
Analysis

  • max time kernel
    194s
  • max time network
    226s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2023, 22:43 UTC

General

  • Target

    http://outlook.office.com

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://outlook.office.com
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 4016)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4016 CREDAT:17410 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1548

Network

  • [US] DNS PTR 14.110.152.52.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 198.187.3.20.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 183.59.114.20.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 2.36.159.162.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 183.59.114.20.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 26.165.165.52.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 240.221.184.93.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS A outlook.office.com from IEXPLORE.EXE via 8.8.8.8:53
    outlook.office.com CNAME substrate.office.com
    substrate.office.com CNAME outlook.office365.com
    outlook.office365.com CNAME outlook.ha.office365.com
    outlook.ha.office365.com CNAME outlook.ms-acdc.office.com
    outlook.ms-acdc.office.com CNAME AMS-efz.ms-acdc.office.com
    AMS-efz.ms-acdc.office.com A 40.101.83.194, 52.97.200.178, 52.97.250.210, 40.101.18.242
  • [US] DNS A outlook.office.com from IEXPLORE.EXE via 8.8.8.8:53
    outlook.office.com CNAME substrate.office.com
    substrate.office.com CNAME outlook.office365.com
    outlook.office365.com CNAME outlook.ha.office365.com
    outlook.ha.office365.com CNAME outlook.ms-acdc.office.com
    outlook.ms-acdc.office.com CNAME AMS-efz.ms-acdc.office.com
    AMS-efz.ms-acdc.office.com A 40.99.204.210, 40.101.12.130, 40.101.12.82, 40.99.204.146
  • [US] DNS PTR 15.164.165.52.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 103.169.127.40.in-addr.arpa via 8.8.8.8:53; response empty
  • [NL] GET http://outlook.office.com/ from IEXPLORE.EXE, remote address 40.101.12.130:80
    Request
    GET / HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: outlook.office.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Cache-Control: no-cache
    Pragma: no-cache
    Location: https://outlook.office.com/
    Server: Microsoft-IIS/10.0
    request-id: 081427e8-b8b3-7f0c-34fa-75e3c3c27bcc
    X-FEServer: AM3PR07CA0128
    X-RequestId: 6861e2b2-3ead-4791-845f-87f721d33595
    X-FEProxyInfo: AM3PR07CA0128.EURPRD07.PROD.OUTLOOK.COM
    X-FEEFZInfo: AMS
    MS-CV: 6CcUCLO4DH80+nXjw8J7zA.0
    X-Powered-By: ASP.NET
    X-FEServer: AM3PR07CA0128
    Date: Tue, 09 May 2023 22:54:29 GMT
    Connection: close
    Content-Length: 0
  • [US] DNS PTR 130.12.101.40.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 200.232.18.117.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 146.204.99.40.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS PTR 76.38.195.152.in-addr.arpa via 8.8.8.8:53; response empty
  • [NL] GET https://outlook.office.com/ from IEXPLORE.EXE, remote address 40.99.204.146:443
    Request
    GET / HTTP/2.0
    host: outlook.office.com
    accept: text/html, application/xhtml+xml, image/jxr, */*
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 302
    cache-control: no-cache
    pragma: no-cache
    location: https://outlook.office.com/owa/
    server: Microsoft-IIS/10.0
    request-id: d046907f-039d-85d2-b82c-1afa41580d9c
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-feserver: AS4P191CA0019
    x-requestid: 5d037bf6-0392-4b3c-b3b7-0953ebde38e2
    x-feproxyinfo: AS4P191CA0019.EURP191.PROD.OUTLOOK.COM
    x-feefzinfo: AMS
    ms-cv: f5BG0J0D0oW4LBr6QVgNnA.0
    x-powered-by: ASP.NET
    x-feserver: AS4P191CA0019
    date: Tue, 09 May 2023 22:55:06 GMT
    content-length: 0
  • [NL] GET https://outlook.office.com/owa/ from IEXPLORE.EXE, remote address 40.99.204.146:443
    Request
    GET /owa/ HTTP/2.0
    host: outlook.office.com
    accept: text/html, application/xhtml+xml, image/jxr, */*
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 302
    content-length: 783
    content-type: text/html; charset=utf-8
    location: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=66784a05-f965-86d6-f4fb-9c9787e08a6a&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02&state=Dcs5FoAgDABR0OdxIiFIluOwtpZe3xR_uokhhNMdLqInCBfNRmyCzFSUS70Rn7HUKvQ2DZ5FGUw2g-5Rp5FgR4r-Xun9WvoB
    server: Microsoft-IIS/10.0
    request-id: 66784a05-f965-86d6-f4fb-9c9787e08a6a
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    alt-svc: h3=":443",h3-29=":443"
    x-calculatedfetarget: VI1PR07CU008.internal.outlook.com
    x-backendhttpstatus: 302
    p3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
    set-cookie: ClientId=67F3BDAFC6B14BC39F8A4BA3C71412FA; expires=Thu, 09-May-2024 22:55:06 GMT; path=/;SameSite=None; secure
    set-cookie: ClientId=67F3BDAFC6B14BC39F8A4BA3C71412FA; expires=Thu, 09-May-2024 22:55:06 GMT; path=/;SameSite=None; secure
    set-cookie: OIDC=1; expires=Thu, 09-Nov-2023 22:55:06 GMT; path=/;SameSite=None; secure; HttpOnly
    set-cookie: RoutingKeyCookie=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.token.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.token.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.id_token.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.code.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_nonce.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_correlation_id=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.tokenPostPath=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.id_token.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.code.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_nonce.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_correlation_id=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.tokenPostPath=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.nonce.v3.ofLw1aLVO78I9SSLXhEePfiha7WWij6anJO4cFYwe1I=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02; expires=Tue, 09-May-2023 23:55:06 GMT; path=/;SameSite=None; secure; HttpOnly
    set-cookie: HostSwitchPrg=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OptInPrg=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: SuiteServiceProxyKey=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: ClientId=67F3BDAFC6B14BC39F8A4BA3C71412FA; expires=Thu, 09-May-2024 22:55:06 GMT; path=/;SameSite=None; secure
    set-cookie: OIDC=1; expires=Thu, 09-Nov-2023 22:55:06 GMT; path=/;SameSite=None; secure; HttpOnly
    set-cookie: RoutingKeyCookie=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.token.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.token.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.id_token.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.code.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_nonce.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_correlation_id=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.tokenPostPath=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.id_token.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.code.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_nonce.v1=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.idp_correlation_id=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.tokenPostPath=; domain=outlook.office.com; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OpenIdConnect.nonce.v3.ofLw1aLVO78I9SSLXhEePfiha7WWij6anJO4cFYwe1I=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02; expires=Tue, 09-May-2023 23:55:06 GMT; path=/;SameSite=None; secure; HttpOnly
    set-cookie: HostSwitchPrg=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: OptInPrg=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: SuiteServiceProxyKey=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure
    set-cookie: X-OWA-RedirectHistory=ArLym14Bq7LhbuBQ2wg; expires=Wed, 10-May-2023 04:57:06 GMT; path=/;SameSite=None; secure; HttpOnly
    x-calculatedbetarget: VI1P191MB0032.EURP191.PROD.OUTLOOK.COM
    x-backendhttpstatus: 302
    x-rum-validated: 1
    x-rum-notupdatequeriedpath: 1
    x-rum-notupdatequerieddbcopy: 1
    x-content-type-options: nosniff
    x-besku: Gen9
    x-owa-diagnosticsinfo: 1;0;0
    x-iids: 0
    x-backend-begin: 2023-05-09T22:55:06.623
    x-backend-end: 2023-05-09T22:55:06.623
    x-diaginfo: VI1P191MB0032
    x-beserver: VI1P191MB0032
    x-ua-compatible: IE=EmulateIE7
    x-proxy-routingcorrectness: 1
    x-proxy-backendserverstatus: 302
    x-feproxyinfo: AS4P191CA0019.EURP191.PROD.OUTLOOK.COM
    x-feefzinfo: AMS
    x-feserver: VI1PR07CA0249
    report-to: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=&FrontEnd=Cafe&DestinationEndpoint=AMS"}],"include_subdomains":true}
    nel: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
    x-firsthopcafeefz: AMS
    x-feserver: AS4P191CA0019
    date: Tue, 09 May 2023 22:55:06 GMT
  • [US] DNS A login.microsoftonline.com from IEXPLORE.EXE via 8.8.8.8:53
    login.microsoftonline.com CNAME login.mso.msidentity.com
    login.mso.msidentity.com CNAME ak.privatelink.msidentity.com
    ak.privatelink.msidentity.com CNAME www.tm.ak.prd.aadg.trafficmanager.net
    www.tm.ak.prd.aadg.trafficmanager.net A 20.190.160.20, 40.126.32.133, 40.126.32.138, 20.190.160.22, 40.126.32.68, 40.126.32.134, 20.190.160.17, 40.126.32.74
  • [NL] GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=66784a05-f965-86d6-f4fb-9c9787e08a6a&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02&state=Dcs5FoAgDABR0OdxIiFIluOwtpZe3xR_uokhhNMdLqInCBfNRmyCzFSUS70Rn7HUKvQ2DZ5FGUw2g-5Rp5FgR4r-Xun9WvoB from IEXPLORE.EXE, remote address 40.126.32.133:443
    Request
    GET /common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=66784a05-f965-86d6-f4fb-9c9787e08a6a&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02&state=Dcs5FoAgDABR0OdxIiFIluOwtpZe3xR_uokhhNMdLqInCBfNRmyCzFSUS70Rn7HUKvQ2DZ5FGUw2g-5Rp5FgR4r-Xun9WvoB HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: login.microsoftonline.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: no-store, no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Content-Encoding: gzip
    Expires: -1
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    Link: <https://aadcdn.msftauth.net>; rel=preconnect; crossorigin
    Link: <https://aadcdn.msftauth.net>; rel=dns-prefetch
    Link: <https://aadcdn.msauth.net>; rel=dns-prefetch
    X-DNS-Prefetch-Control: on
    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
    x-ms-request-id: 72c3929e-a559-45de-a649-361df06c6900
    x-ms-ests-server: 2.1.15319.9 - NEULR1 ProdSlices
    X-XSS-Protection: 0
    Set-Cookie: buid=0.AUcAMe_N-B6jSkuT5F9XHpElWgIAAAAAAPEPzgAAAAAAAAABAAA.AQABAAEAAAD--DLA3VO7QrddgJg7Wevrf94x604c9eVnyD8VFR5QtbiR9qsGSLoHTDUWV9wpjTA9IBwmSjm0RYVEljt2dP_RcWjipm17wOojU7QLeo8hn85borLFDx6kq9hS2EkOJHAgAA; expires=Thu, 08-Jun-2023 22:55:16 GMT; path=/; secure; HttpOnly; SameSite=None
    Set-Cookie: esctx=PAQABAAEAAAD--DLA3VO7QrddgJg7WevrW7CCNve69iMY7RCDliNXKnthRRBsJs73H4xcL9tmBn2rmKol0EjWGOBXkULCeYrzhaTcO_ii-2CixZsqWddGjPK6TKS4qY-KXLodHNaRlW2EUcCZU_bv32M_8cKy2gRUYfArPVkWrmhkztb4LTd4zEXdkVZanbcR43OlwpztwmGKMwbY6NzL79ZV8fwj7gOttkaCAMoT5B5ypKq4Rs7AKXe3T0-L2GZOCDpEWsBZ774gAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
    Set-Cookie: fpc=Ag5ZnhpKOO5IlzTFX-5bGVOerOTJAQAAAFPG7NsOAAAA; expires=Thu, 08-Jun-2023 22:55:16 GMT; path=/; secure; HttpOnly; SameSite=None
    Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
    Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
    Date: Tue, 09 May 2023 22:55:15 GMT
    Content-Length: 51133
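The three redirects above are what a benign Outlook Web App landing looks like: a 301 from plaintext to HTTPS, a 302 to /owa/, and a 302 into the Azure AD authorize endpoint in the OIDC hybrid flow (response_type=code id_token, response_mode=form_post, scope=openid). The /owa/ response also clears stale OpenIdConnect.* cookies (the 1993 expiries) and sets a fresh OpenIdConnect.nonce.v3.* cookie whose value equals the nonce parameter in the authorize URL; that is the binding the application later checks against the id_token it receives. The "suspicious" API-usage signatures on iexplore.exe are the generic heuristics that IE's frame/tab process split (the SCODEF/CREDAT child) trips on any page, which is consistent with the 1/10 score. The script below is an added example, not part of the tria.ge report, that replays the checks a triager would apply offline over a transcription of the capture: the redirect chain is contiguous, the first hop upgrades to HTTPS, every HTTPS response carries HSTS, the login host and the redirect_uri host are the expected ones, and the URL nonce is bound to a live HttpOnly cookie. The expected hosts passed to triage() are assumptions for this sample; a credential-harvesting proxy placed in front of the same login page would normally fail the host checks.

```python
"""Redirect-chain and OIDC authorize-request triage of a sandbox HTTP capture.
Added example, not part of the tria.ge report; CAPTURE is transcribed from the
exchanges above, trimmed to the headers the checks need."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlsplit

CAPTURE_TIME = datetime(2023, 5, 9, 22, 55, 6, tzinfo=timezone.utc)  # Date: of the /owa/ response
HSTS = "max-age=31536000; includeSubDomains; preload"

# Location of the /owa/ 302; claims, msafed, msaredir, protectedtoken and
# client-request-id are dropped from the query since they play no part in the checks.
AUTHORIZE = ("https://login.microsoftonline.com/common/oauth2/authorize"
             "?client_id=00000002-0000-0ff1-ce00-000000000000"
             "&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f"
             "&resource=00000002-0000-0ff1-ce00-000000000000"
             "&response_mode=form_post&response_type=code+id_token&scope=openid"
             "&nonce=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02"
             "&state=Dcs5FoAgDABR0OdxIiFIluOwtpZe3xR_uokhhNMdLqInCBfNRmyCzFSUS70Rn7HUKvQ2DZ5FGUw2g-5Rp5FgR4r-Xun9WvoB")

# (request URL, status, response headers); multi-valued headers are lists.
# Three representative Set-Cookie values out of the 40 in the /owa/ response.
CAPTURE = [
    ("http://outlook.office.com/", 301, {"location": "https://outlook.office.com/"}),
    ("https://outlook.office.com/", 302,
     {"location": "https://outlook.office.com/owa/", "strict-transport-security": HSTS}),
    ("https://outlook.office.com/owa/", 302,
     {"location": AUTHORIZE, "strict-transport-security": HSTS, "set-cookie": [
         "ClientId=67F3BDAFC6B14BC39F8A4BA3C71412FA; expires=Thu, 09-May-2024 22:55:06 GMT; path=/;SameSite=None; secure",
         "OpenIdConnect.idp_nonce.v1=; expires=Sun, 09-May-1993 22:55:06 GMT; path=/; secure",
         "OpenIdConnect.nonce.v3.ofLw1aLVO78I9SSLXhEePfiha7WWij6anJO4cFYwe1I="
         "638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02; "
         "expires=Tue, 09-May-2023 23:55:06 GMT; path=/;SameSite=None; secure; HttpOnly"]}),
    (AUTHORIZE, 200, {"strict-transport-security": "max-age=31536000; includeSubDomains",
                      "x-frame-options": "DENY", "x-content-type-options": "nosniff"}),
]

def follow_chain(capture):
    """Return [(url, status, location)]; raise if a Location is not the URL
    actually requested next, which means the capture has a gap."""
    hops = []
    for i, (url, status, hdrs) in enumerate(capture):
        loc = hdrs.get("location")
        if loc is not None:
            nxt = capture[i + 1][0] if i + 1 < len(capture) else None
            if nxt != loc:
                raise ValueError(f"gap after {url}: Location {loc!r}, next request {nxt!r}")
        hops.append((url, status, loc))
    return hops

def parse_authorize(url):
    """Decode the authorize query. parse_qs turns 'code+id_token' into
    'code id_token' (form encoding), so response_type becomes a set."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    q["_host"] = parts.hostname
    q["_redirect_host"] = urlsplit(q.get("redirect_uri", "")).hostname
    q["response_type"] = set(q.get("response_type", "").split())
    return q

def live_cookies(set_cookie_values):
    """Cookies a response really sets: skip empty values and past expiries
    (the 1993 expiries above are the server clearing stale OIDC state)."""
    live = {}
    for sc in set_cookie_values:
        name_value, *attrs = [p.strip() for p in sc.split(";")]
        name, _, value = name_value.partition("=")
        exp = next((a[8:] for a in attrs if a.lower().startswith("expires=")), None)
        if exp:
            exp = parsedate_to_datetime(exp)
            exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
        if value == "" or (exp and exp < CAPTURE_TIME):
            continue
        live[name] = {"value": value, "flags": {a.lower() for a in attrs if "=" not in a}}
    return live

def triage(capture, app_host, login_hosts):
    """The checks to apply to a URL sample that lands on a login page."""
    hops = follow_chain(capture)
    last = max(i for i, h in enumerate(hops) if h[2] is not None)
    auth = parse_authorize(hops[last][2])
    cookies = live_cookies(capture[last][2].get("set-cookie", []))
    nonce = next((c for n, c in cookies.items() if n.startswith("OpenIdConnect.nonce.")), None)
    return {
        "hosts": [urlsplit(u).hostname for u, _, _ in hops],
        "plaintext_first_hop_upgraded": hops[0][0].startswith("http://")
        and (hops[0][2] or "").startswith("https://"),
        "hsts_on_every_https_response": all("strict-transport-security" in h
                                            for u, _, h in capture if u.startswith("https://")),
        "login_host_expected": auth["_host"] in login_hosts,
        "redirect_uri_host_expected": auth["_redirect_host"] == app_host,
        "response_mode": auth.get("response_mode"),
        "hybrid_flow": auth["response_type"] == {"code", "id_token"},
        "nonce_bound_to_cookie": nonce is not None and nonce["value"] == auth.get("nonce"),
        "nonce_cookie_httponly": nonce is not None and "httponly" in nonce["flags"],
    }

if __name__ == "__main__":
    for k, v in triage(CAPTURE, "outlook.office.com", {"login.microsoftonline.com"}).items():
        print(f"{k:30} {v}")
```

follow_chain() deliberately fails closed on a gap rather than guessing, because a missing hop is exactly where a proxy or an intermediate lure page would hide; live_cookies() ignores the clearing Set-Cookie lines so that a stale nonce cookie cannot be mistaken for the one that binds the request.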
  • [US] DNS PTR 133.32.126.40.in-addr.arpa via 8.8.8.8:53; response empty
  • [US] DNS A aadcdn.msftauth.net from IEXPLORE.EXE via 8.8.8.8:53
    aadcdn.msftauth.net CNAME cs1100.wpc.omegacdn.net
    cs1100.wpc.omegacdn.net A 152.199.39.242
  • [US] DNS A aadcdn.msauth.net from iexplore.exe via 8.8.8.8:53
    aadcdn.msauth.net CNAME aadcdnoriginwus2.azureedge.net
    aadcdnoriginwus2.azureedge.net CNAME aadcdnoriginwus2.afd.azureedge.net
    aadcdnoriginwus2.afd.azureedge.net CNAME firstparty-azurefd-prod.trafficmanager.net
    firstparty-azurefd-prod.trafficmanager.net CNAME shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net
    shed.dual-low.part-0020.t-0009.fdv2-t-msedge.net CNAME global-entry-afdthirdparty-fallback-first.trafficmanager.net
    global-entry-afdthirdparty-fallback-first.trafficmanager.net CNAME shed.dual-low.part-0020.t-0009.fb-t-msedge.net
    shed.dual-low.part-0020.t-0009.fb-t-msedge.net CNAME part-0020.t-0009.fb-t-msedge.net
    part-0020.t-0009.fb-t-msedge.net A 13.107.253.48, 13.107.226.48
  • [US] GET https://aadcdn.msftauth.net/shared/1.0/content/js/ConvergedLogin_PCore_vWbrOmVW6hkWOywpyVm8-A2.js from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /shared/1.0/content/js/ConvergedLogin_PCore_vWbrOmVW6hkWOywpyVm8-A2.js HTTP/2.0
    host: aadcdn.msftauth.net
    accept: application/javascript, */*;q=0.8
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    origin: https://login.microsoftonline.com
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 2005639
    cache-control: public, max-age=31536000
    content-md5: 45Qv8sv65y9z0OgE08hhTA==
    content-type: application/x-javascript
    date: Tue, 09 May 2023 22:55:24 GMT
    etag: 0x8DB3CB2194453A2
    last-modified: Fri, 14 Apr 2023 06:33:02 GMT
    server: ECAcc (hkc/BDA3)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: dc2ef554-801e-000e-678b-701f6b000000
    x-ms-version: 2009-09-19
    content-length: 115022
  • [US] GET https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/2.0
    host: aadcdn.msftauth.net
    accept: */*
    accept-encoding: gzip, deflate
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
    age: 1893923
    cache-control: public, max-age=31536000
    content-md5: EuPayFgGHQiAI7K9SOL6lg==
    content-type: image/x-icon
    date: Tue, 09 May 2023 22:55:31 GMT
    etag: 0x8D8731240E548EB
    last-modified: Sun, 18 Oct 2020 03:02:30 GMT
    server: ECAcc (hkc/BD67)
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: b80dfb9d-c01e-0086-548f-71c001000000
    x-ms-version: 2009-09-19
    content-length: 17174
  • [US] GET https://aadcdn.msftauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_6d0f034edc7f959d3b0d.js from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_6d0f034edc7f959d3b0d.js HTTP/2.0
    host: aadcdn.msftauth.net
    accept: application/javascript, */*;q=0.8
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 5883817
    cache-control: public, max-age=31536000
    content-md5: OQp8wyezCVBxxlQ0oNEkXg==
    content-type: application/x-javascript
    date: Tue, 09 May 2023 22:55:31 GMT
    etag: 0x8DB192A2C7B783B
    last-modified: Tue, 28 Feb 2023 01:21:52 GMT
    server: ECAcc (hkc/BD4A)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 6ed4994c-c01e-002d-6946-4d925a000000
    x-ms-version: 2009-09-19
    content-length: 32199
  • [US] GET https://aadcdn.msftauth.net/shared/1.0/content/images/appbackgrounds/49-small_e58aafc980614a9cd7796bea7b5ea8f0.jpg from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /shared/1.0/content/images/appbackgrounds/49-small_e58aafc980614a9cd7796bea7b5ea8f0.jpg HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
    age: 26630020
    cache-control: public, max-age=31536000
    content-md5: 5YqvyYBhSpzXeWvqe16o8A==
    content-type: image/jpeg
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8D7D287001BC861
    last-modified: Fri, 27 Mar 2020 19:42:36 GMT
    server: ECAcc (hkc/BD45)
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 634caf7a-d01e-0062-5e96-90511b000000
    x-ms-version: 2009-09-19
    content-length: 987
  • [US] GET https://aadcdn.msftauth.net/shared/1.0/content/images/appbackgrounds/49_7916a894ebde7d29c2cc29b267f1299f.jpg from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /shared/1.0/content/images/appbackgrounds/49_7916a894ebde7d29c2cc29b267f1299f.jpg HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
    age: 26886697
    cache-control: public, max-age=31536000
    content-md5: eRaolOvefSnCzCmyZ/Epnw==
    content-type: image/jpeg
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8D7D2870015D3DE
    last-modified: Fri, 27 Mar 2020 19:42:36 GMT
    server: ECAcc (hkc/BD2A)
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 9864f4af-801e-004b-6a40-8ef668000000
    x-ms-version: 2009-09-19
    content-length: 17453
  • [US] GET https://aadcdn.msftauth.net/shared/1.0/content/images/applogos/53_8b36337037cff88c3df203bb73d58e41.png from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /shared/1.0/content/images/applogos/53_8b36337037cff88c3df203bb73d58e41.png HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 3610540
    cache-control: public, max-age=31536000
    content-md5: izYzcDfP+Iw98gO7c9WOQQ==
    content-type: image/png
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8D7AF695D6C58F2
    last-modified: Wed, 12 Feb 2020 03:12:17 GMT
    server: ECAcc (hkc/BD3F)
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 13693549-201e-001f-39f2-615e4e000000
    x-ms-version: 2009-09-19
    content-length: 5139
  • [US] GET https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
    age: 23482458
    cache-control: public, max-age=31536000
    content-md5: nzaLxFgP7ZB3dfMcaybWzw==
    content-type: image/svg+xml
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8D79A1B9F5E121A
    last-modified: Thu, 16 Jan 2020 00:32:52 GMT
    server: ECAcc (hkc/BD8D)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 76c730b2-001e-0087-1837-ad3e0c000000
    x-ms-version: 2009-09-19
    content-length: 1435
  • [US] GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ri9kuwotliet3wfbgspsga2.css from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /ests/2.1/content/cdnbundles/converged.v2.login.min_ri9kuwotliet3wfbgspsga2.css HTTP/2.0
    host: aadcdn.msftauth.net
    accept: */*
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    origin: https://login.microsoftonline.com
    accept-encoding: gzip, deflate
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 5373895
    cache-control: public, max-age=31536000
    content-md5: ChFamsxirG9fmBt4/kbQ4Q==
    content-type: text/css
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8DB1F522EBD9183
    last-modified: Tue, 07 Mar 2023 21:23:23 GMT
    server: ECAcc (hkc/BDAF)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 02ab6d60-201e-0095-36e9-518c49000000
    x-ms-version: 2009-09-19
    content-length: 20004
  • [US] GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_dxpr-5j5ntliiuj7keh9jq2.js from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_dxpr-5j5ntliiuj7keh9jq2.js HTTP/2.0
    host: aadcdn.msftauth.net
    accept: */*
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    origin: https://login.microsoftonline.com
    accept-encoding: gzip, deflate
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 2144904
    cache-control: public, max-age=31536000
    content-md5: Co/ZGOhOoUnVtGCjmlYOhQ==
    content-type: application/x-javascript
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8DB3C92663D70B9
    last-modified: Fri, 14 Apr 2023 02:46:08 GMT
    server: ECAcc (hkc/BDC1)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 3d0cee11-401e-004a-1a47-6f0865000000
    x-ms-version: 2009-09-19
    content-length: 14135
  • [US] GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_dxpr-5j5ntliiuj7keh9jq2.js from IEXPLORE.EXE, remote address 152.199.39.242:443
    Request
    GET /ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_dxpr-5j5ntliiuj7keh9jq2.js HTTP/2.0
    host: aadcdn.msftauth.net
    accept: */*
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 2144904
    cache-control: public, max-age=31536000
    content-md5: Co/ZGOhOoUnVtGCjmlYOhQ==
    content-type: application/x-javascript
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8DB3C92663D70B9
    last-modified: Fri, 14 Apr 2023 02:46:08 GMT
    server: ECAcc (hkc/BDC1)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 3d0cee11-401e-004a-1a47-6f0865000000
    x-ms-version: 2009-09-19
    content-length: 14135
  • flag-us
    GET
    https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ri9kuwotliet3wfbgspsga2.css
    IEXPLORE.EXE
    Remote address:
    152.199.39.242:443
    Request
    GET /ests/2.1/content/cdnbundles/converged.v2.login.min_ri9kuwotliet3wfbgspsga2.css HTTP/2.0
    host: aadcdn.msftauth.net
    accept: */*
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 5373895
    cache-control: public, max-age=31536000
    content-md5: ChFamsxirG9fmBt4/kbQ4Q==
    content-type: text/css
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8DB1F522EBD9183
    last-modified: Tue, 07 Mar 2023 21:23:23 GMT
    server: ECAcc (hkc/BDAF)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 02ab6d60-201e-0095-36e9-518c49000000
    x-ms-version: 2009-09-19
    content-length: 20004
  • flag-us
    GET
    https://aadcdn.msftauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pstringcustomizationhelper_12d145c6db04e5f655d1.js
    IEXPLORE.EXE
    Remote address:
    152.199.39.242:443
    Request
    GET /shared/1.0/content/js/asyncchunk/convergedlogin_pstringcustomizationhelper_12d145c6db04e5f655d1.js HTTP/2.0
    host: aadcdn.msftauth.net
    accept: application/javascript, */*;q=0.8
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 5866257
    cache-control: public, max-age=31536000
    content-md5: UGdLnNjQ2ANqAZtcyoAOCg==
    content-type: application/x-javascript
    date: Tue, 09 May 2023 22:55:44 GMT
    etag: 0x8DB192A2D6B421E
    last-modified: Tue, 28 Feb 2023 01:21:54 GMT
    server: ECAcc (hkc/BD9A)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 9f0b253e-d01e-0064-326e-4db7da000000
    x-ms-version: 2009-09-19
    content-length: 35822
  • flag-us
    GET
    https://aadcdn.msftauth.net/shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.svg
    IEXPLORE.EXE
    Remote address:
    152.199.39.242:443
    Request
    GET /shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.svg HTTP/2.0
    host: aadcdn.msftauth.net
    accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    referer: https://login.microsoftonline.com/
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    content-encoding: gzip
    accept-ranges: bytes
    access-control-allow-origin: *
    access-control-expose-headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding
    age: 6990730
    cache-control: public, max-age=31536000
    content-md5: R2FAVxfpONfnQAuxVxXbHg==
    content-type: image/svg+xml
    date: Tue, 09 May 2023 22:55:46 GMT
    etag: 0x8D8852A740F01B9
    last-modified: Tue, 10 Nov 2020 03:41:05 GMT
    server: ECAcc (hkc/BD6B)
    vary: Accept-Encoding
    x-cache: HIT
    x-ms-blob-type: BlockBlob
    x-ms-lease-status: unlocked
    x-ms-request-id: 74b6496a-601e-005e-7434-435ce1000000
    x-ms-version: 2009-09-19
    content-length: 621
  • flag-us
    DNS
    242.39.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    242.39.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • flag-us
    DNS
    outlook.office365.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    outlook.office365.com
    IN A
    Response
    outlook.office365.com
    IN CNAME
    outlook.ha.office365.com
    outlook.ha.office365.com
    IN CNAME
    outlook.ms-acdc.office.com
    outlook.ms-acdc.office.com
    IN CNAME
    AMS-efz.ms-acdc.office.com
    AMS-efz.ms-acdc.office.com
    IN A
    52.97.144.2
    AMS-efz.ms-acdc.office.com
    IN A
    40.99.204.66
    AMS-efz.ms-acdc.office.com
    IN A
    40.99.204.34
    AMS-efz.ms-acdc.office.com
    IN A
    40.101.18.242
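    The answer above resolves outlook.office365.com through three aliases before reaching the A records, and the flag-nl connection that follows goes to the first of them, 52.97.144.2. The snippet below is an added example for reading this report (it is not tria.ge code): it follows a CNAME chain from a captured answer to its terminal A records, refusing malformed or looping chains, and then does the cross-check an analyst applies to a sandbox capture, namely that the address a process connected to is one the observed DNS traffic explains. SAMPLE_ANSWER and OBSERVED_REMOTE are transcribed from the report; nothing else is assumed.

```python
"""Follow the CNAME chain in a captured DNS answer down to the A records.

Added example for reading the tria.ge report; not tria.ge code. SAMPLE_ANSWER
is the answer section of the outlook.office365.com lookup, transcribed from the
report as (owner, type, rdata) records. The cross-check at the end is the one
an analyst does on a sandbox report: the address a process connected to should
appear in an answer the sandbox actually saw, otherwise the destination came
from somewhere other than DNS (a hard-coded IP, a hosts file, a cached result).
"""

SAMPLE_ANSWER = [
    ("outlook.office365.com", "CNAME", "outlook.ha.office365.com"),
    ("outlook.ha.office365.com", "CNAME", "outlook.ms-acdc.office.com"),
    ("outlook.ms-acdc.office.com", "CNAME", "AMS-efz.ms-acdc.office.com"),
    ("AMS-efz.ms-acdc.office.com", "A", "52.97.144.2"),
    ("AMS-efz.ms-acdc.office.com", "A", "40.99.204.66"),
    ("AMS-efz.ms-acdc.office.com", "A", "40.99.204.34"),
    ("AMS-efz.ms-acdc.office.com", "A", "40.101.18.242"),
]

# Remote address of the GET /owa/prefetch.aspx connection in the report.
OBSERVED_REMOTE = "52.97.144.2"


def resolve_chain(qname, answer, max_hops=8):
    """Return (names visited, A records at the end of the chain).

    Owner names are compared case-insensitively (DNS names are), a name with
    more than one CNAME is malformed, and a chain longer than max_hops (or a
    loop, which looks the same) is rejected instead of followed forever.
    """
    by_owner = {}
    for owner, rtype, rdata in answer:
        by_owner.setdefault(owner.lower(), []).append((rtype, rdata))
    chain = [qname]
    name = qname.lower()
    for _ in range(max_hops):
        rrs = by_owner.get(name, [])
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return chain, [rdata for rtype, rdata in rrs if rtype == "A"]
        if len(cnames) > 1:
            raise ValueError(f"{name} has {len(cnames)} CNAME records; at most one is allowed")
        chain.append(cnames[0])
        name = cnames[0].lower()
    raise ValueError(f"CNAME chain from {qname} exceeds {max_hops} hops (loop?)")


def connection_explained_by_dns(remote_ip, qname, answer):
    """True if remote_ip is one of the A records the captured answer resolves to."""
    _, addrs = resolve_chain(qname, answer)
    return remote_ip in addrs


if __name__ == "__main__":
    names, addrs = resolve_chain("outlook.office365.com", SAMPLE_ANSWER)
    print(" -> ".join(names))
    print("A:", ", ".join(addrs))
    print("connection explained by DNS:",
          connection_explained_by_dns(OBSERVED_REMOTE, "outlook.office365.com", SAMPLE_ANSWER))
```

On this capture the chain ends at AMS-efz.ms-acdc.office.com with four addresses and the prefetch.aspx connection lands on one of them, so the destination is accounted for. Connections in the summary further down that carry no hostname (52.152.110.14, 209.197.3.8 and similar) are the ones this check would not be able to explain from the DNS shown; the sandbox only issued PTR lookups for those.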
  • flag-nl
    GET
    https://outlook.office365.com/owa/prefetch.aspx
    IEXPLORE.EXE
    Remote address:
    52.97.144.2:443
    Request
    GET /owa/prefetch.aspx HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Referer: https://login.microsoftonline.com/
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: outlook.office365.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Cache-Control: private, no-store
    Content-Length: 1236
    Content-Type: text/html; charset=utf-8
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Server: Microsoft-IIS/10.0
    request-id: d8b88db7-fc6b-6cc8-41dc-8d0d17127587
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Alt-Svc: h3=":443",h3-29=":443"
    X-CalculatedFETarget: DB6PR0301CU001.internal.outlook.com
    X-BackEndHttpStatus: 200
    Set-Cookie: ClientId=A97B7C142C5040D5A389C6B3DE5F95C3; expires=Thu, 09-May-2024 22:55:31 GMT; path=/;SameSite=None; secure
    Set-Cookie: ClientId=A97B7C142C5040D5A389C6B3DE5F95C3; expires=Thu, 09-May-2024 22:55:31 GMT; path=/;SameSite=None; secure
    Set-Cookie: OIDC=1; expires=Thu, 09-Nov-2023 22:55:31 GMT; path=/;SameSite=None; secure; HttpOnly
    Set-Cookie: OWAPF=v:15.20.6363.33&l:mouse; path=/
    X-CalculatedBETarget: DB6PR0801MB2085.eurprd08.PROD.OUTLOOK.COM
    X-BackEndHttpStatus: 200
    X-RUM-Validated: 1
    X-RUM-NotUpdateQueriedPath: 1
    X-RUM-NotUpdateQueriedDbCopy: 1
    X-Content-Type-Options: nosniff
    X-BeSku: Gen9
    X-OWA-Version: 15.20.6363.33
    X-OWA-DiagnosticsInfo: 2;0;0
    X-IIDs: 0
    X-BackEnd-Begin: 2023-05-09T22:55:31.875
    X-BackEnd-End: 2023-05-09T22:55:31.875
    X-DiagInfo: DB6PR0801MB2085
    X-BEServer: DB6PR0801MB2085
    X-UA-Compatible: IE=EmulateIE7
    X-Proxy-RoutingCorrectness: 1
    X-Proxy-BackendServerStatus: 200
    X-FEProxyInfo: AM0PR08CA0023.EURPRD08.PROD.OUTLOOK.COM
    X-FEEFZInfo: AMS
    X-FEServer: DB6PR0301CA0002
    Report-To: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=&FrontEnd=Cafe&DestinationEndpoint=AMS"}],"include_subdomains":true}
    NEL: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
    X-FirstHopCafeEFZ: AMS
    X-FEServer: AM0PR08CA0023
    Date: Tue, 09 May 2023 22:55:30 GMT
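    The four Set-Cookie headers in the prefetch.aspx response above are worth a second look: ClientId is set twice, with Secure and SameSite=None but no HttpOnly; OIDC carries all three attributes; OWAPF carries none of them. The snippet below is an added example for reading this report (not tria.ge or Microsoft code): a parser for Set-Cookie values that tolerates the mixed "; " and ";" separators seen here, plus the hygiene checks a reviewer runs over every cookie a response sets. SAMPLE_SET_COOKIE is copied from the report; the findings it emits are generic heuristics, not a statement about Exchange Online policy.

```python
"""Audit the Set-Cookie headers of a captured HTTPS response.

Added example for reading the tria.ge report above; it is not tria.ge or
Microsoft code, and the findings are generic cookie-hygiene heuristics.
SAMPLE_SET_COOKIE is the four Set-Cookie lines of the /owa/prefetch.aspx
response, copied from the report.
"""
from dataclasses import dataclass, field

SAMPLE_SET_COOKIE = [
    "ClientId=A97B7C142C5040D5A389C6B3DE5F95C3; expires=Thu, 09-May-2024 22:55:31 GMT; path=/;SameSite=None; secure",
    "ClientId=A97B7C142C5040D5A389C6B3DE5F95C3; expires=Thu, 09-May-2024 22:55:31 GMT; path=/;SameSite=None; secure",
    "OIDC=1; expires=Thu, 09-Nov-2023 22:55:31 GMT; path=/;SameSite=None; secure; HttpOnly",
    "OWAPF=v:15.20.6363.33&l:mouse; path=/",
]


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value, '' for bare flags such as Secure
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes.

    The report's headers mix '; ' and ';' as separators ('path=/;SameSite=None'),
    so split on ';' and strip each piece. Attribute names are matched
    case-insensitively, as browsers do; values keep their case.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            cookie.attrs[key.strip().lower()] = val.strip()
    return cookie


def audit_cookies(headers: list[str], over_https: bool = True) -> dict[str, list[str]]:
    """Map each cookie name to a list of findings; an empty list means clean."""
    findings: dict[str, list[str]] = {}
    for header in headers:
        c = parse_set_cookie(header)
        if c.name in findings:
            # Same name set twice in one response: usually harmless duplication,
            # but worth noticing because the last one wins in the cookie jar.
            findings[c.name].append("set more than once in the same response")
            continue
        issues = findings[c.name] = []
        secure = "secure" in c.attrs
        samesite = c.attrs.get("samesite", "").lower()
        if over_https and not secure:
            issues.append("missing Secure on an HTTPS response")
        if "httponly" not in c.attrs:
            issues.append("missing HttpOnly (readable by page script)")
        if samesite == "none" and not secure:
            issues.append("SameSite=None without Secure (browsers reject the cookie)")
        if not samesite:
            issues.append("no SameSite attribute (browser default applies)")
    return findings


if __name__ == "__main__":
    for name, issues in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(f"{name}: {'clean' if not issues else '; '.join(issues)}")
```

Run over the four headers it reports ClientId as set twice and lacking HttpOnly, OIDC as clean, and OWAPF as lacking Secure, HttpOnly and SameSite. All of these are set before any sign-in has happened, so none of them can be a session credential in this capture and the findings are hygiene rather than exposure; the same check pointed at the cookies a completed login sets is where it earns its keep.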
  • flag-us
    DNS
    2.144.97.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.144.97.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    r4.res.office365.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    r4.res.office365.com
    IN A
    Response
    r4.res.office365.com
    IN CNAME
    r4.res.office365.com.edgekey.net
    r4.res.office365.com.edgekey.net
    IN CNAME
    e40491.dscg.akamaiedge.net
    e40491.dscg.akamaiedge.net
    IN A
    104.77.161.168
    e40491.dscg.akamaiedge.net
    IN A
    104.77.161.167
  • flag-gb
    GET
    https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.0.mouse.js
    IEXPLORE.EXE
    Remote address:
    104.77.161.168:443
    Request
    GET /owa/prem/15.20.6363.33/scripts/boot.worldwide.0.mouse.js HTTP/2.0
    host: r4.res.office365.com
    accept: text/css, */*
    referer: https://outlook.office365.com/owa/prefetch.aspx
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    content-type: application/x-javascript
    last-modified: Mon, 08 May 2023 01:01:58 GMT
    server: AkamaiNetStorage
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 179692
    cache-control: public,max-age=630720000, s-maxage=630720000
    date: Tue, 09 May 2023 22:55:44 GMT
    timing-allow-origin: *
    access-control-allow-origin: *
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-gb
    GET
    https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.1.mouse.js
    IEXPLORE.EXE
    Remote address:
    104.77.161.168:443
    Request
    GET /owa/prem/15.20.6363.33/scripts/boot.worldwide.1.mouse.js HTTP/2.0
    host: r4.res.office365.com
    accept: text/css, */*
    referer: https://outlook.office365.com/owa/prefetch.aspx
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    content-type: application/x-javascript
    last-modified: Mon, 08 May 2023 01:01:47 GMT
    server: AkamaiNetStorage
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 163064
    cache-control: public,max-age=630720000, s-maxage=630720000
    date: Tue, 09 May 2023 22:55:44 GMT
    timing-allow-origin: *
    access-control-allow-origin: *
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-gb
    GET
    https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.2.mouse.js
    IEXPLORE.EXE
    Remote address:
    104.77.161.168:443
    Request
    GET /owa/prem/15.20.6363.33/scripts/boot.worldwide.2.mouse.js HTTP/2.0
    host: r4.res.office365.com
    accept: text/css, */*
    referer: https://outlook.office365.com/owa/prefetch.aspx
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    content-type: application/x-javascript
    last-modified: Mon, 08 May 2023 01:01:59 GMT
    server: AkamaiNetStorage
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 169666
    cache-control: public,max-age=630720000, s-maxage=630720000
    date: Tue, 09 May 2023 22:55:45 GMT
    timing-allow-origin: *
    access-control-allow-origin: *
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-gb
    GET
    https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.3.mouse.js
    IEXPLORE.EXE
    Remote address:
    104.77.161.168:443
    Request
    GET /owa/prem/15.20.6363.33/scripts/boot.worldwide.3.mouse.js HTTP/2.0
    host: r4.res.office365.com
    accept: text/css, */*
    referer: https://outlook.office365.com/owa/prefetch.aspx
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    content-type: application/x-javascript
    last-modified: Mon, 08 May 2023 01:01:47 GMT
    server: AkamaiNetStorage
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 145599
    cache-control: public,max-age=630720000, s-maxage=630720000
    date: Tue, 09 May 2023 22:55:46 GMT
    timing-allow-origin: *
    access-control-allow-origin: *
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-gb
    GET
    https://r4.res.office365.com/owa/prem/15.20.6363.33/resources/images/0/sprite1.mouse.png
    IEXPLORE.EXE
    Remote address:
    104.77.161.168:443
    Request
    GET /owa/prem/15.20.6363.33/resources/images/0/sprite1.mouse.png HTTP/2.0
    host: r4.res.office365.com
    accept: text/css, */*
    referer: https://outlook.office365.com/owa/prefetch.aspx
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    content-length: 132
    content-type: image/png
    last-modified: Mon, 08 May 2023 01:11:00 GMT
    server: AkamaiNetStorage
    cache-control: public,max-age=630720000, s-maxage=630720000
    date: Tue, 09 May 2023 22:55:46 GMT
    timing-allow-origin: *
    access-control-allow-origin: *
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-gb
    GET
    https://r4.res.office365.com/owa/prem/15.20.6363.33/resources/images/0/sprite1.mouse.css
    IEXPLORE.EXE
    Remote address:
    104.77.161.168:443
    Request
    GET /owa/prem/15.20.6363.33/resources/images/0/sprite1.mouse.css HTTP/2.0
    host: r4.res.office365.com
    accept: text/css, */*
    referer: https://outlook.office365.com/owa/prefetch.aspx
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    content-type: text/css
    last-modified: Mon, 08 May 2023 01:10:58 GMT
    server: AkamaiNetStorage
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 288
    cache-control: public,max-age=630720000, s-maxage=630720000
    date: Tue, 09 May 2023 22:55:46 GMT
    timing-allow-origin: *
    access-control-allow-origin: *
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-gb
    GET
    https://r4.res.office365.com/owa/prem/15.20.6363.33/resources/styles/0/boot.worldwide.mouse.css
    IEXPLORE.EXE
    Remote address:
    104.77.161.168:443
    Request
    GET /owa/prem/15.20.6363.33/resources/styles/0/boot.worldwide.mouse.css HTTP/2.0
    host: r4.res.office365.com
    accept: text/css, */*
    referer: https://outlook.office365.com/owa/prefetch.aspx
    accept-language: en-US
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    accept-encoding: gzip, deflate
    Response
    HTTP/2.0 200
    accept-ranges: bytes
    content-type: text/css
    last-modified: Mon, 08 May 2023 01:11:28 GMT
    server: AkamaiNetStorage
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 44144
    cache-control: public,max-age=630720000, s-maxage=630720000
    date: Tue, 09 May 2023 22:55:46 GMT
    timing-allow-origin: *
    access-control-allow-origin: *
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-us
    DNS
    168.161.77.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.161.77.104.in-addr.arpa
    IN PTR
    Response
    168.161.77.104.in-addr.arpa
    IN PTR
    a104-77-161-168.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • 52.152.110.14:443
    276 B
    6
  • 52.152.110.14:443
    260 B
    5
  • 209.197.3.8:80
    322 B
    7
  • 20.42.73.25:443
    322 B
    7
  • 173.223.113.164:443
    322 B
    7
  • 173.223.113.131:80
    322 B
    7
  • 204.79.197.203:80
    322 B
    7
  • 40.99.204.210:80
    outlook.office.com
    IEXPLORE.EXE
    156 B
    3
  • 40.99.204.210:80
    outlook.office.com
    IEXPLORE.EXE
    156 B
    3
  • 40.101.12.130:80
    outlook.office.com
    IEXPLORE.EXE
    156 B
    3
  • 40.101.12.130:80
    http://outlook.office.com/
    http
    IEXPLORE.EXE
    495 B
    636 B
    5
    3

    HTTP Request

    GET http://outlook.office.com/

    HTTP Response

    301
  • 40.101.12.130:443
    outlook.office.com
    IEXPLORE.EXE
    156 B
    3
  • 40.101.12.82:80
    outlook.office.com
    IEXPLORE.EXE
    156 B
    3
  • 40.101.12.82:443
    outlook.office.com
    IEXPLORE.EXE
    156 B
    3
  • 40.99.204.146:80
    outlook.office.com
    IEXPLORE.EXE
    190 B
    92 B
    4
    2
  • 40.99.204.146:443
    https://outlook.office.com/owa/
    tls, http2
    IEXPLORE.EXE
    1.5kB
    9.7kB
    19
    14

    HTTP Request

    GET https://outlook.office.com/

    HTTP Response

    302

    HTTP Request

    GET https://outlook.office.com/owa/

    HTTP Response

    302
  • 40.126.32.133:443
    login.microsoftonline.com
    tls
    IEXPLORE.EXE
    868 B
    4.5kB
    11
    6
  • 40.126.32.133:443
    https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=66784a05-f965-86d6-f4fb-9c9787e08a6a&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02&state=Dcs5FoAgDABR0OdxIiFIluOwtpZe3xR_uokhhNMdLqInCBfNRmyCzFSUS70Rn7HUKvQ2DZ5FGUw2g-5Rp5FgR4r-Xun9WvoB
    tls, http
    IEXPLORE.EXE
    3.5kB
    59.1kB
    49
    46

    HTTP Request

    GET https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=66784a05-f965-86d6-f4fb-9c9787e08a6a&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02&state=Dcs5FoAgDABR0OdxIiFIluOwtpZe3xR_uokhhNMdLqInCBfNRmyCzFSUS70Rn7HUKvQ2DZ5FGUw2g-5Rp5FgR4r-Xun9WvoB

    HTTP Response

    200
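    The authorize request above is the OpenID Connect leg of the sign-in: outlook.office.com/owa/ answered 302 and sent the browser to login.microsoftonline.com with client_id and resource both set to 00000002-0000-0ff1-ce00-000000000000 (the Office 365 Exchange Online first-party application), response_type=code id_token with response_mode=form_post, a nonce and a state, and a claims parameter asking for the xms_cc client-capabilities claim with value CP1, which Microsoft uses to mark clients that support continuous access evaluation. The response was 200, i.e. the login page itself; the sandbox has no credentials, so the flow stops there and the following entries are just that page's static assets from aadcdn.msftauth.net. The snippet below is an added example for reading this report (not tria.ge or Microsoft code): it decodes the request and applies the checks an analyst uses to tell a genuine sign-in redirect from an adversary-in-the-middle phishing proxy, chiefly that redirect_uri is an HTTPS URL on a host the user was actually visiting. AUTHORIZE_URL is copied from the report; EXPECTED_HOSTS is this capture's set of visited hosts and is an assumption of the example.

```python
"""Decode and sanity-check the OpenID Connect authorize request captured above.

Added example for reading the tria.ge report; not tria.ge or Microsoft code.
AUTHORIZE_URL is copied from the report. EXPECTED_HOSTS is the set of hosts
the browser was redirected from in this capture (an assumption of the example).
"""
import json
from urllib.parse import parse_qs, urlsplit

AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize?"
    "client_id=00000002-0000-0ff1-ce00-000000000000"
    "&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f"
    "&resource=00000002-0000-0ff1-ce00-000000000000"
    "&response_mode=form_post&response_type=code+id_token&scope=openid"
    "&msafed=1&msaredir=1&client-request-id=66784a05-f965-86d6-f4fb-9c9787e08a6a"
    "&protectedtoken=true"
    "&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d"
    "&nonce=638192697066238635.004ce895-bad9-4e21-97f6-8fc5d9270b02"
    "&state=Dcs5FoAgDABR0OdxIiFIluOwtpZe3xR_uokhhNMdLqInCBfNRmyCzFSUS70Rn7HUKvQ2DZ5FGUw2g-5Rp5FgR4r-Xun9WvoB"
)

# Hosts the browser was redirected from in this capture (assumption of the example).
EXPECTED_HOSTS = {"outlook.office.com", "outlook.office365.com"}
AUTHORITY = "login.microsoftonline.com"


def parse_authorize(url: str) -> dict:
    """Return the query parameters as a dict, with the structured ones decoded."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    # response_type and scope are space-separated lists; '+' in the query is the encoded space.
    q["response_type"] = q.get("response_type", "").split()
    q["scope"] = q.get("scope", "").split()
    if "claims" in q:
        q["claims"] = json.loads(q["claims"])  # the OIDC 'claims' parameter is JSON
    return q


def check_authorize(url: str, expected_hosts=EXPECTED_HOSTS) -> tuple[dict, list[str]]:
    """Return (parsed params, findings). An empty findings list means nothing odd."""
    parts = urlsplit(url)
    q = parse_authorize(url)
    findings = []
    if parts.scheme != "https" or parts.hostname != AUTHORITY:
        findings.append(f"authorize endpoint is {parts.scheme}://{parts.hostname}, not {AUTHORITY}")
    ru = urlsplit(q.get("redirect_uri", ""))
    if ru.scheme != "https":
        findings.append("redirect_uri is not https")
    if ru.hostname not in expected_hosts:
        findings.append(f"redirect_uri host {ru.hostname!r} is not a host the user visited")
    if "openid" not in q["scope"]:
        findings.append("scope lacks openid, so this is plain OAuth2, not OIDC")
    if "id_token" in q["response_type"]:
        if not q.get("nonce"):
            findings.append("id_token requested without a nonce (replay protection missing)")
        if q.get("response_mode") != "form_post":
            findings.append("id_token would be delivered in the URL fragment rather than by form_post")
    if not q.get("state"):
        findings.append("no state parameter (CSRF binding missing)")
    return q, findings


if __name__ == "__main__":
    params, issues = check_authorize(AUTHORIZE_URL)
    for key in ("client_id", "redirect_uri", "response_type", "response_mode", "scope", "claims"):
        print(f"{key}: {params[key]}")
    print("findings:", issues or "none")
```

The captured request passes every check. The same function run on a copy whose redirect_uri points at a look-alike host returns exactly one finding, the redirect_uri mismatch, which is the signature of a proxy that relays the real login page but wants the authorization code delivered to itself.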
  • 152.199.39.242:443
    https://aadcdn.msftauth.net/shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.svg
    tls, http2
    IEXPLORE.EXE
    13.5kB
    314.1kB
    254
    238

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/js/ConvergedLogin_PCore_vWbrOmVW6hkWOywpyVm8-A2.js

    HTTP Response

    200

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pcustomizationloader_6d0f034edc7f959d3b0d.js

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/images/appbackgrounds/49-small_e58aafc980614a9cd7796bea7b5ea8f0.jpg

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/images/appbackgrounds/49_7916a894ebde7d29c2cc29b267f1299f.jpg

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/images/applogos/53_8b36337037cff88c3df203bb73d58e41.png

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg

    HTTP Request

    GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ri9kuwotliet3wfbgspsga2.css

    HTTP Request

    GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_dxpr-5j5ntliiuj7keh9jq2.js

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/ux.converged.login.strings-en.min_dxpr-5j5ntliiuj7keh9jq2.js

    HTTP Request

    GET https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ri9kuwotliet3wfbgspsga2.css

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/js/asyncchunk/convergedlogin_pstringcustomizationhelper_12d145c6db04e5f655d1.js

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://aadcdn.msftauth.net/shared/1.0/content/images/signin-options_4e48046ce74f4b89d45037c90576bfac.svg

    HTTP Response

    200
  • 152.199.39.242:443
    aadcdn.msftauth.net
    tls, http2
    IEXPLORE.EXE
    1.1kB
    5.7kB
    14
    11
  • 204.79.197.200:443
    ieonline.microsoft.com
    iexplore.exe
    156 B
    3
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    iexplore.exe
    1.5kB
    8.1kB
    15
    14
  • 52.97.144.2:443
    outlook.office365.com
    tls
    IEXPLORE.EXE
    864 B
    5.0kB
    11
    6
  • 52.97.144.2:443
    https://outlook.office365.com/owa/prefetch.aspx
    tls, http
    IEXPLORE.EXE
    1.3kB
    8.3kB
    13
    10

    HTTP Request

    GET https://outlook.office365.com/owa/prefetch.aspx

    HTTP Response

    200
  • 104.77.161.168:443
    r4.res.office365.com
    tls, http2
    IEXPLORE.EXE
    1.3kB
    6.9kB
    18
    17
  • 104.77.161.168:443
    https://r4.res.office365.com/owa/prem/15.20.6363.33/resources/styles/0/boot.worldwide.mouse.css
    tls, http2
    IEXPLORE.EXE
    27.3kB
    740.1kB
    569
    563

    HTTP Request

    GET https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.0.mouse.js

    HTTP Response

    200

    HTTP Request

    GET https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.1.mouse.js

    HTTP Response

    200

    HTTP Request

    GET https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.2.mouse.js

    HTTP Response

    200

    HTTP Request

    GET https://r4.res.office365.com/owa/prem/15.20.6363.33/scripts/boot.worldwide.3.mouse.js

    HTTP Response

    200

    HTTP Request

    GET https://r4.res.office365.com/owa/prem/15.20.6363.33/resources/images/0/sprite1.mouse.png

    HTTP Response

    200

    HTTP Request

    GET https://r4.res.office365.com/owa/prem/15.20.6363.33/resources/images/0/sprite1.mouse.css

    HTTP Response

    200

    HTTP Request

    GET https://r4.res.office365.com/owa/prem/15.20.6363.33/resources/styles/0/boot.worldwide.mouse.css

    HTTP Response

    200
  • 8.8.8.8:53
    14.110.152.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    14.110.152.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    2.36.159.162.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    2.36.159.162.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    outlook.office.com
    dns
    IEXPLORE.EXE
    64 B
    261 B
    1
    1

    DNS Request

    outlook.office.com

    DNS Response

    40.101.83.194
    52.97.200.178
    52.97.250.210
    40.101.18.242

  • 8.8.8.8:53
    outlook.office.com
    dns
    IEXPLORE.EXE
    64 B
    261 B
    1
    1

    DNS Request

    outlook.office.com

    DNS Response

    40.99.204.210
    40.101.12.130
    40.101.12.82
    40.99.204.146

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    130.12.101.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    130.12.101.40.in-addr.arpa

  • 8.8.8.8:53
    200.232.18.117.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    200.232.18.117.in-addr.arpa

  • 8.8.8.8:53
    146.204.99.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.204.99.40.in-addr.arpa

  • 8.8.8.8:53
    76.38.195.152.in-addr.arpa
    dns
    72 B
    143 B
    1
    1

    DNS Request

    76.38.195.152.in-addr.arpa

  • 8.8.8.8:53
    login.microsoftonline.com
    dns
    IEXPLORE.EXE
    71 B
    314 B
    1
    1

    DNS Request

    login.microsoftonline.com

    DNS Response

    20.190.160.20
    40.126.32.133
    40.126.32.138
    20.190.160.22
    40.126.32.68
    40.126.32.134
    20.190.160.17
    40.126.32.74

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    aadcdn.msftauth.net
    dns
    IEXPLORE.EXE
    65 B
    115 B
    1
    1

    DNS Request

    aadcdn.msftauth.net

    DNS Response

    152.199.39.242

  • 8.8.8.8:53
    aadcdn.msauth.net
    dns
    iexplore.exe
    63 B
    410 B
    1
    1

    DNS Request

    aadcdn.msauth.net

    DNS Response

    13.107.253.48
    13.107.226.48

  • 8.8.8.8:53
    242.39.199.152.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    242.39.199.152.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    outlook.office365.com
    dns
    IEXPLORE.EXE
    67 B
    215 B
    1
    1

    DNS Request

    outlook.office365.com

    DNS Response

    52.97.144.2
    40.99.204.66
    40.99.204.34
    40.101.18.242

  • 8.8.8.8:53
    2.144.97.52.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    2.144.97.52.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    r4.res.office365.com
    dns
    IEXPLORE.EXE
    66 B
    181 B
    1
    1

    DNS Request

    r4.res.office365.com

    DNS Response

    104.77.161.168
    104.77.161.167

  • 8.8.8.8:53
    168.161.77.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    168.161.77.104.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    bd71617256882953841a8337a4dd5d5c

    SHA1

    d9b47492fafc72a5fbca10c56229fe6a2757331a

    SHA256

    8f2693e8b656256ad2faa63c3421eb6f1a4e278d2e2e3cc97d5acd5642f97ba2

    SHA512

    2d40d636e04523d2095e6896f24a911c523d581b93d486af41275b3b6dc94e05bf5e4de8e2c8479886e4c3f2ff87215fd25c028846ba5a868258875dcca3fa2b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    434B

    MD5

    0272d2900d6aeff33dcb8ea2b59b9d9c

    SHA1

    977189c7ef9a019ff50124db814885d98fb45b36

    SHA256

    6a34c756af6b94c93919d06c35d849d7fe1e845a80ba62fb37c818fe432718b4

    SHA512

    c79ea29f9fd0921fed554a6920e72daf64be5f4d8047823d0ad700b98eaf36d755d1a9c6d8792bf2299a3e2d11b5ab0f6a9bbaade64c7b5ac0f560260740f6e0

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cz9baam\imagestore.dat

    Filesize

    17KB

    MD5

    f0e7503d6d0ee04aaa7d3dd7b40005d8

    SHA1

    4c81db92da135ed007aeaff6f380695b42ffd945

    SHA256

    ec833ed89e59c2c87ba771400c55afda018b131011abf46f014abbcb0642d9e5

    SHA512

    a6ff660260f84e4f1417b9729d5c12b0d0e66e49113a0d2e93624daa87072a9dc05f392f7268a6b882236da634a94d1c47664b51823c62de96d00ede2ddbbdf5

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cz9baam\imagestore.dat

    Filesize

    18KB

    MD5

    bf279b73485d854c49fbad32c9a1d212

    SHA1

    bd3e8030e499339c9db0a7d1cb8ecee3f49d9819

    SHA256

    26baf8fc0406c9ffc7a0211d80a4b184ae1cdba80c73f95a6aeadffde3c45398

    SHA512

    45b2aab5bd90d48a13b1b1cacfd4b944ea4a37b2ee0db0185970186d21681df9781ad44a9a07216a70e5247033e678b240e5a8f33c84d37fece601d20ed10adb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\favicon_a_eupayfgghqiai7k9sol6lg2[1].ico

    Filesize

    16KB

    MD5

    12e3dac858061d088023b2bd48e2fa96

    SHA1

    e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

    SHA256

    90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

    SHA512

    c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
