Edit tour

Windows Analysis Report
Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx

Overview

General Information

Sample name:	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx
Analysis ID:	1451035
MD5:	de2f137fa5723fe4c79f433bec139e88
SHA1:	55bb1d26d0f6c95b0b33a1332db33ee63c149482
SHA256:	35fd887399057dfcc4cc150462c7df803987613b54b000409e1ae43cb6c5e7a0
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Stores files to the Windows start menu directory

Unable to load, office file is protected or invalid

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6484 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2240,i,4638376767373001243,5637970318286738540,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

EXCEL.EXE (PID: 5776 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.42, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5776, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 54177

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 54177, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 5776, Protocol: tcp, SourceIp: 13.107.246.42, SourceIsIpv6: false, SourcePort: 443

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49736 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.3.187.198:443 -> 192.168.2.5:54172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:54173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:54174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:54175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54181 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.5:54171 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 13.107.246.42 13.107.246.42
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49736 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5pC4Y4cpzEw+3b3&MD=vyxT2ADH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic	HTTP traffic detected: GET /sls/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5pC4Y4cpzEw+3b3&MD=vyxT2ADH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5pC4Y4cpzEw+3b3&MD=vyxT2ADH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324007v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: http://www.allvuesystems.com
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://adfs4.sts.altareturn.com:443/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3aportal%3aberkshire&wctx=ht
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://mindmup.github.io/3rdpartycookiecheck/start.html
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://pwrecover.altareturn.com
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://sp13ip.altareturn.com
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://spdevrecover2019.verticetech.com
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://stgpwrecover2019.altareturn.com
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://usadfspublic.blob.core.windows.net/adfs4loginpageresource/
Source: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	String found in binary or memory: https://usadfspublic.blob.core.windows.net/adfs4loginpageresource/How%20to%20enable%20cross-site%20c

Source: unknown	Network traffic detected: HTTP traffic on port 54177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54179
Source: unknown	Network traffic detected: HTTP traffic on port 54183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 54174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 54181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54174
Source: unknown	Network traffic detected: HTTP traffic on port 54175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54179 -> 443

Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.3.187.198:443 -> 192.168.2.5:54172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:54173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:54174 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:54175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54180 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.42:443 -> 192.168.2.5:54181 version: TLS 1.2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Window title found: microsoft excel okexcel cannot open the file 'berkshire fund viii-a l.p._berkshire portfolio company summary - 3.31.24 - f8.xlsx' because the file format or file extension is not valid. verify that the file has not been corrupted and that the file extension matches the format of the file.

Source: classification engine

Classification label: clean4.winXLSX@29/12@3/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{086BE64C-F38A-4EE0-ABC1-0E6BB5D2AA54} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2240,i,4638376767373001243,5637970318286738540,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2240,i,4638376767373001243,5637970318286738540,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
s-part-0014.t-0009.t-msedge.net	13.107.246.42	true	false	unknown
www.google.com	172.217.18.4	true	false	unknown
198.187.3.20.in-addr.arpa	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://sp13ip.altareturn.com	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	false	unknown
https://adfs4.sts.altareturn.com:443/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3aportal%3aberkshire&wctx=ht	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	false	unknown
https://stgpwrecover2019.altareturn.com	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	false	unknown
https://mindmup.github.io/3rdpartycookiecheck/start.html	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	false	unknown
https://spdevrecover2019.verticetech.com	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	false	unknown
http://www.allvuesystems.com	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	false	unknown
https://pwrecover.altareturn.com	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx, 4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp.0.dr	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.42	s-part-0014.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.18.4	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.7
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1451035
Start date and time:	2024-06-03 14:34:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx
Detection:	CLEAN
Classification:	clean4.winXLSX@29/12@3/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsx

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 64.233.167.84, 142.250.185.206, 142.250.185.99, 34.104.35.123, 142.250.185.170, 172.217.16.138, 142.250.185.106, 142.250.185.234, 142.250.184.202, 142.250.184.234, 142.250.185.138, 216.58.206.74, 142.250.185.74, 172.217.23.106, 216.58.206.42, 172.217.18.106, 142.250.186.74, 142.250.186.42, 142.250.181.234, 142.250.185.202, 52.109.32.97, 184.28.90.27, 52.109.28.47, 52.113.194.132, 93.184.221.240, 192.229.221.95, 104.208.16.90, 172.217.18.3, 142.250.181.238, 142.250.186.110, 142.250.186.46
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, wu.azureedge.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, clients2.google.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, optimizationguide-pa.googleapis.com, clients1.google.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, accounts.google.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.246.42	https://1drv.ms/o/s!Ale5u7cgFrqDgrU1Y9FuTirE1RVPjA?e=U3XZbQ	Get hash	malicious	SharepointPhisher	Browse
	Quarantined Messages.zip	Get hash	malicious	HTMLPhisher	Browse
	Account_Verification.htm	Get hash	malicious	Unknown	Browse
	https://video2.skills-academy.com/de-de/power-bi/connect-data/service-datasets-manage-access-permissions	Get hash	malicious	Unknown	Browse
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	Unknown	Browse
	UrfBRh4Hs5.exe	Get hash	malicious	AsyncRAT	Browse
	Invoice for 23-05-24 halboutevents.com-infected.html	Get hash	malicious	HTMLPhisher	Browse
	IT1_Individual_Resident_Return_XLS.zip	Get hash	malicious	Unknown	Browse
	Items.xls	Get hash	malicious	Unknown	Browse
	http://trq21files6468h65fdtr65g67h85deploy869.pages.dev/	Get hash	malicious	TechSupportScam	Browse
239.255.255.250	https://asap911.com/	Get hash	malicious	Unknown	Browse
	http://telegrum.xyz	Get hash	malicious	Unknown	Browse
	https://voicemail-amityregion5.webflow.io/	Get hash	malicious	Unknown	Browse
	https://pmchri.ac.in/login/Exceloffice.html	Get hash	malicious	HTMLPhisher	Browse
	https://assets-eur.mkt.dynamics.com/21f9f50d-1320-ef11-8406-000d3adc9e50/digitalassets/standaloneforms/3a7ec846-5e21-ef11-840a-0022489c8b2d?code=FnYBDrD1	Get hash	malicious	Unknown	Browse
	https://mailtrack.io/l/95aacca2537b6b72fbedc193596da82ad5881695#=Y3VzdG9tZXJzZXJ2aWNlQG9mZmljaWFscGF5bWVudHMuY29t	Get hash	malicious	HTMLPhisher	Browse
	https://www.gearupbooster.com/ru/	Get hash	malicious	Unknown	Browse
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0014.t-0009.t-msedge.net	https://1drv.ms/o/s!Ale5u7cgFrqDgrU1Y9FuTirE1RVPjA?e=U3XZbQ	Get hash	malicious	SharepointPhisher	Browse	13.107.246.42
	Quarantined Messages.zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	Account_Verification.htm	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://video2.skills-academy.com/de-de/power-bi/connect-data/service-datasets-manage-access-permissions	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	Unknown	Browse	13.107.246.42
	IT1_Individual_Resident_Return_XLS.zip	Get hash	malicious	Unknown	Browse	13.107.246.42
	Items.xls	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://microsoftedge.microsoft.com/addons/detail/rocketreach-edge-extensio/ldjlhlheoidifojmfkjfijmdhlagakni	Get hash	malicious	Unknown	Browse	13.107.246.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://assets-eur.mkt.dynamics.com/21f9f50d-1320-ef11-8406-000d3adc9e50/digitalassets/standaloneforms/3a7ec846-5e21-ef11-840a-0022489c8b2d?code=FnYBDrD1	Get hash	malicious	Unknown	Browse	52.146.128.240
	https://www.gearupbooster.com/ru/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://dawatywmaitzdzmys.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	51.104.148.203
	Ticket (WS455-6593).msg	Get hash	malicious	Unknown	Browse	20.189.173.8
	1EasyTally (Classic) V 1.2.1.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	CHKS2400304.pdf.vbs	Get hash	malicious	FormBook, GuLoader	Browse	13.107.137.11

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://telegrum.xyz	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://pmchri.ac.in/login/Exceloffice.html	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	http://hedegaardsauto.dk/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://url.emailprotection.link/?bfTS_KrNiCShMSk4JMdvONeCZogDcLbz5FpmqaWv5_rv04QOH9b6Kmd7I2qCiUKsv5q5t0vck4irt9qK1Ha4DzFeAO0jjH8TqkD8_rnXp7Hb_Z2NvhP5RRBPj-wTHvqzH3uWgwkA5ntmGsn_nQmoSqXg9ZA99cuf-YoREOfJYdxDOydNBrZanG4AjtkOBRG8jIYlVsNNW5m0VQXzj53pdlrIuvxEIXshgoyxys-1O7YY3TXyKX91l31dM71wVeSwnEfdV41Ae6S_Qz94sYwSpHTmtde2cL52gfFzC2-9V1C4uP_zO_-8UqGHHy_EuldxFEsUQnyqSjqeNOcNLtDKqZk_YFZPSMI2uoVDXHMIsE7bzz0WyMM5JE8h_E3PM6G3BXBxylvRaP9pgn2SUBMmD4MikUNFlgdO8l0F2GTjTWZ1iamreK1TgsgJZU5n3HdhTP-FR-6GO9e5TUim70dwnMYLSymCeNheZWD28SdMdEq15nmik9cacgtLBurT14jJh_0pROu_pGf-E3UrWHRr0UA45EqC2EJESTkvmRpfgvknl3VTE5ALfrvQt-vml8LuHw1iE_hpL4YS9F9MIqs1-th8X3GC1yR0LkfTTrX5edJxG-rlLXrryMntFIA_PAflBl2-kK2SIlZGVNYATnrQi9yKbK70wOUwPIQn-b83tFxm-yj4nvBfB8LMAJkc9C9odqhAaLU1pgemaAlR1eltYR_00Ujep2NF6a4onO3YUQA9N3PhobVIQ7vswLz4pwyXUAjlowSupgC3RBx3ll15alNvnU9ORi5E7VwgP0vO27L_HSOZWUTwe_kS0iMHUWAbg4aTAUCAyg2uGKp28eGvIdJcxffqxabruTMd5AaFmXlDEU6yKi1DztscBp_z_GWRo	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://parivacycomunitysprostandards.pages.dev/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://bnb-id8205.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://linkx-paylaters.webnew.biz.id/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://fanciful-banoffee-dea204.netlify.app/appeal.html/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://a1-8st.pages.dev/	Get hash	malicious	TechSupportScam	Browse	23.1.237.91
	https://polite-valkyrie-edec0a.netlify.app/form.html/	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	https://asap911.com/	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	http://telegrum.xyz	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://voicemail-amityregion5.webflow.io/	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://pmchri.ac.in/login/Exceloffice.html	Get hash	malicious	HTMLPhisher	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://assets-eur.mkt.dynamics.com/21f9f50d-1320-ef11-8406-000d3adc9e50/digitalassets/standaloneforms/3a7ec846-5e21-ef11-840a-0022489c8b2d?code=FnYBDrD1	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://mailtrack.io/l/95aacca2537b6b72fbedc193596da82ad5881695#=Y3VzdG9tZXJzZXJ2aWNlQG9mZmljaWFscGF5bWVudHMuY29t	Get hash	malicious	HTMLPhisher	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://www.gearupbooster.com/ru/	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
	https://supersimple365.com/microsoft-lists-user-experience-update-mid-2023/	Get hash	malicious	Unknown	Browse	20.190.159.73 13.85.23.86 40.127.169.103 20.3.187.198
a0e9f5d64349fb13191bc781f81f42e1	https://www.gearupbooster.com/ru/	Get hash	malicious	Unknown	Browse	13.107.246.42
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	1EasyTally (Classic) V 1.2.1.xls	Get hash	malicious	Unknown	Browse	13.107.246.42
	Homes Needed.lnk	Get hash	malicious	Unknown	Browse	13.107.246.42
	Setup_v1.9.3.exe	Get hash	malicious	LummaC	Browse	13.107.246.42
	xWVWqU5rd5.exe	Get hash	malicious	RisePro Stealer	Browse	13.107.246.42
	SecuriteInfo.com.Program.Unwanted.4903.10559.20508.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	SecuriteInfo.com.Program.Unwanted.4903.10559.20508.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	fKSMq1IQV6.exe	Get hash	malicious	RisePro Stealer	Browse	13.107.246.42
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer	Browse	13.107.246.42

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	7.946747821604857
Encrypted:	false
SSDEEP:	96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
MD5:	1BFE591A4FE3D91B03CDF26EAACD8F89
SHA1:	719C37C320F518AC168C86723724891950911CEA
SHA-256:	9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
SHA-512:	02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.)......Y@...(..).R."E..D^6........u....\|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O...R..........D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;\|.h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.z..2.Py...A..s...z..@...4..........4.....Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._\|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.174857563182266
Encrypted:	false
SSDEEP:	3:kkFklM+1fllXlE/0htlX16pFRltB+SliQlP8F+RlTRe86A+iRlERMta9b3+AL0Wy:kK3RN+SkQlPlEGYRMY9z+s3Ql2DUevat
MD5:	B18598E1948D35E64E946C78B6F7C077
SHA1:	D2FD0C6291BBABBD73C65B6BA8D78C0EF8D25ED6
SHA-256:	4326D4D47CBA6474E0EC1A1422906EA5F03AC58B8B729027A9E8CD282E52C333
SHA-512:	6A6079DAB6ED3D8A01D70626FBBECF1FDA96A0870E8070F7B2EDAA7528D4D3AB61CDA559CEDE8F6B49335A81C0F8FADD1410E59FFA430D7965BEAEC58001C6F4
Malicious:	false
Reputation:	low
Preview:	p...... ...............(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 3 11:35:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.974221286365199
Encrypted:	false
SSDEEP:	48:86dTTb73HFidAKZdA19ehwiZUklqehSy+3:8C7H1y
MD5:	05A71E9CD714C49D4EB8668505E05B37
SHA1:	189C82081690E2F3B1DFEA026D6AEA2E37730DDE
SHA-256:	06DA403844C5D8B553FFEB17A6EE52A309FC758EBD2EDD7B9D053BB673109B87
SHA-512:	6F2484241947486034AB35E48FC03EB18D6C0985FD733D19AA2B83ED552510B87C60F6B7F981A24F1AD30C091C15A69532D6794CB858CB70CD9EDCBB5C9F9443
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xsd....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xsd....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xsd....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xsd..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xud...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............JW......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 3 11:35:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9919241713542135
Encrypted:	false
SSDEEP:	48:8BEdTTb73HFidAKZdA1weh/iZUkAQkqehly+2:8B87t9Q4y
MD5:	700D2B5E7152721D067E7B629A046A79
SHA1:	1A674D11824139C4430DD882BF21DAC9BF9B2C97
SHA-256:	4802983F483BDECD395436314873AF4D3EE8D7A760ABD07ED7F2CE52687AD6C9
SHA-512:	A21AB1FBE63C31603757C620429C2D074612363E71ECACF8CCEE42103FC526182C687E71FAD3EA4A651B9E5F4AC5CAC9B7477330AB0E385CE6CDFFE569D58F69
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xsd....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xsd....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xsd....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xsd..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xud...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............JW......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.002919006004547
Encrypted:	false
SSDEEP:	48:8xEdTTb7sHFidAKZdA14tseh7sFiZUkmgqeh7sry+BX:8x87Enpy
MD5:	25DFB9406BEE68FFA4D274BBBB9DE9EA
SHA1:	E86B6A7F3CA51B1AFB7CD6A7C1A9826F20380DB6
SHA-256:	9BF84C35CFB20156F6644A428590661D28E069C1D7E7489032C093DEE74C145F
SHA-512:	F445058B2DE35FAD16FF8302181BA06F339EDCEF08A6F8A2C11BC8F83B6BF15517CC7EA7647B550516213EFDD771CF9660BD3D6F52FADD6D8413BB54B134A110
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xsd....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xsd....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xsd....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xsd..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............JW......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 3 11:35:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.989010342695176
Encrypted:	false
SSDEEP:	48:8VdTTb73HFidAKZdA1vehDiZUkwqehRy+R:877OTy
MD5:	2DD4DFCF4298613DD211CB77B890BFEE
SHA1:	329A44AB6EF2769D0CC12981BD9703A1462BDBF0
SHA-256:	AC2091CBC00B973D21ADB853D4D103219463644A6115B8046A0C72DCC863BAD0
SHA-512:	600F4C9B94E3263152D49A13B838F304480DFB004037A6A1951E9A58AAF324D3A564CB84E2C0A6273260D8F397F9C92B5F786DA40C58CA75FE6E5AC564DA58CB
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,............N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xsd....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xsd....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xsd....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xsd..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xud...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............JW......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 3 11:35:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.976912090866836
Encrypted:	false
SSDEEP:	48:8NdTTb73HFidAKZdA1hehBiZUk1W1qehfy+C:8T7+9/y
MD5:	4996EBC230D61B0492D872B9CEEDC090
SHA1:	407E31F6CEEF9C4C73B3BBD4B3B9AAE2511EC0F2
SHA-256:	0F8932B86B69F7C63220ABAF9E60046F7897889AA84114F9BD4955FD9878A102
SHA-512:	122D6F3C29D263FC98195186B96360C17F0BFFF83123FE908A6223B57B7395ABBC9393FD144607497A4F477036B0038F262449C74EBEACDD4B38869B497457A3
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,.....Q......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xsd....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xsd....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xsd....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xsd..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xud...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............JW......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jun 3 11:35:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.990410375814637
Encrypted:	false
SSDEEP:	48:86dTTb73HFidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbpy+yT+:8C7gT/TbxWOvTbpy7T
MD5:	F5F0089A023C53D1A0D73B3DBA1B5344
SHA1:	5FCDF1041B83F27B06B1143DB4369C1326F730C2
SHA-256:	E8FB0AE8B1CFD5F2E7DB6497E51F9DB377EDC6EF134F5A557FCF34E874E6DC96
SHA-512:	501020551AC440FEB2B22701D28A2B7CBF2ACB2CCB293DCBBD1AF11710C58295A31B9D3B4F66438D0929A5B7E0B215BC522E24A50D780DCF9462E37BB70A0E22
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....\|A....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xsd....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xsd....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xsd....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xsd..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xud...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............JW......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2069), with CRLF line terminators
Category:	dropped
Size (bytes):	42019
Entropy (8bit):	5.082417726325476
Encrypted:	false
SSDEEP:	768:r19I5EnqQwH+lDX8HicGsDmwKKs3Nhidsu4Y6JnrhMXtBOBYaUhWQpHCQPfHzCxK:rrI5EFq+lDX8HicGsDmwKKs3Nhidsu4I
MD5:	DE2F137FA5723FE4C79F433BEC139E88
SHA1:	55BB1D26D0F6C95B0B33A1332DB33EE63C149482
SHA-256:	35FD887399057DFCC4CC150462C7DF803987613B54B000409E1AE43CB6C5E7A0
SHA-512:	55037A68207346AB985EF72A12DFAC956FE8B0299EAC1201BC253956821CF1A8A5F4BB9AD46DBEAC2B9F72D8833E86F00118DA1F7AA3B8024D79C91FC5355355
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html lang="en-US">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge"/>.. <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=1"/>.. <meta http-equiv="content-type" content="text/html;charset=UTF-8" />.. <meta http-equiv="cache-control" content="no-cache,no-store"/>.. <meta http-equiv="pragma" content="no-cache"/>.. <meta http-equiv="expires" content="-1"/>.. <meta name='mswebdialog-title' content='Connecting to AltaReturn Authentication'/>.... <title>Sign In</title>.. <script type='text/javascript'>..//<![CDATA[..function LoginErrors(){this.userNameFormatError = 'Enter your user ID in the format \u0026quot;domain\\user\u0026quot; or \u0026quot;user@domain\u0026quot;.'; this.passwordEmpty = 'Enter your password.'; this.passwordTooLong = 'Password is too long (\u0026gt; 128 characters).';}; var maxPasswordLength = 128;..// ..</script>....<script type='text/

C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2069), with CRLF line terminators
Category:	dropped
Size (bytes):	42019
Entropy (8bit):	5.082417726325476
Encrypted:	false
SSDEEP:	768:r19I5EnqQwH+lDX8HicGsDmwKKs3Nhidsu4Y6JnrhMXtBOBYaUhWQpHCQPfHzCxK:rrI5EFq+lDX8HicGsDmwKKs3Nhidsu4I
MD5:	DE2F137FA5723FE4C79F433BEC139E88
SHA1:	55BB1D26D0F6C95B0B33A1332DB33EE63C149482
SHA-256:	35FD887399057DFCC4CC150462C7DF803987613B54B000409E1AE43CB6C5E7A0
SHA-512:	55037A68207346AB985EF72A12DFAC956FE8B0299EAC1201BC253956821CF1A8A5F4BB9AD46DBEAC2B9F72D8833E86F00118DA1F7AA3B8024D79C91FC5355355
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en-US">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge"/>.. <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=1"/>.. <meta http-equiv="content-type" content="text/html;charset=UTF-8" />.. <meta http-equiv="cache-control" content="no-cache,no-store"/>.. <meta http-equiv="pragma" content="no-cache"/>.. <meta http-equiv="expires" content="-1"/>.. <meta name='mswebdialog-title' content='Connecting to AltaReturn Authentication'/>.... <title>Sign In</title>.. <script type='text/javascript'>..//<![CDATA[..function LoginErrors(){this.userNameFormatError = 'Enter your user ID in the format \u0026quot;domain\\user\u0026quot; or \u0026quot;user@domain\u0026quot;.'; this.passwordEmpty = 'Enter your password.'; this.passwordTooLong = 'Password is too long (\u0026gt; 128 characters).';}; var maxPasswordLength = 128;..// ..</script>....<script type='text/

C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (2069), with CRLF line terminators
Category:	dropped
Size (bytes):	42019
Entropy (8bit):	5.082417726325476
Encrypted:	false
SSDEEP:	768:r19I5EnqQwH+lDX8HicGsDmwKKs3Nhidsu4Y6JnrhMXtBOBYaUhWQpHCQPfHzCxK:rrI5EFq+lDX8HicGsDmwKKs3Nhidsu4I
MD5:	DE2F137FA5723FE4C79F433BEC139E88
SHA1:	55BB1D26D0F6C95B0B33A1332DB33EE63C149482
SHA-256:	35FD887399057DFCC4CC150462C7DF803987613B54B000409E1AE43CB6C5E7A0
SHA-512:	55037A68207346AB985EF72A12DFAC956FE8B0299EAC1201BC253956821CF1A8A5F4BB9AD46DBEAC2B9F72D8833E86F00118DA1F7AA3B8024D79C91FC5355355
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en-US">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge"/>.. <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=1"/>.. <meta http-equiv="content-type" content="text/html;charset=UTF-8" />.. <meta http-equiv="cache-control" content="no-cache,no-store"/>.. <meta http-equiv="pragma" content="no-cache"/>.. <meta http-equiv="expires" content="-1"/>.. <meta name='mswebdialog-title' content='Connecting to AltaReturn Authentication'/>.... <title>Sign In</title>.. <script type='text/javascript'>..//<![CDATA[..function LoginErrors(){this.userNameFormatError = 'Enter your user ID in the format \u0026quot;domain\\user\u0026quot; or \u0026quot;user@domain\u0026quot;.'; this.passwordEmpty = 'Enter your password.'; this.passwordTooLong = 'Password is too long (\u0026gt; 128 characters).';}; var maxPasswordLength = 128;..// ..</script>....<script type='text/

C:\Users\user\Downloads\~$Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.5231029153786204
Encrypted:	false
SSDEEP:	3:sYp5lFltt:sYp5Nv
MD5:	B77267835A6BEAC785C351BDE8E1A61C
SHA1:	FABD93A92989535D43233E3DB9C6579D8174740E
SHA-256:	3B222E766EADC8BC9A8A90AC32FA591F313545B7E8C5D481D378AE307FA798C3
SHA-512:	FFFCBA958E9BD56F284DA19592F124C48B013FCDA2FBE65B3EB38BB644C2B0C978E6DAE99EF213B054813C7212E119B09236A6FFF342D32E52C84DD26DE1E033
Malicious:	false
Preview:	.user ..a.l.f.o.n.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	HTML document, Unicode text, UTF-8 text, with very long lines (2069), with CRLF line terminators
Entropy (8bit):	5.082417726325476
TrID:	HyperText Markup Language (12502/1) 100.00%
File name:	Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx
File size:	42'019 bytes
MD5:	de2f137fa5723fe4c79f433bec139e88
SHA1:	55bb1d26d0f6c95b0b33a1332db33ee63c149482
SHA256:	35fd887399057dfcc4cc150462c7df803987613b54b000409e1ae43cb6c5e7a0
SHA512:	55037a68207346ab985ef72a12dfac956fe8b0299eac1201bc253956821cf1a8a5f4bb9ad46dbeac2b9f72d8833e86f00118da1f7aa3b8024d79c91fc5355355
SSDEEP:	768:r19I5EnqQwH+lDX8HicGsDmwKKs3Nhidsu4Y6JnrhMXtBOBYaUhWQpHCQPfHzCxK:rrI5EFq+lDX8HicGsDmwKKs3Nhidsu4I
TLSH:	FA13D69A6445082252736376EBFE4608FFB541230A029D08F8EC96D91FB1E0587E7EFC
File Content Preview:	<!DOCTYPE html>..<html lang="en-US">.. <head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge"/>.. <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=1"/>.. <meta http-equiv="content-type" co

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 303
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2024 14:35:37.345375061 CEST	49674	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:35:37.345392942 CEST	49675	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:35:37.470408916 CEST	49673	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:35:46.657138109 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:46.657180071 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:46.657242060 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:46.657577038 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:46.657591105 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:47.014524937 CEST	49674	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:35:47.045803070 CEST	49675	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:35:47.248913050 CEST	49673	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:35:47.530864954 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:47.551057100 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:47.551083088 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:47.552268028 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:47.552320004 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:48.334943056 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:48.335283995 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:48.452034950 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:48.452064991 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:48.639524937 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:48.827769041 CEST	443	49703	23.1.237.91	192.168.2.5
Jun 3, 2024 14:35:48.828032970 CEST	49703	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:35:51.869204044 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:51.869240046 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:51.869474888 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:51.870522022 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:51.870533943 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:52.943888903 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:52.944116116 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.000332117 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.000365019 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.000957012 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.002687931 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.002708912 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.002815962 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.366733074 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.423501968 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.423512936 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.424595118 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.424786091 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.425172091 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.425276041 CEST	443	49722	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.425343990 CEST	49722	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.459629059 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.459671021 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.459803104 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.460022926 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.460038900 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.754252911 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.754297972 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:53.754458904 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.754693031 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:53.754707098 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.517369986 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.517482042 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:54.535082102 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:54.535099983 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.535417080 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.536298990 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:54.536325932 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:54.536355972 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.808146000 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.808939934 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:54.808954000 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.839396000 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:54.839409113 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:54.839449883 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:54.839464903 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:55.100475073 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:55.100569010 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:55.100773096 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:55.101151943 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:55.101171970 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:55.101255894 CEST	49724	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:55.101260900 CEST	443	49724	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.432651043 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.432682991 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.432701111 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.432760954 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.432774067 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.432835102 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.432851076 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.432851076 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.432987928 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.433543921 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.433543921 CEST	49725	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.433553934 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.433562040 CEST	443	49725	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.764353991 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.764364958 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:56.764434099 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.770752907 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:56.770761967 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:57.526300907 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:57.526369095 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:57.526549101 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:57.769568920 CEST	49711	443	192.168.2.5	172.217.18.4
Jun 3, 2024 14:35:57.769609928 CEST	443	49711	172.217.18.4	192.168.2.5
Jun 3, 2024 14:35:57.887232065 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:57.887830973 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:57.887866020 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:57.888577938 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:57.888590097 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:57.888612032 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:57.888622046 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.169562101 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:58.169625044 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:58.169693947 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:58.170917988 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:58.170943975 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:58.616420031 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.616453886 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.616503000 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.616543055 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.616564989 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.616576910 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.619182110 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.619194031 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.619215012 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.619364023 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.619400978 CEST	443	49730	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.619904995 CEST	49730	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.832803011 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.832848072 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.832918882 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.833806992 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:35:58.833820105 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:58.935575962 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:58.935662031 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:58.959225893 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:58.959261894 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:58.959645987 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.001422882 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.604506969 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.652497053 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856230974 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856261015 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856268883 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856285095 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856318951 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856329918 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.856355906 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856369019 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.856369019 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.856414080 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.856858969 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.856933117 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.856940031 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.857472897 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.857521057 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.947679043 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:35:59.974631071 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.974659920 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.974678040 CEST	49734	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:35:59.974684954 CEST	443	49734	13.85.23.86	192.168.2.5
Jun 3, 2024 14:35:59.998670101 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.079260111 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.079279900 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.080178022 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.080183983 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.080236912 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.080246925 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.439661980 CEST	49703	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:00.439661980 CEST	49703	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:00.444097042 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:00.444156885 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:00.444612980 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:00.444753885 CEST	443	49703	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:00.444760084 CEST	443	49703	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:00.445378065 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:00.445394993 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:00.595506907 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.595535040 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.595544100 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.595573902 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.595660925 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.595695972 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.596652031 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.596652031 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.596682072 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.596859932 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.596893072 CEST	443	49735	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.596956015 CEST	49735	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.710275888 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.710300922 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:00.710787058 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.711205959 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:00.711225986 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:01.105272055 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:01.105360031 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:01.785022020 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:01.786694050 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:01.786709070 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:01.789123058 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:01.789123058 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:01.789134979 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:01.789158106 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:01.859332085 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:01.859370947 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:01.860446930 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:01.860510111 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:01.863496065 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:01.863554955 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:01.863785982 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:01.863795042 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:02.095741987 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:02.095837116 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:02.096054077 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:02.096107006 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:02.096138000 CEST	443	49736	23.1.237.91	192.168.2.5
Jun 3, 2024 14:36:02.096194029 CEST	49736	443	192.168.2.5	23.1.237.91
Jun 3, 2024 14:36:02.164244890 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.164263010 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.164416075 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.164427996 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.164757967 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.164783001 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.164860964 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.164937019 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.164973974 CEST	443	49737	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.165034056 CEST	49737	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.195763111 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.195806026 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.196006060 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.196237087 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.196258068 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.207020044 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.207055092 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:02.207109928 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.207245111 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:02.207257986 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.281086922 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.281663895 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.281685114 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.282562971 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.282567978 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.282618999 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.282628059 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.286860943 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.286936998 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.289607048 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.289635897 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.289871931 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.290307045 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.290307045 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.290343046 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.661410093 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.661442041 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.661518097 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.661536932 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.661845922 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.661845922 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.662122011 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.662178040 CEST	443	49738	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.662233114 CEST	49738	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.808741093 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.808784008 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.808821917 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.808845997 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.808860064 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.808871031 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.809240103 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.809251070 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.809259892 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.809426069 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.809458971 CEST	443	49739	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.809495926 CEST	49739	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.879342079 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.879405975 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:03.879528046 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.879767895 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:03.879781961 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:04.933023930 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:04.933809996 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:04.933825016 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:04.934950113 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:04.934963942 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:04.935060024 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:04.935074091 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.289509058 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.289530039 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.289582014 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.289621115 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.289642096 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.289705992 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.290118933 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.290118933 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.290138960 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.290378094 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.290406942 CEST	443	49740	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.290469885 CEST	49740	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.352139950 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.352176905 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:05.352475882 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.352475882 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:05.352511883 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.416522980 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.417891026 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.417891979 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.417891979 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.417927980 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.417946100 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.417956114 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.779684067 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.779710054 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.779750109 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.779772043 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.779788017 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.779840946 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.780875921 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.780883074 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.781059027 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.781064034 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.781090975 CEST	443	49741	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.781145096 CEST	49741	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.846075058 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.846108913 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:06.846189022 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.846705914 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:06.846719980 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:07.913631916 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:07.916584969 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:07.916608095 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:07.917567968 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:07.917573929 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:07.917606115 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:07.917617083 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.286083937 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.286139011 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.286211014 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:08.286226034 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.286257029 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.286283016 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:08.287260056 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:08.287267923 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.287324905 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:08.287648916 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.287733078 CEST	443	49742	20.190.159.73	192.168.2.5
Jun 3, 2024 14:36:08.287781000 CEST	49742	443	192.168.2.5	20.190.159.73
Jun 3, 2024 14:36:14.507458925 CEST	54171	53	192.168.2.5	162.159.36.2
Jun 3, 2024 14:36:14.512293100 CEST	53	54171	162.159.36.2	192.168.2.5
Jun 3, 2024 14:36:14.512490034 CEST	54171	53	192.168.2.5	162.159.36.2
Jun 3, 2024 14:36:14.517419100 CEST	53	54171	162.159.36.2	192.168.2.5
Jun 3, 2024 14:36:15.099426985 CEST	54171	53	192.168.2.5	162.159.36.2
Jun 3, 2024 14:36:15.104587078 CEST	53	54171	162.159.36.2	192.168.2.5
Jun 3, 2024 14:36:15.104667902 CEST	54171	53	192.168.2.5	162.159.36.2
Jun 3, 2024 14:36:15.118796110 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:15.118823051 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:15.118954897 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:15.119333029 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:15.119342089 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.064605951 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.064716101 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:16.067426920 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:16.067454100 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.067714930 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.069650888 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:16.112512112 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.253752947 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.253956079 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:16.253984928 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.253995895 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:16.254329920 CEST	443	54172	20.3.187.198	192.168.2.5
Jun 3, 2024 14:36:16.254391909 CEST	54172	443	192.168.2.5	20.3.187.198
Jun 3, 2024 14:36:16.278637886 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:16.278665066 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:16.278743982 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:16.279093027 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:16.279108047 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.043690920 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.043776035 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:17.045198917 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:17.045213938 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.045500040 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.046657085 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:17.088499069 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.177747965 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.177999973 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:17.178024054 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.178034067 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:17.178145885 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.178174973 CEST	443	54173	13.85.23.86	192.168.2.5
Jun 3, 2024 14:36:17.178225040 CEST	54173	443	192.168.2.5	13.85.23.86
Jun 3, 2024 14:36:18.247785091 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:18.247814894 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:18.247900963 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:18.248301983 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:18.248317957 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.317019939 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.317095995 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.318541050 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.318548918 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.318768978 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.319909096 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.364504099 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.675332069 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.675367117 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.675384998 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.675472021 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.675492048 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.675612926 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.675995111 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.676090956 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.676098108 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.678097010 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.678097010 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.678109884 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.678282022 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.678323030 CEST	443	54174	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.678371906 CEST	54174	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.805767059 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.805820942 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:19.805932999 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.806319952 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:19.806333065 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:20.862929106 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:20.863782883 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:20.941072941 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:20.941109896 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:20.941451073 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:20.959327936 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.004503965 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.310559988 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.310591936 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.310607910 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.310657024 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.310687065 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.310703993 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.310735941 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.310770988 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.310820103 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.310828924 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.310838938 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.311470032 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.313869953 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.313888073 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.313910007 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:21.314141989 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.314188004 CEST	443	54175	40.127.169.103	192.168.2.5
Jun 3, 2024 14:36:21.314241886 CEST	54175	443	192.168.2.5	40.127.169.103
Jun 3, 2024 14:36:52.508766890 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.508805037 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.508887053 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.508900881 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.508905888 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.509017944 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.509243965 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.509262085 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.509367943 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.509381056 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.519884109 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.519936085 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.520015955 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.520231009 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.520261049 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.522651911 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.522681952 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.522753954 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.522957087 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.522968054 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.525974035 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.525996923 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:52.526269913 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.526437998 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:52.526463032 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.237025976 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.237138987 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.238703012 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.238720894 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.238996983 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.239614964 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.240032911 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.240108967 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.240326881 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.240326881 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.241692066 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.241724968 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.241928101 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.241934061 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.241997004 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.242218971 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.243405104 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.243850946 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.247220039 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.247397900 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.247819901 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.247937918 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.249042034 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.249061108 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.249072075 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.249078035 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.249311924 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.249722004 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.250926018 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.251132965 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.284498930 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.284502029 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.288505077 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.296502113 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.296503067 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.369148016 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.369167089 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.369183064 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.369270086 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.369313002 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.369313002 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.372626066 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.372626066 CEST	54177	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.372646093 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.372658968 CEST	443	54177	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.374766111 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.374941111 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.374985933 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.375099897 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.375122070 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.375135899 CEST	54181	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.375143051 CEST	443	54181	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.377669096 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.377763033 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.377811909 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.378129959 CEST	54179	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.378143072 CEST	443	54179	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.381031036 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.381064892 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.381136894 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.381367922 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.381377935 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.384620905 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.384645939 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.384975910 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.384975910 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.384975910 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.385001898 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.385010958 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.385432005 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.385596991 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.385837078 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.385837078 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.385838032 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.385838032 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.385838032 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.385854006 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.391680002 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.391701937 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.391974926 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.392115116 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.392123938 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.521011114 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.521029949 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.521120071 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.521192074 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.521301031 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.521429062 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.521450043 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.521588087 CEST	54178	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.521595001 CEST	443	54178	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.528973103 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.529011011 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.529067993 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.529239893 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.529246092 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:53.686906099 CEST	54180	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:53.686937094 CEST	443	54180	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.103182077 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.103873968 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.103890896 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.104662895 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.104670048 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.107295990 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.108894110 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.108910084 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.109802961 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.109807968 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.112140894 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.112546921 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.112564087 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.113550901 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.113563061 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.119460106 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.119849920 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.119857073 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.120636940 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.120640993 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.231149912 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.231338024 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.231592894 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.231625080 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.231625080 CEST	54184	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.231642962 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.231661081 CEST	443	54184	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.241368055 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.241473913 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.241555929 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.241761923 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.241775990 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.241790056 CEST	54182	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.241796970 CEST	443	54182	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.243448019 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.243526936 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.244113922 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.244113922 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.244215965 CEST	54183	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.244226933 CEST	443	54183	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.249759912 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.249823093 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.249866009 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.250030041 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.250035048 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.250045061 CEST	54185	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.250049114 CEST	443	54185	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.253918886 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.254404068 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.254419088 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.255289078 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.255296946 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.383364916 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.383450985 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.383507013 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.383733988 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.383758068 CEST	443	54186	13.107.246.42	192.168.2.5
Jun 3, 2024 14:36:54.383773088 CEST	54186	443	192.168.2.5	13.107.246.42
Jun 3, 2024 14:36:54.383780003 CEST	443	54186	13.107.246.42	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 3, 2024 14:35:42.750698090 CEST	53	62309	1.1.1.1	192.168.2.5
Jun 3, 2024 14:35:42.755105972 CEST	53	64940	1.1.1.1	192.168.2.5
Jun 3, 2024 14:35:44.267718077 CEST	53	54275	1.1.1.1	192.168.2.5
Jun 3, 2024 14:35:46.647341967 CEST	59248	53	192.168.2.5	1.1.1.1
Jun 3, 2024 14:35:46.647828102 CEST	51964	53	192.168.2.5	1.1.1.1
Jun 3, 2024 14:35:46.651995897 CEST	53	61974	1.1.1.1	192.168.2.5
Jun 3, 2024 14:35:46.654767036 CEST	53	51964	1.1.1.1	192.168.2.5
Jun 3, 2024 14:35:46.654779911 CEST	53	59248	1.1.1.1	192.168.2.5
Jun 3, 2024 14:36:01.319976091 CEST	53	55149	1.1.1.1	192.168.2.5
Jun 3, 2024 14:36:14.506833076 CEST	53	62193	162.159.36.2	192.168.2.5
Jun 3, 2024 14:36:15.107465029 CEST	62771	53	192.168.2.5	1.1.1.1
Jun 3, 2024 14:36:15.116877079 CEST	53	62771	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 3, 2024 14:35:46.647341967 CEST	192.168.2.5	1.1.1.1	0xae3c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jun 3, 2024 14:35:46.647828102 CEST	192.168.2.5	1.1.1.1	0xdb1e	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jun 3, 2024 14:36:15.107465029 CEST	192.168.2.5	1.1.1.1	0x59eb	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 3, 2024 14:35:46.654767036 CEST	1.1.1.1	192.168.2.5	0xdb1e	No error (0)	www.google.com			65	IN (0x0001)	false
Jun 3, 2024 14:35:46.654779911 CEST	1.1.1.1	192.168.2.5	0xae3c	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Jun 3, 2024 14:36:15.116877079 CEST	1.1.1.1	192.168.2.5	0x59eb	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jun 3, 2024 14:36:52.507934093 CEST	1.1.1.1	192.168.2.5	0xcad2	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	s-part-0014.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 3, 2024 14:36:52.507934093 CEST	1.1.1.1	192.168.2.5	0xcad2	No error (0)	s-part-0014.t-0009.t-msedge.net		13.107.246.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

https:

www.bing.com

fe3cr.delivery.mp.microsoft.com

otelrules.azureedge.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49722	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:35:52 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-06-03 12:35:52 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:35:53 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:34:53 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_SN1 x-ms-request-id: a8f96e9c-2f65-42ac-9725-9e57b39c46b1 PPServer: PPV: 30 H: SN1PEPF0002FA61 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:35:52 GMT Connection: close Content-Length: 1276
2024-06-03 12:35:53 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49724	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:35:54 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-06-03 12:35:54 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:35:55 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:34:54 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_BAY x-ms-request-id: aa02f27d-a232-4a30-a321-edf8fd2a1926 PPServer: PPV: 30 H: PH1PEPF00011F97 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:35:54 GMT Connection: close Content-Length: 1276
2024-06-03 12:35:55 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:35:54 UTC	446	OUT	POST /ppsecure/deviceaddcredential.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 7642 Host: login.live.com
2024-06-03 12:35:54 UTC	7642	OUT	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 71 75 65 73 74 3e 3c 43 6c 69 65 6e 74 49 6e 66 6f 20 6e 61 6d 65 3d 22 49 44 43 52 4c 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 3c 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 32 34 3c 2f 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 3c 2f 43 6c 69 65 6e 74 49 6e 66 6f 3e 3c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 65 70 68 6b 70 69 68 79 6f 6c 74 72 66 61 3c 2f 4d 65 6d 62 65 72 6e 61 6d 65 3e 3c 50 61 73 73 77 6f 72 64 3e 65 5e 6b 57 7e 72 70 34 49 49 58 48 71 4c 68 64 71 51 2c 39 3c 2f 50 61 73 73 77 6f 72 64 3e 3c 2f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4f 6c 64 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 76 6e 71 75 73 6b 66 70 70 70 63 69 76 63 3c 2f 4f 6c 64 4d Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02ephkpihyoltrfa</Membername><Password>e^kW~rp4IIXHqLhdqQ,9</Password></Authentication><OldMembername>02vnquskfpppcivc</OldM
2024-06-03 12:35:56 UTC	542	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/xml Expires: Mon, 03 Jun 2024 12:34:55 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C542_BAY x-ms-request-id: fbde4eeb-6f41-47f7-9e0e-8d98bf46f859 PPServer: PPV: 30 H: PH1PEPF00011E5F V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:35:55 GMT Connection: close Content-Length: 17166
2024-06-03 12:35:56 UTC	15842	IN	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 73 70 6f 6e 73 65 20 53 75 63 63 65 73 73 3d 22 74 72 75 65 22 3e 3c 73 75 63 63 65 73 73 3e 74 72 75 65 3c 2f 73 75 63 63 65 73 73 3e 3c 70 75 69 64 3e 30 30 31 38 30 30 30 46 37 31 32 46 37 35 34 31 3c 2f 70 75 69 64 3e 3c 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 33 3c 2f 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 3c 4c 69 63 65 6e 73 65 20 43 6f 6e 74 65 6e 74 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 2d 38 63 63 35 2d 62 32 66 35 33 63 38 33 30 62 37 36 22 20 49 44 3d 22 36 66 33 64 37 62 32 30 2d 63 39 64 62 2d 34 35 34 37 2d 62 32 62 33 2d 66 65 34 31 36 36 36 36 33 62 36 61 22 20 4c 69 63 65 6e 73 65 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>0018000F712F7541</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="6f3d7b20-c9db-4547-b2b3-fe4166663b6a" LicenseID="3252b20c-d425-4711
2024-06-03 12:35:56 UTC	1324	IN	Data Raw: 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 65 6e 76 65 6c 6f 70 65 64 2d 73 69 67 6e 61 74 75 72 65 22 2f 3e 3c 2f 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 30 34 2f 78 6d 6c 65 6e 63 23 73 68 61 32 35 36 22 2f 3e 3c 44 69 67 65 73 74 56 61 6c 75 65 3e 67 74 71 77 70 52 35 66 47 44 61 6f 48 73 4d 37 49 57 47 4b 5a 67 61 77 58 61 30 42 50 69 47 61 65 35 62 49 75 6e 2f 52 51 4a 41 3d 3c 2f 44 69 67 65 73 74 56 61 6c 75 65 3e 3c 2f 52 65 66 65 72 65 6e 63 65 3e 3c 2f 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 53 69 67 6e 61 74 75 72 65 56 61 6c 75 65 3e 41 46 38 6f 46 52 2b 47 66 Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49730	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:35:57 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-06-03 12:35:57 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:35:58 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:34:58 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30238.5 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C530_BAY x-ms-request-id: eed160e5-0aa1-47e5-a81b-6e67c030109b PPServer: PPV: 30 H: PH1PEPF00011E60 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:35:58 GMT Connection: close Content-Length: 11392
2024-06-03 12:35:58 UTC	11392	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49734	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:35:59 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5pC4Y4cpzEw+3b3&MD=vyxT2ADH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-06-03 12:35:59 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 48d14c00-b726-4104-b23a-43db50d969ff MS-RequestId: 51f37c4a-1799-4b05-aff7-e89723a8e055 MS-CV: XJUwCQ5wlUax6S4z.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 03 Jun 2024 12:35:59 GMT Connection: close Content-Length: 24490
2024-06-03 12:35:59 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-06-03 12:35:59 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49735	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:00 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-06-03 12:36:00 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:36:00 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:35:00 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30238.5 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C530_BAY x-ms-request-id: 45e26391-7679-4ca7-91e6-a4451ac7b28c PPServer: PPV: 30 H: PH1PEPF00011E67 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:36:00 GMT Connection: close Content-Length: 11392
2024-06-03 12:36:00 UTC	11392	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49737	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:01 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-06-03 12:36:01 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:36:02 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:35:01 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_BAY x-ms-request-id: ff1dceb2-e3f6-4916-88aa-a8c8239f2ce8 PPServer: PPV: 30 H: PH1PEPF00011DF7 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:36:01 GMT Connection: close Content-Length: 1918
2024-06-03 12:36:02 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.5	49736	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:01 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1717418126817&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-06-03 12:36:01 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-06-03 12:36:01 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-06-03 12:36:02 UTC	480	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 0A74A2A5D97740B4830983BCA5CB1C56 Ref B: LAX311000110005 Ref C: 2024-06-03T12:36:01Z Date: Mon, 03 Jun 2024 12:36:02 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1717418161.3fcb048a

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49739	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:03 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-06-03 12:36:03 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:36:03 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:35:03 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C530_SN1 x-ms-request-id: 6fafb28a-a199-4460-9059-dd1f6a29359b PPServer: PPV: 30 H: SN1PEPF0002F8F8 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:36:03 GMT Connection: close Content-Length: 11372
2024-06-03 12:36:03 UTC	11372	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49738	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:03 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-06-03 12:36:03 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:36:03 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:35:03 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_BAY x-ms-request-id: 7630ceef-f3bf-43c8-8e9e-e9cfd5e1975c PPServer: PPV: 30 H: PH1PEPF00011FA9 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:36:02 GMT Connection: close Content-Length: 1918
2024-06-03 12:36:03 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49740	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:04 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-06-03 12:36:04 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:36:05 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:35:05 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C530_SN1 x-ms-request-id: 19d770af-4818-4bc6-be18-9c18737d0688 PPServer: PPV: 30 H: SN1PEPF0002FA2B V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:36:04 GMT Connection: close Content-Length: 11372
2024-06-03 12:36:05 UTC	11372	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49741	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:06 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-06-03 12:36:06 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:36:06 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:35:06 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C530_BL2 x-ms-request-id: f15027e7-b842-4a6d-8afd-a7bfc5ca5402 PPServer: PPV: 30 H: BL02EPF0001D705 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:36:05 GMT Connection: close Content-Length: 11372
2024-06-03 12:36:06 UTC	11372	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49742	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:07 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4722 Host: login.live.com
2024-06-03 12:36:07 UTC	4722	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-06-03 12:36:08 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Mon, 03 Jun 2024 12:35:08 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C530_SN1 x-ms-request-id: d38c1414-b54f-4963-a6dd-5941989f8929 PPServer: PPV: 30 H: SN1PEPF0002F1B8 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Mon, 03 Jun 2024 12:36:07 GMT Connection: close Content-Length: 10197
2024-06-03 12:36:08 UTC	10197	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	54172	20.3.187.198	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:16 UTC	142	OUT	GET /clientwebservice/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: fe3cr.delivery.mp.microsoft.com
2024-06-03 12:36:16 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Content-Type-Options: nosniff Date: Mon, 03 Jun 2024 12:36:15 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	54173	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:17 UTC	124	OUT	GET /sls/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: slscr.update.microsoft.com
2024-06-03 12:36:17 UTC	318	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 MS-CV: 1QhKqE5Lj0q4f85r.0 MS-RequestId: 6844c4af-5080-4341-bebb-eef8e9f86c62 MS-CorrelationId: 59d84901-f75a-466d-bf77-489a7551eb07 X-Content-Type-Options: nosniff Date: Mon, 03 Jun 2024 12:36:16 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	54174	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5pC4Y4cpzEw+3b3&MD=vyxT2ADH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-06-03 12:36:19 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: f1450691-86ca-4d7f-8d8d-b4012368de01 MS-RequestId: 836e9a59-4ea0-4769-acd9-8f00001f5e97 MS-CV: g/wrUy6yi0uA/1Ki.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 03 Jun 2024 12:36:19 GMT Connection: close Content-Length: 24490
2024-06-03 12:36:19 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-06-03 12:36:19 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	54175	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:20 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=5pC4Y4cpzEw+3b3&MD=vyxT2ADH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-06-03 12:36:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_1440" MS-CorrelationId: f6e5d01f-6435-4745-b1c6-b0a452b5c62d MS-RequestId: 5c144518-78cb-4aae-8285-6feffd3dd242 MS-CV: ID/bsbLIo02aENix.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 03 Jun 2024 12:36:20 GMT Connection: close Content-Length: 25457
2024-06-03 12:36:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-06-03 12:36:21 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	54178	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:53 UTC	208	OUT	GET /rules/rule170012v10s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:53 UTC	564	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:53 GMT Content-Type: text/xml Content-Length: 1523 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD969CD29" x-ms-request-id: 76c6ad5f-101e-0082-77b2-b5d4a9000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123653Z-15d96746b98gv6zhnx0x1ursws0000000gcg00000000az3r x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-06-03 12:36:53 UTC	1523	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="10" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	54177	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:53 UTC	206	OUT	GET /rules/rule63067v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:53 UTC	584	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:53 GMT Content-Type: text/xml Content-Length: 2871 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT ETag: "0x8DC582BEC5E84E0" x-ms-request-id: a75f9c0e-701e-0000-2261-b5d5f8000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123653Z-15d96746b98lbpwjmt4p2gm20g0000000gxg000000007p0u x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-06-03 12:36:53 UTC	2871	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	54179	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:53 UTC	207	OUT	GET /rules/rule490016v3s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:53 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:53 GMT Content-Type: text/xml Content-Length: 777 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT ETag: "0x8DC582BEC2AAB32" x-ms-request-id: f1a85532-301e-0014-8085-b5c9d2000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123653Z-15d96746b98shw6wguq1e4zxdw0000000gpg00000000b4r3 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-06-03 12:36:53 UTC	777	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 34 39 30 30 31 36 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 46 65 65 64 62 61 63 6b 2e 53 75 72 76 65 79 2e 46 6c 6f 6f 64 67 61 74 65 43 6c 69 65 6e 74 2e 52 6f 61 6d 69 6e 67 53 75 63 63 65 73 73 66 75 6c 52 65 61 64 57 72 69 74 65 22 20 41 54 54 3d 22 64 37 39 65 38 32 34 33 38 36 63 34 34 34 31 63 62 38 63 31 64 34 61 65 31 35 36 39 30 35 32 36 2d 62 64 34 34 33 33 30 39 2d 35 34 39 34 2d 34 34 34 61 2d 61 62 61 39 2d 30 61 66 39 65 65 66 39 39 66 38 34 2d 37 33 36 30 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 20 44 4c 3d 22 4e 22 20 44 43 61 3d 22 50 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	54181	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:53 UTC	207	OUT	GET /rules/rule324002v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:53 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:53 GMT Content-Type: text/xml Content-Length: 833 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD9758B35" x-ms-request-id: 1be0c935-301e-0050-5c23-abb6cb000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123653Z-r17dbd4456b6qjmkd7uxw823mc0000000pz00000000034pf x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-06-03 12:36:53 UTC	833	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	54180	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:53 UTC	207	OUT	GET /rules/rule324001v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:53 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:53 GMT Content-Type: text/xml Content-Length: 513 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT ETag: "0x8DC582BD84BDCC1" x-ms-request-id: 51905da5-b01e-0064-5294-b53bd2000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123653Z-15d96746b98m4ckkvedrtzue5800000008fg0000000072n3 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-06-03 12:36:53 UTC	513	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 31 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 50 72 6f 6a 65 63 74 4c 6f 61 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	54184	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:54 UTC	207	OUT	GET /rules/rule324005v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:54 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:54 GMT Content-Type: text/xml Content-Length: 599 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT ETag: "0x8DC582BC0B3C3C8" x-ms-request-id: 114f1811-901e-001e-4d9e-b3c7c7000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123654Z-r17dbd4456b8777h1uh2m0pdew0000000py00000000003q9 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-06-03 12:36:54 UTC	599	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 35 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 70 69 6c 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	54182	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:54 UTC	207	OUT	GET /rules/rule324003v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:54 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:54 GMT Content-Type: text/xml Content-Length: 716 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT ETag: "0x8DC582BD9F5CC0A" x-ms-request-id: 42e064cb-701e-0000-4eaa-b5d5f8000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123654Z-15d96746b98j25c2tyr0yabrpw0000000d0g000000007xxk x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-06-03 12:36:54 UTC	716	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 33 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 52 65 66 65 72 65 6e 63 65 64 4c 69 62 72 61 72 79 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	54183	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:54 UTC	207	OUT	GET /rules/rule324004v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:54 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:54 GMT Content-Type: text/xml Content-Length: 738 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT ETag: "0x8DC582BD9FE7D4B" x-ms-request-id: aa3f1f06-a01e-0051-4996-aa9dc9000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123654Z-r17dbd4456bpzg8fvekvyc5n840000000kwg000000003nuz x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-06-03 12:36:54 UTC	738	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 34 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 4f 62 6a 65 63 74 49 6e 73 74 61 6e 74 69 61 74 65 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	54185	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:54 UTC	207	OUT	GET /rules/rule324006v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:54 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:54 GMT Content-Type: text/xml Content-Length: 599 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT ETag: "0x8DC582BBC83D642" x-ms-request-id: 22803179-c01e-00ab-2578-aa3689000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123654Z-r17dbd4456bnvhcmm7rnn63kzn0000000px0000000002t9y x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-06-03 12:36:54 UTC	599	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 36 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 53 68 6f 77 49 64 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	54186	13.107.246.42	443	5776	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-06-03 12:36:54 UTC	207	OUT	GET /rules/rule324007v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-06-03 12:36:54 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 03 Jun 2024 12:36:54 GMT Content-Type: text/xml Content-Length: 611 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:50 GMT ETag: "0x8DC582BBFB58BC6" x-ms-request-id: b4df2813-401e-000b-07ef-b4f0ef000000 x-ms-version: 2018-03-28 x-azure-ref: 20240603T123654Z-r1cd689ddcbcrmf6tfrw4phtkw000000049g00000000asqm x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-06-03 12:36:54 UTC	611	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 37 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 49 64 65 4d 61 63 72 6f 52 75 6e 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324007" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryIdeMacroRun" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• EXCEL.EXE

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• EXCEL.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	08:35:37
Start date:	03/06/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:35:40
Start date:	03/06/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2240,i,4638376767373001243,5637970318286738540,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:35:42
Start date:	03/06/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx"
Imagebase:	0x660000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\4f376fe2-f22a-4110-a00b-3e4ef7db054c.tmp

C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx (copy)

C:\Users\user\Downloads\Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx.crdownload (copy)

C:\Users\user\Downloads\~$Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Berkshire Fund VIII-A, L.P._Berkshire Portfolio Company Summary - 3.31.24 - F8.xlsx