22 2c 22 6f 62 65 64 69 61 6e 74 22 3a 22 6f 62 65 64 69 65 6e 74 22 2c 22 6f 63 61 73 69 6f 6e 22 3a 22 6f 63 63 61 73 69 6f 6e 22 2c 22 6f 63 63 61 73 73 69 6f 6e 22 3a 22 6f 63 63 61 73 69 6f 6e 22 2c 22 6f 63 63 75 72 65 64 22 3a 22 6f 63 63 75 72 72 65 64 22 2c 22 6f 63 63 75 72 65 6e 63 65 22 3a 22 6f 63 63 75 72 72 65 6e 63 65 22 2c 22 6f 63 63 75 72 72 61 6e 63 65 22 3a 22 6f 63 63 75 72 72 65 6e 63 65 22 2c 22 6f 63 75 72 22 3a 22 6f 63 63 75 72 22 2c 22 6f 65 70 72 61 74 6f 72 22 3a 22 6f 70 65 72 61 74 6f 72 22 2c 22 6f 66 69 74 73 22 3a 22 6f 66 20 69 74 73 22 2c 22 6f 66 74 20 68 65 22 3a 22 6f 66 20 74 68 65 22 2c 22 6f 66 74 68 65 22 3a 22 6f 66 20 Data Ascii: :"never","nwe":"new","nwo":"now","obediant":"obedient","ocasion":"occasion","occassion":"occasion","occured":"occurred","occurence":"occurrence","occurrance":"occurrence","ocur":"occur","oeprator":"operator","ofits":"of its","oft he":"of the","ofthe":"of
2022-04-19 19:03:23 UTC	352	IN	Data Raw: 66 69 63 69 65 6e 74 22 2c 22 73 75 70 6f 73 65 64 22 3a 22 73 75 70 70 6f 73 65 64 22 2c 22 73 75 70 70 6f 73 73 65 64 22 3a 22 73 75 70 70 6f 73 65 64 22 2c 22 73 75 70 72 69 73 65 22 3a 22 73 75 72 70 72 69 73 65 22 2c 22 73 75 70 72 69 73 65 64 22 3a 22 73 75 72 70 72 69 73 65 64 22 2c 22 73 77 69 6d 69 6e 67 22 3a 22 73 77 69 6d 6d 69 6e 67 22 2c 22 74 61 68 6e 22 3a 22 74 68 61 6e 22 2c 22 74 61 68 74 22 3a 22 74 68 61 74 22 2c 22 74 61 6c 65 6b 64 22 3a 22 74 61 6c 6b 65 64 22 2c 22 74 61 6c 6b 69 67 6e 22 3a 22 74 61 6c 6b 69 6e 67 22 2c 22 74 61 74 68 22 3a 22 74 68 61 74 22 2c 22 74 65 63 6e 69 63 61 6c 22 3a 22 74 65 63 68 6e 69 63 61 6c 22 2c 22 74 65 68 22 3a 22 74 68 65 22 2c 22 74 65 68 79 22 3a 22 74 68 65 79 22 2c 22 74 65 6c 6c 74 20 68 Data Ascii: ficient","suposed":"supposed","suppossed":"supposed","suprise":"surprise","suprised":"surprised","swiming":"swimming","tahn":"than","taht":"that","talekd":"talked","talkign":"talking","tath":"that","tecnical":"technical","teh":"the","tehy":"they","tellt h

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:06 UTC	5	OUT	GET /o/s!BDUkX1Fbp6_igwpBxnZTcbnBB5zq?e=90f04oI-vEKlpr0bwyVv1w&at=9 HTTP/1.1 Host: 1drv.ms Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-04-19 19:03:06 UTC	5	IN	HTTP/1.1 301 Moved Permanently Content-Length: 0 Location: https://onedrive.live.com/redir?resid=E2AFA75B515F2435!394&authkey=!AkHGdlNxucEHnOo&ithint=onenote&e=90f04oI-vEKlpr0bwyVv1w&at=9 X-MSNSERVER: DM5SCH102222803 Strict-Transport-Security: max-age=31536000; includeSubDomains MS-CV: NAphclYttUGu7BDVlu72Ug.0 X-AsmVersion: UNKNOWN; 19.891.405.2005 Date: Tue, 19 Apr 2022 19:03:06 GMT Connection: close

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:24 UTC	356	OUT	POST /o/RemoteTelemetry.ashx HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 2551 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: / Origin: https://onenote.officeapps.live.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: OneNotePenInkColorAndThickness=%7B%22color%22%3A%224210752%22%2C%22Tyd%22%3A%223%22%7D; xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-04-19 19:03:24 UTC	357	OUT	Data Raw: 7b 22 64 22 3a 7b 22 61 22 3a 22 4f 6e 65 4e 6f 74 65 22 2c 22 62 22 3a 22 65 6e 2d 55 53 22 2c 22 63 22 3a 22 56 69 65 77 22 2c 22 64 22 3a 22 56 49 45 57 22 2c 22 65 22 3a 22 31 36 2e 30 2e 31 35 31 32 38 2e 34 31 30 32 32 22 2c 22 66 22 3a 22 43 68 72 6f 6d 65 22 2c 22 67 22 3a 22 65 6e 2d 55 53 22 2c 22 68 22 3a 22 38 35 22 2c 22 69 22 3a 22 38 35 2e 30 2e 34 31 38 33 22 2c 22 6a 22 3a 22 31 36 2e 30 2e 31 35 31 32 38 2e 34 31 30 32 32 22 2c 22 6b 22 3a 22 50 4e 4c 31 22 2c 22 6c 22 3a 22 65 6e 2d 55 53 22 2c 22 6d 22 3a 22 5c 22 57 4c 38 53 46 65 44 66 47 75 30 6e 37 64 70 54 30 59 6a 6b 46 59 38 5a 48 55 50 62 6d 76 77 62 45 77 6d 32 44 6c 45 39 30 4b 59 3d 5c 22 22 2c 22 6e 22 3a 22 4f 6e 65 44 72 69 76 65 57 4f 50 49 22 2c 22 6f 22 3a 74 72 75 65 Data Ascii: {"d":{"a":"OneNote","b":"en-US","c":"View","d":"VIEW","e":"16.0.15128.41022","f":"Chrome","g":"en-US","h":"85","i":"85.0.4183","j":"16.0.15128.41022","k":"PNL1","l":"en-US","m":"\"WL8SFeDfGu0n7dpT0YjkFY8ZHUPbmvwbEwm2DlE90KY=\"","n":"OneDriveWOPI","o":true
2022-04-19 19:03:24 UTC	360	IN	HTTP/1.1 200 OK Cache-Control: private P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 28081568-d65f-4e20-8507-4417a1fe0f94 X-UserSessionId: 28081568-d65f-4e20-8507-4417a1fe0f94 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006960 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onenote.officeapps.live.com X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF00006960 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wordcapacity_2_control,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: F8DE0EE1D3F44B7FBBD680B8233C9D9C Ref B: AMS04EDGE2006 Ref C: 2022-04-19T19:03:24Z Date: Tue, 19 Apr 2022 19:03:24 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:26 UTC	361	OUT	POST /o/RemoteUls.ashx?build=16.0.15128.41022&waccluster=PNL1 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive Content-Length: 19100 X-WacFrontEnd: AM4PEPF00006B54 X-OfficeVersion: 16.0.15128.41022 X-Key: vXhHJxtHQGT6RxXdWMOps17SbTSxQp1/phscllTMC40=,637859917928282131 X-WacUserAgent: MSWACONSync X-bULS-SuppressionETag: 6C1139DD5A0A78408103B6543CCEBA76871E3829 X-AccessTokenTtl: 1652209391149 X-Requested-With: XMLHttpRequest X-xhr: 1 haep: 1 X-AccessToken: 4wGPVnpMVT07tsQgwPpSKKj7fS83GhpdGdrnabEdo9bNwZQLIv44DGEMRcO_uFyUe-jX-DmDILzQh9FOyJvqq6KSrZpMPPItz77iijKDoSsI0IT5vyVG94eRfaOVZLhKnkm0xHpQkFzBZaBJr1TEfe3WDUGAWv4Jkn5u-zJ9W5eMw X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-UserType: WOPI X-IsCoauthSession: true X-WacCluster: PNL1 Accept: / Origin: https://onenote.officeapps.live.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: OneNotePenInkColorAndThickness=%7B%22color%22%3A%224210752%22%2C%22Tyd%22%3A%223%22%7D; xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000; ShCLSessionID=1650427404723_0.6187468110137586; BP=l=SDX.Skydrive&FR=&ST=
2022-04-19 19:03:26 UTC	363	OUT	Data Raw: 7b 22 54 22 3a 31 36 35 30 34 32 37 34 30 31 33 38 32 2c 22 4c 22 3a 5b 7b 22 47 22 3a 35 31 34 30 31 38 30 32 2c 22 54 22 3a 33 2c 22 4d 22 3a 22 52 65 73 70 6f 6e 73 65 20 72 65 61 64 79 20 66 6f 72 20 68 74 74 70 73 3a 2f 2f 6f 66 66 69 63 65 63 6c 69 65 6e 74 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 63 6f 6e 66 69 67 31 36 3f 66 6c 69 67 68 74 73 3d 43 6c 69 65 6e 74 2e 52 65 73 6f 75 72 63 65 53 65 72 76 69 63 65 34 48 69 64 64 65 6e 26 73 65 72 76 69 63 65 73 3d 52 65 73 6f 75 72 63 65 53 65 72 76 69 63 65 45 6e 64 70 6f 69 6e 74 32 22 2c 22 43 22 3a 33 32 34 2c 22 44 22 3a 35 30 7d 2c 7b 22 47 22 3a 34 32 35 37 30 32 38 2c 22 54 22 3a 34 2c 22 4d 22 3a 22 53 74 6f 70 77 61 74 63 68 20 73 74 6f 70 70 65 64 3a 20 7b 5c 22 4f 70 65 72 61 74 69 6f Data Ascii: {"T":1650427401382,"L":[{"G":51401802,"T":3,"M":"Response ready for https://officeclient.microsoft.com/config16?flights=Client.ResourceService4Hidden&services=ResourceServiceEndpoint2","C":324,"D":50},{"G":4257028,"T":4,"M":"Stopwatch stopped: {\"Operatio
2022-04-19 19:03:26 UTC	379	OUT	Data Raw: 30 30 30 30 30 30 30 30 30 33 2c 5c 22 65 6e 64 54 69 6d 65 5c 22 3a 31 33 34 36 37 2e 31 32 30 30 30 30 30 30 30 30 30 38 2c 5c 22 64 75 72 61 74 69 6f 6e 4d 73 5c 22 3a 31 39 31 36 7d 22 2c 22 43 22 3a 33 34 30 2c 22 44 22 3a 35 30 7d 2c 7b 22 47 22 3a 35 39 35 36 38 32 32 34 37 2c 22 54 22 3a 34 32 39 39 2c 22 4d 22 3a 22 52 65 61 63 74 48 65 61 64 65 72 20 44 6f 63 75 6d 65 6e 74 20 54 69 74 6c 65 20 66 69 72 73 74 20 72 65 6e 64 65 72 20 74 69 6d 65 3a 20 31 39 31 36 20 6d 73 22 2c 22 43 22 3a 33 34 30 2c 22 44 22 3a 35 30 7d 2c 7b 22 47 22 3a 32 30 30 32 35 36 37 39 2c 22 54 22 3a 34 32 39 39 2c 22 4d 22 3a 22 53 65 74 41 70 70 49 6e 69 74 69 61 6c 69 7a 61 74 69 6f 6e 53 74 61 74 75 73 3a 20 64 6f 63 75 6d 65 6e 74 54 69 74 6c 65 52 65 6e 64 65 72 Data Ascii: 0000000003,\"endTime\":13467.120000000008,\"durationMs\":1916}","C":340,"D":50},{"G":595682247,"T":4299,"M":"ReactHeader Document Title first render time: 1916 ms","C":340,"D":50},{"G":20025679,"T":4299,"M":"SetAppInitializationStatus: documentTitleRender
2022-04-19 19:03:26 UTC	381	IN	HTTP/1.1 200 OK Cache-Control: private Content-Type: text/plain P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 9a234d36-ad1b-4830-a2ed-19f4fabe39f0 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF0000695D X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 Access-Control-Allow-Origin: https://onenote.officeapps.live.com Access-Control-Expose-Headers: X-EndSession, X-CorrelationId, X-OfficeFE, X-NewKey, X-bULS-SuppressionETag, X-bULS-SuppressedTags Cross-Origin-Resource-Policy: cross-origin X-bULS-SuppressionETag: 6C1139DD5A0A78408103B6543CCEBA76871E3829 X-Content-Type-Options: nosniff X-Download-Options: noopen Content-Disposition: attachment X-OFFICEFD: AM4PEPF0000695D X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wordcapacity_2_control,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: 1513AB7F48EF438B92DBDE78C48993F4 Ref B: AM3EDGE0820 Ref C: 2022-04-19T19:03:26Z Date: Tue, 19 Apr 2022 19:03:25 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:26 UTC	383	OUT	GET /c.gif?DI=15347&wlxid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&reqid=002dade0b0e&csiperf=ANON%3D%26NL%3D0%26TP%3D0%26CL%3DRD00155D7C17F6%26MA%3Den-US%26B%3D0.0.0%26TR%3DNA%252ANA%252A%253ASDX.Skydrive%252AWac.view.F.U.%26PLT%3D16636%26IR%3D1%26EX%3D0%26L.h%3D2707%26L.bc%3D3233%26L.ac%3D3233%26L.f%3D3394%26L.sjs%3D16188%26L.ttg%3D9609%26C.st%3D1650427388334%26N.domIn%3D3394%26N.tcp%3D375%26N.req%3D2367%26N.resp%3D243%26N.navType%3D0%26N.redirectCount%3D0&r=0.7634972786336327&CtsSyncId=357C9A5742DF4828BD37A87F9351A7B6&RedC=c.live.com&MXFR=369389C43CCC6FBA1FF3984F38CC6BCE HTTP/1.1 Host: c.bing.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://onedrive.live.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-04-19 19:03:26 UTC	384	IN	HTTP/1.1 302 Redirect Cache-Control: private, no-cache, proxy-revalidate, no-store Pragma: no-cache Location: https://c.live.com/c.gif?DI=15347&wlxid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&reqid=002dade0b0e&csiperf=ANON%3D%26NL%3D0%26TP%3D0%26CL%3DRD00155D7C17F6%26MA%3Den-US%26B%3D0.0.0%26TR%3DNA%252ANA%252A%253ASDX.Skydrive%252AWac.view.F.U.%26PLT%3D16636%26IR%3D1%26EX%3D0%26L.h%3D2707%26L.bc%3D3233%26L.ac%3D3233%26L.f%3D3394%26L.sjs%3D16188%26L.ttg%3D9609%26C.st%3D1650427388334%26N.domIn%3D3394%26N.tcp%3D375%26N.req%3D2367%26N.resp%3D243%26N.navType%3D0%26N.redirectCount%3D0&r=0.7634972786336327&CtsSyncId=357C9A5742DF4828BD37A87F9351A7B6&MUID=369389C43CCC6FBA1FF3984F38CC6BCE P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: MUID=369389C43CCC6FBA1FF3984F38CC6BCE; domain=.bing.com; expires=Sun, 14-May-2023 19:03:26 GMT; path=/; SameSite=None; Secure; Priority=High; Set-Cookie: SRM_B=369389C43CCC6FBA1FF3984F38CC6BCE; domain=c.bing.com; expires=Sun, 14-May-2023 19:03:26 GMT; path=/; SameSite=None; Secure; Set-Cookie: SRM_L=369389C43CCC6FBA1FF3984F38CC6BCE; domain=c.bing.com; expires=Sun, 14-May-2023 19:03:26 GMT; path=/; SameSite=None; Secure; X-Powered-By: ASP.NET X-Cache: CONFIG_NOCACHE Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 0FCEBCD4ACE14EE59750EA772BC9D053 Ref B: FRA31EDGE0613 Ref C: 2022-04-19T19:03:26Z Date: Tue, 19 Apr 2022 19:03:25 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:26 UTC	385	OUT	GET /me?partner=OneNoteOnline&version=10.21153.1&market=EN-US&wrapperId=suiteshell HTTP/1.1 Host: amcdn.msftauth.net Connection: keep-alive Origin: https://onenote.officeapps.live.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Referer: https://onenote.officeapps.live.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-04-19 19:03:27 UTC	386	IN	HTTP/1.1 200 OK Cache-Control: public, no-transform, max-age=43200 Content-Length: 28119 Content-Type: application/javascript Expires: Wed, 20 Apr 2022 07:03:26 GMT X-Cache: TCP_MISS X-Content-Type-Options: nosniff Access-Control-Allow-Origin: * X-UA-Compatible: IE=edge Strict-Transport-Security: max-age=31536000; includeSubDomains X-Azure-Ref-OriginShield: 0fgdfYgAAAADoZlCFssZzS6P4BDvaIyABQU1TMDRFREdFMTgwOABlYWM1ZjQ5Zi1lMDJkLTRmNDEtYjBhNi0yZDUwZjlmY2Y4NGE= X-Azure-Ref: 0fgdfYgAAAADmFuWGB8wjQovdp/JKhlDJRlJBMzFFREdFMDkwOQA5ZmU2YzNmMS0xNzE4LTRhOTMtOTI1NS02M2NkM2Y4Y2E1YWI= X-Cache: CONFIG_NOCACHE Date: Tue, 19 Apr 2022 19:03:26 GMT Connection: close
2022-04-19 19:03:27 UTC	386	IN	Data Raw: 77 69 6e 64 6f 77 2e 4d 53 41 3d 77 69 6e 64 6f 77 2e 4d 53 41 7c 7c 7b 7d 3b 77 69 6e 64 6f 77 2e 4d 53 41 2e 4d 65 43 6f 6e 74 72 6f 6c 3d 77 69 6e 64 6f 77 2e 4d 53 41 2e 4d 65 43 6f 6e 74 72 6f 6c 7c 7c 7b 7d 3b 77 69 6e 64 6f 77 2e 4d 53 41 2e 4d 65 43 6f 6e 74 72 6f 6c 2e 43 6f 6e 66 69 67 3d 7b 22 76 65 72 22 3a 22 31 30 2e 32 32 30 35 39 2e 35 22 2c 22 6d 6b 74 22 3a 22 65 6e 2d 55 53 22 2c 22 70 74 6e 22 3a 22 6f 6e 65 6e 6f 74 65 6f 6e 6c 69 6e 65 22 2c 22 67 66 78 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 65 6d 2e 67 66 78 2e 6d 73 22 2c 22 64 62 67 22 3a 66 61 6c 73 65 2c 22 61 61 64 22 3a 74 72 75 65 2c 22 69 6e 74 22 3a 66 61 6c 73 65 2c 22 70 78 79 22 3a 74 72 75 65 2c 22 6d 73 54 78 74 22 3a 66 61 6c 73 65 2c 22 72 77 64 22 3a 74 72 75 65 2c 22 Data Ascii: window.MSA=window.MSA\|\|{};window.MSA.MeControl=window.MSA.MeControl\|\|{};window.MSA.MeControl.Config={"ver":"10.22059.5","mkt":"en-US","ptn":"onenoteonline","gfx":"https://mem.gfx.ms","dbg":false,"aad":true,"int":false,"pxy":true,"msTxt":false,"rwd":true,"
2022-04-19 19:03:27 UTC	390	IN	Data Raw: 6e 28 77 29 3b 72 65 74 75 72 6e 20 62 2e 74 65 73 74 28 74 29 7c 7c 28 74 3d 43 2b 77 2b 74 29 2c 74 7d 76 61 72 20 45 3d 22 4d 65 43 6f 6e 74 72 6f 6c 45 72 72 6f 72 3a 3a 22 3b 66 75 6e 63 74 69 6f 6e 20 53 28 65 2c 6e 29 7b 76 6f 69 64 20 30 3d 3d 3d 6e 26 26 28 6e 3d 21 31 29 3b 76 61 72 20 74 3d 6e 65 77 20 45 72 72 6f 72 28 22 22 2b 45 2b 65 29 3b 72 65 74 75 72 6e 20 74 2e 6d 63 49 73 54 69 6d 65 6f 75 74 3d 6e 2c 74 7d 76 61 72 20 54 3d 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 4e 2e 70 72 6f 74 6f 74 79 70 65 2c 22 64 65 66 61 75 6c 74 50 72 65 76 65 6e 74 65 64 22 2c 7b 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 5f 64 65 66 61 75 6c 74 50 72 65 76 65 6e 74 65 64 7d 2c 65 6e 75 6d Data Ascii: n(w);return b.test(t)\|\|(t=C+w+t),t}var E="MeControlError::";function S(e,n){void 0===n&&(n=!1);var t=new Error(""+E+e);return t.mcIsTimeout=n,t}var T=(Object.defineProperty(N.prototype,"defaultPrevented",{get:function(){return this._defaultPrevented},enum
2022-04-19 19:03:27 UTC	398	IN	Data Raw: 2c 6b 65 28 6e 29 7d 63 61 74 63 68 28 65 29 7b 4c 65 28 6e 2c 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 4c 65 28 65 2c 6e 29 7b 65 2e 5f 73 74 61 74 65 3d 32 2c 65 2e 5f 76 61 6c 75 65 3d 6e 2c 6b 65 28 65 29 7d 66 75 6e 63 74 69 6f 6e 20 6b 65 28 65 29 7b 32 3d 3d 3d 65 2e 5f 73 74 61 74 65 26 26 30 3d 3d 3d 65 2e 5f 64 65 66 65 72 72 65 64 73 2e 6c 65 6e 67 74 68 26 26 78 65 2e 5f 69 6d 6d 65 64 69 61 74 65 46 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 65 2e 5f 68 61 6e 64 6c 65 64 7c 7c 78 65 2e 5f 75 6e 68 61 6e 64 6c 65 64 52 65 6a 65 63 74 69 6f 6e 46 6e 28 65 2e 5f 76 61 6c 75 65 29 7d 29 3b 66 6f 72 28 76 61 72 20 6e 3d 30 2c 74 3d 65 2e 5f 64 65 66 65 72 72 65 64 73 2e 6c 65 6e 67 74 68 3b 6e 3c 74 3b 6e 2b 2b 29 44 65 28 65 2c 65 2e 5f 64 65 66 65 72 Data Ascii: ,ke(n)}catch(e){Le(n,e)}}function Le(e,n){e._state=2,e._value=n,ke(e)}function ke(e){2===e._state&&0===e._deferreds.length&&xe._immediateFn(function(){e._handled\|\|xe._unhandledRejectionFn(e._value)});for(var n=0,t=e._deferreds.length;n<t;n++)De(e,e._defer
2022-04-19 19:03:27 UTC	402	IN	Data Raw: 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 56 65 2e 70 6f 70 28 29 3b 69 66 28 6e 29 7b 76 61 72 20 74 3d 7b 7d 2c 65 3d 78 65 2e 61 6c 6c 28 6e 2e 64 65 70 73 2e 6d 61 70 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 22 65 78 70 6f 72 74 73 22 3d 3d 3d 65 3f 74 3a 48 65 28 65 29 7d 29 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 6e 2e 66 61 63 74 6f 72 79 2e 61 70 70 6c 79 28 6e 2c 65 29 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 7d 29 2c 72 3d 4a 65 28 6e 2e 69 64 29 3b 72 3f 72 2e 65 78 70 6f 72 74 73 3d 65 3a 71 65 28 6e 2e 69 64 2c 65 2c 65 29 7d 7d 3b 56 65 2e 6c 65 6e 67 74 68 3b 29 65 28 29 7d 66 75 6e 63 74 69 6f 6e 20 7a 65 28 65 2c 6e 2c 74 2c 72 2c 6f 29 7b 4e Data Ascii: ar e=function(){var n=Ve.pop();if(n){var t={},e=xe.all(n.deps.map(function(e){return"exports"===e?t:He(e)})).then(function(e){n.factory.apply(n,e)}).then(function(){return t}),r=Je(n.id);r?r.exports=e:qe(n.id,e,e)}};Ve.length;)e()}function ze(e,n,t,r,o){N
2022-04-19 19:03:27 UTC	410	IN	Data Raw: 65 3a 65 2e 72 6f 6c 65 4e 61 6d 65 2c 73 65 73 73 69 6f 6e 49 64 3a 65 2e 73 65 73 73 69 6f 6e 49 64 2c 63 69 64 3a 65 2e 63 69 64 2c 70 72 6f 66 69 6c 65 3a 68 6e 28 65 29 7d 7d 28 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 67 6e 28 65 29 7b 73 77 69 74 63 68 28 65 2e 74 6f 53 74 72 69 6e 67 28 29 29 7b 63 61 73 65 22 33 22 3a 72 65 74 75 72 6e 22 6e 6f 74 53 69 67 6e 65 64 49 6e 22 3b 63 61 73 65 22 31 22 3a 72 65 74 75 72 6e 22 73 69 67 6e 65 64 49 6e 22 3b 63 61 73 65 22 32 22 3a 72 65 74 75 72 6e 22 73 69 67 6e 65 64 49 6e 49 44 50 4f 6e 6c 79 22 3b 64 65 66 61 75 6c 74 3a 72 65 74 75 72 6e 22 6e 6f 74 53 69 67 6e 65 64 49 6e 22 7d 7d 66 75 6e 63 74 69 6f 6e 20 68 6e 28 65 29 7b 72 65 74 75 72 6e 20 65 2e 6e 69 63 6b 4e 61 6d 65 26 26 22 22 21 3d 3d 65 Data Ascii: e:e.roleName,sessionId:e.sessionId,cid:e.cid,profile:hn(e)}}(e)}}function gn(e){switch(e.toString()){case"3":return"notSignedIn";case"1":return"signedIn";case"2":return"signedInIDPOnly";default:return"notSignedIn"}}function hn(e){return e.nickName&&""!==e

Timestamp	kBytes transferred	Direction	Data
2022-04-19 19:03:27 UTC	414	OUT	GET /o/AddinServiceHandler.ashx?action=laststoreupdate&app=4&lc=EN-US&WOPIsrc=https%3A%2F%2Fwopi%2Eonedrive%2Ecom%2Fwopi%2Ffolders%2FE2AFA75B515F2435%21394&access_token=4wGPVnpMVT07tsQgwPpSKKj7fS83GhpdGdrnabEdo9bNwZQLIv44DGEMRcO%5FuFyUe%2DjX%2DDmDILzQh9FOyJvqq6KSrZpMPPItz77iijKDoSsI0IT5vyVG94eRfaOVZLhKnkm0xHpQkFzBZaBJr1TEfe3WDUGAWv4Jkn5u%2DzJ9W5eMw&access_token_ttl=1652209391149 HTTP/1.1 Host: onenote.officeapps.live.com Connection: keep-alive haep: 1 X-WacFrontEnd: AM4PEPF00006B54 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 X-OfficeVersion: 16.0.15128.41022 X-Key: vXhHJxtHQGT6RxXdWMOps17SbTSxQp1/phscllTMC40=,637859917928282131 X-WacUserAgent: MSWACONSync User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 X-Requested-With: XMLHttpRequest X-UserType: WOPI X-xhr: 1 X-IsCoauthSession: true X-WacCluster: PNL1 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://onenote.officeapps.live.com/o/onenoteframe.aspx?edit=0&ui=en-US&rs=en-US&hid=Joy1tBJnHUGuK2qcvhlKFw.0&wopisrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffolders%2FE2AFA75B515F2435!394&wdo=2&sc=host%3D%26qt%3DDefault&wdp=3&uih=OneDrive&wdorigin=Unknown&wdhostclicktime=1650427388334&jsapi=1&jsapiver=v1&newsession=1&corrid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&usid=c19f13eb-be4c-441a-9f7a-6c44d2574fa8&sftc=1&readonly=1&wdredirectionreason=Force_SingleStepBoot Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: OneNotePenInkColorAndThickness=%7B%22color%22%3A%224210752%22%2C%22Tyd%22%3A%223%22%7D; xid=347342b3-11d3-45d5-b2cb-ecdd3543ba52&&RD00155D7453B5&147; wla42=; mkt=en-US; xidseq=3; E=P:lMj4Pzci2og=:h0Y+yBeDD8MAeiLRDbOCiqko3yzPyfHHk8q+LZyj9qg=:F; DcLcid=ui=1033&data=1033; BIGipCookie=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000; ShCLSessionID=1650427404723_0.6187468110137586; BP=l=SDX.Skydrive&FR=&ST=; MUID=369389C43CCC6FBA1FF3984F38CC6BCE
2022-04-19 19:03:27 UTC	416	IN	HTTP/1.1 403 Forbidden Cache-Control: private Content-Length: 1233 Content-Type: text/html P3P: CP="CAO DSP COR ADMa DEV CONi TELi CUR PSA PSD TAI IVDi OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR" Set-Cookie: X-CorrelationId: 30cb340b-4eae-4e31-8f9e-600655ea9a95 X-UserSessionId: c19f13eb-be4c-441a-9f7a-6c44d2574fa8 Strict-Transport-Security: max-age=31536000 Timing-Allow-Origin: * X-OfficeFE: AM4PEPF00006957 X-OfficeVersion: 16.0.15128.41022 X-OfficeCluster: PNL1 X-OFFICEFD: AM4PEPF00006957 X-Cache: CONFIG_NOCACHE X-MSEdge-Flight: 2i49=afd_wacinfra4,2i4a=afd_wacinfra5 X-MSEdge-Features: typeheadertest,afd_waccluster,afd_wacinfra4,afd_wacinfra5 X-MSEdge-Ref: Ref A: A230FF1131364E3595C4985CF6A8F8C8 Ref B: AMS04EDGE2205 Ref C: 2022-04-19T19:03:27Z Date: Tue, 19 Apr 2022 19:03:26 GMT Connection: close
2022-04-19 19:03:27 UTC	417	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 2d 20 46 6f 72 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>403 - For
2022-04-19 19:03:27 UTC	417	IN	Data Raw: 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 Data Ascii: size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000