Edit tour

Windows Analysis Report
Due Statement- (1).xlsx

Overview

General Information

Sample name:	Due Statement- (1).xlsx
Analysis ID:	1523561
MD5:	070ff8582c893391b1ab0a0f0d2ee021
SHA1:	5fd90de3dc370cf10f4568a82ee4e8d854428dd4
SHA256:	12b76ea192da62a56474b7862bcccd44083699f97ec5ed91da1f255f9628968e
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected landing page (webpage, office document or email)

Detected non-DNS traffic on DNS port

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 7612 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 8064 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

chrome.exe (PID: 8184 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sparksymmetrho.pro/ZEDaX/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1932,i,15197531248749630120,10810818292204147746,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7340 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2316 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,2893898303469731858,14813356722618462385,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sparksymmetrho.pro/ZEDaX/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Sigma Signatures

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7612, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49759

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49759, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7612, Protocol: tcp, SourceIp: 13.107.246.60, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: excel.exe

Memory has grown: Private usage: 2MB later: 97MB

Source: global traffic

TCP traffic: 192.168.2.4:58053 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.73
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xmC82Mf+gYZo8XV&MD=7vzGDmzP HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xmC82Mf+gYZo8XV&MD=7vzGDmzP HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rules/rule170022v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324001v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule170012v12s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324002v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324003v5s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324004v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324006v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule324005v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net

Source: global traffic	DNS traffic detected: DNS query: sparksymmetrho.pro
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr

String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 58058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58068
Source: unknown	Network traffic detected: HTTP traffic on port 58068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58061
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58062
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 58055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 58059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 58062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58058
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58059
Source: unknown	Network traffic detected: HTTP traffic on port 58067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58055
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 58063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: ~DFBBF6F6B0E75CF25C.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: sus24.winXLSX@37/8@6/6

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Due Statement- (1).xlsx

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{2F0891AF-04E5-4899-BCF1-DA650EF0124C} - OProcSessId.dat

Jump to behavior

Source: Due Statement- (1).xlsx	OLE indicator, Workbook stream: true
Source: 12C30000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,2893898303469731858,14813356722618462385,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sparksymmetrho.pro/ZEDaX/"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sparksymmetrho.pro/ZEDaX/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1932,i,15197531248749630120,10810818292204147746,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sparksymmetrho.pro/ZEDaX/	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,2893898303469731858,14813356722618462385,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1932,i,15197531248749630120,10810818292204147746,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a0f-f192-11d4-a65f-0040963251e5}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Due Statement- (1).xlsx	Initial sample: OLE zip file path = xl/media/image1.png
Source: 12C30000.0.dr	Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: Due Statement- (1).xlsx

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: Office document	LLM: Page contains button: 'View' Source: 'Office document'
Source: Office document	LLM: Office document contains prominent button: 'view'

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\splwow64.exe	Window / User API: threadDelayed 2231			Jump to behavior
Source: C:\Windows\splwow64.exe	Window / User API: threadDelayed 7740			Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Due Statement- (1).xlsx	11%	ReversingLabs	Document-Word.Trojan.Heuristic

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
www.google.com	142.250.186.36	true	false	unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.35	true	false	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
sparksymmetrho.pro	34.76.205.124	true	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.36	www.google.com	United States	15169	GOOGLEUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
34.76.205.124	sparksymmetrho.pro	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.184.228	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523561
Start date and time:	2024-10-01 19:18:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Due Statement- (1).xlsx
Detection:	SUS
Classification:	sus24.winXLSX@37/8@6/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Browse link: https://sparksymmetrho.pro/ZEDaX/ Scroll down Close Viewer Override analysis time to 33244.3734 for current running targets taking high CPU consumption Override analysis time to 66488.7468 for current running targets taking high CPU consumption Override analysis time to 132977.4936 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.28.47, 52.113.194.132, 184.28.90.27, 217.20.57.35, 192.229.221.95, 20.189.173.24, 142.250.185.195, 142.250.185.238, 74.125.206.84, 34.104.35.123, 172.217.18.99, 142.250.184.227, 142.250.186.78, 13.70.79.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, clientservices.googleapis.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, clients2.google.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, update.googleapis.com, officeclient.microsoft.com, www.gstatic.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, clients1.google.com, ecs.office.com, self-events-data.trafficmanager.net, onedscolprdaue01.australiaeast.cloudapp.azure.com, fs.microsoft.com, accounts.google.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, s-0005-office.config.skyp
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Due Statement- (1).xlsx

Simulations

Behavior and APIs

Time	Type	Description
13:20:53	API Interceptor	14733201x Sleep call for process: splwow64.exe modified

LLM Input / Output

Input

Output

URL: Office document Model: jbxai

{
"brand":["Adobe"],
"contains_trigger_text":true,
"trigger_text":"STATEMENT DUE",
"prominent_button_name":"View",
"text_input_field_labels":"unknown",
"pdf_icon_visible":true,
"has_visible_captcha":false,
"has_urgent_text":false,
"has_visible_qrcode":false}

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	file.exe	Get hash	malicious	Credential Flusher	Browse
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse
	Audio_Msg..00299229202324Transcript.html	Get hash	malicious	Unknown	Browse
	https://bit.ly/4eqfXtg	Get hash	malicious	Unknown	Browse
	$R3ET6JM.htm	Get hash	malicious	Unknown	Browse
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse
	https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid	Get hash	malicious	HTMLPhisher	Browse
	https://k7qo.sarnerholz.cam/APRjVfmk	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
13.107.246.60	https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
13.107.246.60	http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5	Get hash	malicious	Unknown	Browse	wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	13.107.246.45
	test.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	Play_VM-Now(Tina.lawvey)CQDM.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	63670000.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://docs.zoom.us/doc/qMqlDrh-RUWwdmI-mAClTg	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://targetemissionservices.ezofficeinventory.com/users/sign_in	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	13.107.246.45
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
s-part-0032.t-0009.t-msedge.net	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	13.107.246.60
	https://pt9w4x.nauleacepr.com/9QLzRhIr/#Ygovernment.relations@rolls-royce.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://app.powerbi.com/Redirect?action=OpenLink&linkId=zdvBDOlnbh&ctid=fc5c5a9f-3ade-48e2-abb1-5450e9fb332d&pbi_source=linkShare_m365Notify&bookmarkGuid=5672cb10-cc42-4d8a-943e-29b95931de59&bookmarkUsage=1	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	Swift_ach Complaints.sppgCQDM.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	1_13904442253.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.60
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=rCxHFZLdZUGNvhn9cgWChLhuCDtpfZJDs2F6orjCzx1UQTZXSUlaNE5INzZVSkgxRlBKR1RMSTVRTi4u	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://targetemissionservices.ezofficeinventory.com/users/sign_in	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	13.107.246.60
	INVOICE DUE..xlsx	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	bWrRSlOThY.exe	Get hash	malicious	AsyncRAT, Neshta	Browse	217.20.57.34
	https://swissquotech.com/swissquote-2024.zip	Get hash	malicious	Phisher	Browse	217.20.57.24
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	217.20.57.42
	tr5jscSEwo.exe	Get hash	malicious	ScreenConnect Tool	Browse	217.20.57.18
	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	84.201.210.35
	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	217.20.57.18
	http://langtonskilkenny.com/rrUrhf	Get hash	malicious	Unknown	Browse	217.20.57.34
	http://hrlaw.com.au	Get hash	malicious	Unknown	Browse	217.20.57.34
	https://pokegamaclub.com/	Get hash	malicious	Unknown	Browse	217.20.57.34
	file.exe	Get hash	malicious	PureCrypter	Browse	217.20.57.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	204.79.197.203
	Audio_Msg..00299229202324Transcript.html	Get hash	malicious	Unknown	Browse	150.171.27.10
	moba-24.2-installer_M64ZB-1.exe	Get hash	malicious	PureLog Stealer	Browse	20.157.119.2
	https://wetransfer.com/downloads/fc718a7028ccd1e273879a61c0883fe420241001145250/8110e2eb5f5a56cc2015d1b3243d9b3120241001145309/33d289?trk=TRN_TDL_01&utm_campaign=TRN_TDL_01&utm_medium=email&utm_source=sendgrid	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	13.107.246.60
	test.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	Play_VM-Now(Tina.lawvey)CQDM.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.44
	https://pt9w4x.nauleacepr.com/9QLzRhIr/#Ygovernment.relations@rolls-royce.com	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10
	https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Message_2477367.eml	Get hash	malicious	Unknown	Browse	52.178.17.234

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 40.126.31.73
	https://bit.ly/4eqfXtg	Get hash	malicious	Unknown	Browse	13.85.23.86 40.126.31.73
	$R3ET6JM.htm	Get hash	malicious	Unknown	Browse	13.85.23.86 40.126.31.73
	https://k7qo.sarnerholz.cam/APRjVfmk	Get hash	malicious	Unknown	Browse	13.85.23.86 40.126.31.73
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 40.126.31.73
	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	13.85.23.86 40.126.31.73
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.85.23.86 40.126.31.73
	Play_VM-Now(Tina.lawvey)CQDM.html	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 40.126.31.73
	https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCA	Get hash	malicious	Unknown	Browse	13.85.23.86 40.126.31.73
	https://k7qo.sarnerholz.cam/APRjVfmk	Get hash	malicious	Unknown	Browse	13.85.23.86 40.126.31.73
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	test.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.60
	ZJh3V10O2e.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	ZJh3V10O2e.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	tomarket_app.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	tomarket_app.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	Deolane-Video-PDF.vbs	Get hash	malicious	Unknown	Browse	13.107.246.60
	SecuriteInfo.com.PUA.Win32.Lutimani.SMA.20966.14164.dll	Get hash	malicious	Unknown	Browse	13.107.246.60
	SecuriteInfo.com.PUA.Win32.Lutimani.SMA.20966.14164.dll	Get hash	malicious	Unknown	Browse	13.107.246.60

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4738726491832703
Encrypted:	false
SSDEEP:	6:kKmy8f8JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:OyEkPlE99SCQl2DUevat
MD5:	24468FA4756447F7A02B6BF38E67604E
SHA1:	FE27D79FCF975C99871DCD4C8814A14CEAD6F1C9
SHA-256:	04E363D53F9C0515EA0F0000DD4D38AA15CC573BA0257EB728383A65478F0939
SHA-512:	1966349F34A6C8793918E721EFF6F2E8A2C2852DA823DD9A6ED635087E7285BCA5484DE00A91FF260947936AECCE50FF51A3945578D0C5EEDFB680DEE4C379F1
Malicious:	false
Reputation:	low
Preview:	p...... ........=..!&...(.................................................M.@... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\15FC6627.png

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PNG image data, 903 x 737, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	117131
Entropy (8bit):	7.9716941908753
Encrypted:	false
SSDEEP:	3072:8f3wyHCTBc7y2FS/Ww528LmyS6kSI6D83y4yTC:wwyi9MS/fxLmySpSIpDyTC
MD5:	DE6213915B9FF3E769AA8019925FD94D
SHA1:	257F4DE6E63049E910BA4A2CBF2AEB0FF77528FC
SHA-256:	D4BD5A38D32ACDD5702E53E4ADAF2F2BFAFABF67A08715EE0242595884F5D08C
SHA-512:	193835AD07C483140507FABC099247D75C5E198593E1F71F7830CBB9B4A830E1F98AEDCBDE3B54AA40D102B586BDFC38A7E487FA2A7F1235597BEB2D4E497210
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............7.e....gAMA....\|.Q.... cHRM...........T...+..}>.....:............hiCCPICC Profile..X.WwTS...[........z..W)!...R..!.$......]Tp."..]............PDEY.uQ..7!....;..9s..\|...;...}\.$... O\ ...f.OMc.:....-`..\.L........w7....9t......2...D.3.2^..'..7.$......bZ.D..A.+..B.F...x..g(..A..x6...Q.\i....!.,.eA=.. v..Eb..(..xB..b....p..P^.1..xg\|.3.;......a..k....d.\....ny..!..S..xE.0..s.F)0..nqFL."........R..$.<j..a...bg>7$.b#...1.>#S.....t......>..........x.-..S.f...\.]....$.J......i...S .@lY(J..X.b'YNB.JfL...3$#..+...8^ ..V...3.a...<.P...............`gx.A.a,X.@.J..#....../..U.=....Tz.$....8E............bwYa.j-.\.7.R?.)).KT...es#...+@4`....r.3.T..D-....r&.p..d..pT1C+R.g.........lx]....B..0.\|:.......9.).y ......U.ak...dD.......]1...!.+.L....Ydj.I.C.!..b...7..p?<.>.`w.q..8.........7..;SD........0U.2...n.uz...?..5....8........= .V........E....#;.Q..r.........Z...6?J_3.......>........$..;...Na...X=`b'....;..........?.O..#..=..".2.Z.

C:\Users\user\AppData\Local\Temp\~DFBBF6F6B0E75CF25C.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	1.9095079205765537
Encrypted:	false
SSDEEP:	12:rl3baFivcqsButbXcy6M+us9jRmFmAiN8GtKwNc+us9jRmFmAiN8:rN36XuspjN8GtKwNHuspjN8
MD5:	9B16FB0A1C87B87581682E8DF048FF4A
SHA1:	F8EB1079789474896FC63EACC15701D3A938720C
SHA-256:	D4255A5C4E09E1F0AA19CDB3E47E0FBDD91B153391208D9EFB6571E04FD25C41
SHA-512:	58076E9E2024B82592DD0BB24589DA07F9EE853207D2DA958B9C3370E152C8636DE2992B6FCBB72D022F814787804EBC7FF7F3A02EFD726CE8E4E1B1BB128F1B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\12C30000

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	127259
Entropy (8bit):	7.932470415544294
Encrypted:	false
SSDEEP:	3072:zrf3wyHCTBc7y2FS/Ww528LmyS6kSI6D83y4yTEn:Pwyi9MS/fxLmySpSIpDyTEn
MD5:	0FFDE760EC5423918C59081B333BC972
SHA1:	28104B0F45A6B61F7F81AE01991ECBC4997D2D94
SHA-256:	B91812D50992CA260CFAF0D9B6C3A504C335C82D657051F29D97C53A8AAB3CBE
SHA-512:	7CF8A8435B8BDC201000CD24EE97CA7162A4C0BB1B8E9DA908E348531BC992ADA78D096AB9484F3A101DDDB53C973ECEF3367C76DA07DE06A76E0EB25D986D90
Malicious:	false
Preview:	PK..........!.....i...........[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.n.0..W.?D.V..CUU..].-...n<I,..c.......T.%..y.f<.n..V.P9[.Q>d...Ie.}....,.(...Y(...M'.7....f..X.&F..9......`.r..H.Ps/........t6....r......1{.....5.wq.T..i..9.E..x...kU.H..G......)...........S..}P1....D...s..\|....E~....U.t..P.r..... ...57B....).yZFW6......!...r... ...v....e....y.sy...)].Yp.i...?..H..'".Q.a(...H.pq..}.$..m.^..7.......PK..........!..U0#....L......._rels/.rels ...(........................

C:\Users\user\Desktop\12C30000:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Due Statement- (1).xlsx (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	127259
Entropy (8bit):	7.932470415544294
Encrypted:	false
SSDEEP:	3072:zrf3wyHCTBc7y2FS/Ww528LmyS6kSI6D83y4yTEn:Pwyi9MS/fxLmySpSIpDyTEn
MD5:	0FFDE760EC5423918C59081B333BC972
SHA1:	28104B0F45A6B61F7F81AE01991ECBC4997D2D94
SHA-256:	B91812D50992CA260CFAF0D9B6C3A504C335C82D657051F29D97C53A8AAB3CBE
SHA-512:	7CF8A8435B8BDC201000CD24EE97CA7162A4C0BB1B8E9DA908E348531BC992ADA78D096AB9484F3A101DDDB53C973ECEF3367C76DA07DE06A76E0EB25D986D90
Malicious:	false
Preview:	PK..........!.....i...........[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.n.0..W.?D.V..CUU..].-...n<I,..c.......T.%..y.f<.n..V.P9[.Q>d...Ie.}....,.(...Y(...M'.7....f..X.&F..9......`.r..H.Ps/........t6....r......1{.....5.wq.T..i..9.E..x...kU.H..G......)...........S..}P1....D...s..\|....E~....U.t..P.r..... ...57B....).yZFW6......!...r... ...v....e....y.sy...)].Yp.i...?..H..'".Q.a(...H.pq..}.$..m.^..7.......PK..........!..U0#....L......._rels/.rels ...(........................

C:\Users\user\Desktop\~$Due Statement- (1).xlsx

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:KVC+cAmltV:KVC+cR
MD5:	9C7132B2A8CABF27097749F4D8447635
SHA1:	71D7F78718A7AFC3EAB22ED395321F6CBE2F9899
SHA-256:	7029AE5479F0CD98D892F570A22B2AE8302747DCFF3465B2DE64D974AE815A83
SHA-512:	333AC8A4987CC7DF5981AE81238A77D123996DB2C4C97053E8BD2048A64FDCF33E1245DEE6839358161F6B5EEA6BFD8D2358BC4A9188D786295C22F79E2D635E
Malicious:	false
Preview:	.user ..j.o.n.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.932453533368436
TrID:	Excel Microsoft Office Open XML Format document (35004/1) 81.40% ZIP compressed archive (8000/1) 18.60%
File name:	Due Statement- (1).xlsx
File size:	127'289 bytes
MD5:	070ff8582c893391b1ab0a0f0d2ee021
SHA1:	5fd90de3dc370cf10f4568a82ee4e8d854428dd4
SHA256:	12b76ea192da62a56474b7862bcccd44083699f97ec5ed91da1f255f9628968e
SHA512:	d55ce613121fee95d3eff19010304842ca8c8c84d4f345c7206962e04704f51b6b05730040e24e8fd8fb36c3da4f46a2e12abf55c664d64a0096b9ffe9b60657
SSDEEP:	3072:k7zf3wyHCTBc7y2FS/Ww528LmyS6kSI6D83y4yTZt:4wyi9MS/fxLmySpSIpDyTZt
TLSH:	51C302E55991C413CF8E00BE92B5A3FB822F4273D1C05CEE249531EC2D69EBF86459DA
File Content Preview:	PK..........!.....i...........[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	35e58a8c0c8a85b9

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Due Statement- (1).xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 19:19:53.472157001 CEST	49675	443	192.168.2.4	173.222.162.32
Oct 1, 2024 19:19:57.316147089 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:57.316230059 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:57.316390991 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:57.317008018 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:57.317037106 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.107489109 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.107615948 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.126887083 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.126929045 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.127835989 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.128278971 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.128320932 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.128349066 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.510442019 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.510669947 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.510757923 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.515891075 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.515892029 CEST	49741	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.515949965 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.515974998 CEST	443	49741	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.545368910 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.545406103 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:58.545478106 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.545625925 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:58.545638084 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:59.320468903 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:59.321019888 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:59.321041107 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:59.322892904 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:59.322892904 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:19:59.322901964 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:19:59.322916985 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.569981098 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.570041895 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.570089102 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.570163012 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.570187092 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.570213079 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.570238113 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.570255995 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.570430994 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.570485115 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.570705891 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.570718050 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.570728064 CEST	49743	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.570732117 CEST	443	49743	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.620299101 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.620352983 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:02.620436907 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.620659113 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:02.620678902 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:03.393315077 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:03.394000053 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:03.394048929 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:03.394721985 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:03.394735098 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:03.394793034 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:03.394808054 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.654539108 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.654594898 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.654674053 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.654783964 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.654783964 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.654810905 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.654861927 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.655003071 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.655059099 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.655090094 CEST	49745	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.655105114 CEST	443	49745	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.677000999 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.677048922 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:04.677143097 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.677292109 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:04.677320957 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.480942011 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.481539965 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.481604099 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.482182980 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.482204914 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.482242107 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.482275963 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.805140972 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.805203915 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.805274010 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.805320024 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.805381060 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.805475950 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.805792093 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.805792093 CEST	49746	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.805828094 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.805850029 CEST	443	49746	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.837709904 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.837739944 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:05.837897062 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.838274956 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:05.838285923 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:06.194245100 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:06.194303989 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:06.195065975 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:06.196136951 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:06.196166039 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:06.644884109 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:06.646070957 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:06.646070957 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:06.646091938 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:06.646106958 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:06.646130085 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:06.646138906 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:06.890908957 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:06.891083002 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:06.892616987 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:06.892648935 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:06.892860889 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:06.943941116 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:06.944696903 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:06.987416029 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.169943094 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.169965982 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.169977903 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170003891 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170016050 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170025110 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170058012 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.170095921 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170124054 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170134068 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.170156956 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170180082 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.170191050 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170223951 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.170279980 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.170643091 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170684099 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.170749903 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.180716038 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.180744886 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.180773020 CEST	49748	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:07.180788040 CEST	443	49748	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:07.295651913 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.295686960 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.295751095 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.295758963 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.295775890 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.295790911 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.295804977 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.295820951 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.297878981 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.297889948 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.297900915 CEST	49747	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.297905922 CEST	443	49747	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.331155062 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.331211090 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:07.331285000 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.331475019 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:07.331516981 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.106064081 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.108629942 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.108690023 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.109246969 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.109262943 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.109313011 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.109338045 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.534511089 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.534568071 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.534605026 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.534692049 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.534713984 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.535028934 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.535100937 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.535151005 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.535166979 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.535200119 CEST	49749	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.535206079 CEST	443	49749	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.554227114 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.554274082 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:08.554359913 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.554493904 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:08.554522038 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.340895891 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.341907978 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:09.341942072 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.342570066 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:09.342575073 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.342601061 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:09.342611074 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.784486055 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.784545898 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.784619093 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.784661055 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:09.784692049 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.784719944 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:09.784980059 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:09.785006046 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.785028934 CEST	49750	443	192.168.2.4	40.126.31.73
Oct 1, 2024 19:20:09.785037041 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:09.785065889 CEST	443	49750	40.126.31.73	192.168.2.4
Oct 1, 2024 19:20:43.516150951 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:43.516246080 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:43.516331911 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:43.516779900 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:43.516803980 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.232502937 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.232933044 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.234136105 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.234158039 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.234654903 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.238625050 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.283394098 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.462063074 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.462148905 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.462213993 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.462220907 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.462266922 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.462287903 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.462335110 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.509771109 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.509826899 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.509846926 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.509869099 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.509901047 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.510046959 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.510236025 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.510910034 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.510942936 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:44.510968924 CEST	49751	443	192.168.2.4	13.85.23.86
Oct 1, 2024 19:20:44.510982990 CEST	443	49751	13.85.23.86	192.168.2.4
Oct 1, 2024 19:20:51.886583090 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:20:51.886619091 CEST	443	49755	34.76.205.124	192.168.2.4
Oct 1, 2024 19:20:51.886693001 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:20:51.886704922 CEST	49756	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:20:51.886771917 CEST	443	49756	34.76.205.124	192.168.2.4
Oct 1, 2024 19:20:51.886921883 CEST	49756	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:20:51.887033939 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:20:51.887054920 CEST	443	49755	34.76.205.124	192.168.2.4
Oct 1, 2024 19:20:51.887296915 CEST	49756	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:20:51.887332916 CEST	443	49756	34.76.205.124	192.168.2.4
Oct 1, 2024 19:20:54.215401888 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:54.215465069 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:20:54.215563059 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:54.215778112 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:54.215814114 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:20:54.877538919 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:20:54.878020048 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:54.878061056 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:20:54.878928900 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:20:54.878988981 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:54.880400896 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:54.880480051 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:20:54.926346064 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:54.926371098 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:20:54.973737955 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:20:58.588617086 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.588677883 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.588752031 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.588771105 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.588798046 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.588859081 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589070082 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589102983 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.589107037 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589142084 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.589260101 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589266062 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.589297056 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589391947 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589407921 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589411974 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.589504957 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589682102 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.589708090 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.590046883 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.590070963 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.590286970 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.590298891 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.590401888 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:58.590409994 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:58.907588959 CEST	49723	80	192.168.2.4	93.184.221.240
Oct 1, 2024 19:20:58.907640934 CEST	49724	80	192.168.2.4	93.184.221.240
Oct 1, 2024 19:20:58.913373947 CEST	80	49723	93.184.221.240	192.168.2.4
Oct 1, 2024 19:20:58.913424969 CEST	80	49724	93.184.221.240	192.168.2.4
Oct 1, 2024 19:20:58.913427114 CEST	49723	80	192.168.2.4	93.184.221.240
Oct 1, 2024 19:20:58.913675070 CEST	49724	80	192.168.2.4	93.184.221.240
Oct 1, 2024 19:20:59.232016087 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.232100964 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.233886003 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.233902931 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.234177113 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.235510111 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.235889912 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.235980034 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.236718893 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.236792088 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.237746000 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.237757921 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.238605022 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.239917994 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.239928007 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.240041971 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.240109921 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.240241051 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.241422892 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.241430998 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.241692066 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.241997004 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.242758989 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.242964983 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.253115892 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.253182888 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.254046917 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.254050970 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.254251003 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.255275965 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.283402920 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.283405066 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.283415079 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.283437967 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.295413017 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.331818104 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.331855059 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.332052946 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.332691908 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.332691908 CEST	49760	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.332721949 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.332748890 CEST	443	49760	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.339375019 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.339396000 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.339471102 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.339488029 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.339607000 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.339668989 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.339766979 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.339766979 CEST	49759	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.339782953 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.339802027 CEST	443	49759	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.340734959 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.340764046 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.341120005 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.341403008 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.341424942 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.342222929 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.342257023 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.342300892 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.342503071 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.342513084 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.342545986 CEST	49762	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.342550993 CEST	443	49762	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.348301888 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.348325968 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.348516941 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.348881960 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.348889112 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.348973036 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.349175930 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.349618912 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.350579977 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.350579977 CEST	49763	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.350596905 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.350616932 CEST	443	49763	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.351898909 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.351906061 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.351989985 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.352108955 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.352119923 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.356978893 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.356990099 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.357242107 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.357316017 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.357404947 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.357414007 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.358088970 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.358155966 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.358201027 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.358201027 CEST	49761	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.358206034 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.358211994 CEST	443	49761	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.364716053 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.364744902 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.365009069 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.365160942 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.365173101 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.978018999 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.978578091 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.978601933 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.979569912 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.979576111 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.987756014 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.988606930 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.988624096 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.989598989 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.989603996 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.998394966 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.998771906 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.998781919 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:20:59.999599934 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:20:59.999603987 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.004564047 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.004879951 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.004895926 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.005527020 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.005531073 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.036506891 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.036889076 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.036904097 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.037765026 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.037769079 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.079994917 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.080035925 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.080147028 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.080209970 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.080329895 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.080329895 CEST	49764	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.080341101 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.080343962 CEST	443	49764	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.095035076 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.095077038 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.095207930 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.095336914 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.095347881 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.095356941 CEST	49765	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.095361948 CEST	443	49765	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.102294922 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.102334023 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.102412939 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.102490902 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.102494955 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.102502108 CEST	49766	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.102504969 CEST	443	49766	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.117961884 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.118005037 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.118212938 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.118351936 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.118364096 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.118372917 CEST	49768	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.118376970 CEST	443	49768	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.182559013 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.182708025 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.182801962 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.182976961 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.182996988 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:00.183023930 CEST	49767	443	192.168.2.4	13.107.246.60
Oct 1, 2024 19:21:00.183028936 CEST	443	49767	13.107.246.60	192.168.2.4
Oct 1, 2024 19:21:04.778238058 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:04.778296947 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:04.778361082 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:21:06.662285089 CEST	49758	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:21:06.662364960 CEST	443	49758	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:21.892225981 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:21.892362118 CEST	49756	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:21.916790009 CEST	49770	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:21.916886091 CEST	443	49770	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:21.916982889 CEST	49770	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:21.917217016 CEST	49770	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:21.917253971 CEST	443	49770	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:21.939430952 CEST	443	49756	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:21.939457893 CEST	443	49755	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:51.929497957 CEST	49770	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:51.975409985 CEST	443	49770	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:52.982912064 CEST	49775	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:52.982945919 CEST	443	49775	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:52.983012915 CEST	49775	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:52.983285904 CEST	49776	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:52.983316898 CEST	443	49776	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:52.983367920 CEST	49776	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:52.984411955 CEST	49776	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:52.984421968 CEST	443	49776	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:52.984622002 CEST	49775	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:21:52.984632015 CEST	443	49775	34.76.205.124	192.168.2.4
Oct 1, 2024 19:21:53.535475016 CEST	58053	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:21:53.540602922 CEST	53	58053	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:53.540848970 CEST	58053	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:21:53.540895939 CEST	58053	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:21:53.545892000 CEST	53	58053	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:54.007776976 CEST	53	58053	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:54.008534908 CEST	58053	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:21:54.014364004 CEST	53	58053	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:54.014445066 CEST	58053	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:21:54.269001961 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:21:54.269020081 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:54.269098043 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:21:54.269423962 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:21:54.269434929 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:54.897078991 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:54.900774956 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:21:54.900784016 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:54.901094913 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:54.901463985 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:21:54.901541948 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:21:54.946136951 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:04.801688910 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:04.801743984 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:04.801943064 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:06.668997049 CEST	58055	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:06.669017076 CEST	443	58055	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:06.946686983 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:06.946703911 CEST	443	49755	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:06.946702003 CEST	49756	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:06.946774960 CEST	443	49756	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:22.988131046 CEST	49776	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:22.988229036 CEST	49775	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:23.031409025 CEST	443	49776	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:23.031439066 CEST	443	49775	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:28.022098064 CEST	58058	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:28.022159100 CEST	443	58058	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:28.022413015 CEST	58059	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:28.022440910 CEST	58058	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:28.022444963 CEST	443	58059	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:28.022706985 CEST	58059	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:28.022723913 CEST	58058	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:28.022747040 CEST	443	58058	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:28.024135113 CEST	58059	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:28.024146080 CEST	443	58059	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:36.976627111 CEST	49770	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:36.976660967 CEST	443	49770	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:51.958636999 CEST	49756	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:51.958637953 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:51.958657980 CEST	443	49755	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:51.958662033 CEST	443	49756	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:52.528430939 CEST	443	49756	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:52.528486013 CEST	49756	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:54.332175970 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:54.332273006 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:54.336503029 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:54.336503029 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:54.336592913 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:54.992556095 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:54.992922068 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:54.992970943 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:54.994105101 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:54.994463921 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:54.994647026 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:22:55.033929110 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:22:58.036165953 CEST	58059	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:58.036192894 CEST	58058	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:22:58.079436064 CEST	443	58058	34.76.205.124	192.168.2.4
Oct 1, 2024 19:22:58.083453894 CEST	443	58059	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:04.897181988 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:04.897345066 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:04.897411108 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:06.678566933 CEST	58060	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:06.678637981 CEST	443	58060	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:08.066050053 CEST	49776	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:08.066071987 CEST	443	49776	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:08.066076040 CEST	49775	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:08.066087008 CEST	443	49775	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:22.065155029 CEST	49770	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:22.065212011 CEST	443	49770	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:22.550981045 CEST	443	49770	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:22.552259922 CEST	49770	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:28.060657024 CEST	58061	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:28.060657024 CEST	58062	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:28.060729027 CEST	443	58061	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:28.060745955 CEST	443	58062	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:28.060906887 CEST	58061	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:28.060906887 CEST	58062	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:28.061692953 CEST	58062	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:28.061692953 CEST	58061	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:28.061716080 CEST	443	58062	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:28.061733007 CEST	443	58061	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:36.974365950 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:36.974376917 CEST	443	49755	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:43.098984957 CEST	58059	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:43.099004984 CEST	443	58059	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:43.124274969 CEST	58058	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:43.124288082 CEST	443	58058	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:52.536377907 CEST	443	49755	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:52.536457062 CEST	49755	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:52.547879934 CEST	443	49775	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:52.548295975 CEST	49775	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:52.572237015 CEST	443	49776	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:52.576303005 CEST	49776	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:52.587519884 CEST	443	58058	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:52.588361979 CEST	58058	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:52.611670971 CEST	443	58059	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:52.612293005 CEST	58059	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:54.384237051 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:54.384299994 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:54.384434938 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:54.384816885 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:54.384834051 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:55.040220976 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:55.040844917 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:55.040869951 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:55.041325092 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:55.042085886 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:55.042160988 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:23:55.156013012 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:23:58.066978931 CEST	58062	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:58.067096949 CEST	58061	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:58.067137957 CEST	443	58062	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:58.067297935 CEST	58062	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:23:58.067327023 CEST	443	58061	34.76.205.124	192.168.2.4
Oct 1, 2024 19:23:58.068327904 CEST	58061	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:24:04.951773882 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:24:04.951868057 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:24:04.951926947 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:24:06.677084923 CEST	58063	443	192.168.2.4	142.250.186.36
Oct 1, 2024 19:24:06.677159071 CEST	443	58063	142.250.186.36	192.168.2.4
Oct 1, 2024 19:24:54.455310106 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:24:54.455347061 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:24:54.455557108 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:24:54.455862045 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:24:54.455881119 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:24:55.127703905 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:24:55.128125906 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:24:55.128190041 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:24:55.129280090 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:24:55.129759073 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:24:55.129941940 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:24:55.174560070 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:24:58.098681927 CEST	58067	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:24:58.098710060 CEST	443	58067	34.76.205.124	192.168.2.4
Oct 1, 2024 19:24:58.098865986 CEST	58067	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:24:58.099009037 CEST	58068	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:24:58.099033117 CEST	443	58068	34.76.205.124	192.168.2.4
Oct 1, 2024 19:24:58.099282980 CEST	58067	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:24:58.099294901 CEST	443	58067	34.76.205.124	192.168.2.4
Oct 1, 2024 19:24:58.099400997 CEST	58068	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:24:58.099638939 CEST	58068	443	192.168.2.4	34.76.205.124
Oct 1, 2024 19:24:58.099648952 CEST	443	58068	34.76.205.124	192.168.2.4
Oct 1, 2024 19:25:05.027919054 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:25:05.028080940 CEST	443	58066	142.250.184.228	192.168.2.4
Oct 1, 2024 19:25:05.028146029 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:25:06.675520897 CEST	58066	443	192.168.2.4	142.250.184.228
Oct 1, 2024 19:25:06.675591946 CEST	443	58066	142.250.184.228	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 19:20:12.650420904 CEST	138	138	192.168.2.4	192.168.2.255
Oct 1, 2024 19:20:49.644999027 CEST	53	57883	1.1.1.1	192.168.2.4
Oct 1, 2024 19:20:49.648180008 CEST	53	55111	1.1.1.1	192.168.2.4
Oct 1, 2024 19:20:50.726144075 CEST	53	49724	1.1.1.1	192.168.2.4
Oct 1, 2024 19:20:51.709914923 CEST	57966	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:20:51.709916115 CEST	53162	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:20:51.884177923 CEST	53	57966	1.1.1.1	192.168.2.4
Oct 1, 2024 19:20:51.885710001 CEST	53	53162	1.1.1.1	192.168.2.4
Oct 1, 2024 19:20:54.206681013 CEST	56206	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:20:54.207042933 CEST	51089	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:20:54.214286089 CEST	53	56206	1.1.1.1	192.168.2.4
Oct 1, 2024 19:20:54.214325905 CEST	53	51089	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:08.882570982 CEST	53	55937	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:08.884908915 CEST	53	57717	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:26.543210030 CEST	53	54028	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:49.480025053 CEST	53	55744	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:49.512196064 CEST	53	55265	1.1.1.1	192.168.2.4
Oct 1, 2024 19:21:53.535017014 CEST	53	51225	1.1.1.1	192.168.2.4
Oct 1, 2024 19:24:13.297370911 CEST	138	138	192.168.2.4	192.168.2.255
Oct 1, 2024 19:24:54.441466093 CEST	56754	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:24:54.441466093 CEST	60516	53	192.168.2.4	1.1.1.1
Oct 1, 2024 19:24:54.449158907 CEST	53	60516	1.1.1.1	192.168.2.4
Oct 1, 2024 19:24:54.449821949 CEST	53	56754	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 1, 2024 19:21:08.884989023 CEST	192.168.2.4	1.1.1.1	c221	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 19:20:51.709914923 CEST	192.168.2.4	1.1.1.1	0xfd7b	Standard query (0)	sparksymmetrho.pro	65	IN (0x0001)	false
Oct 1, 2024 19:20:51.709916115 CEST	192.168.2.4	1.1.1.1	0x947b	Standard query (0)	sparksymmetrho.pro	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:20:54.206681013 CEST	192.168.2.4	1.1.1.1	0xe267	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:20:54.207042933 CEST	192.168.2.4	1.1.1.1	0x7520	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 1, 2024 19:24:54.441466093 CEST	192.168.2.4	1.1.1.1	0x4d71	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:24:54.441466093 CEST	192.168.2.4	1.1.1.1	0x112d	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.35	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.26	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.38	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.38	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.25	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.23	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:19:54.781955004 CEST	1.1.1.1	192.168.2.4	0x7b11	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.36	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:20:51.885710001 CEST	1.1.1.1	192.168.2.4	0x947b	No error (0)	sparksymmetrho.pro		34.76.205.124	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:20:54.214286089 CEST	1.1.1.1	192.168.2.4	0xe267	No error (0)	www.google.com		142.250.186.36	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:20:54.214325905 CEST	1.1.1.1	192.168.2.4	0x7520	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 19:20:58.586719036 CEST	1.1.1.1	192.168.2.4	0x1a9a	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 19:20:58.586719036 CEST	1.1.1.1	192.168.2.4	0x1a9a	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:21:22.920047045 CEST	1.1.1.1	192.168.2.4	0x8c14	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 19:21:22.920047045 CEST	1.1.1.1	192.168.2.4	0x8c14	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:21:41.650325060 CEST	1.1.1.1	192.168.2.4	0x7e72	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 19:21:41.650325060 CEST	1.1.1.1	192.168.2.4	0x7e72	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:22:19.142875910 CEST	1.1.1.1	192.168.2.4	0x9ace	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 19:22:19.142875910 CEST	1.1.1.1	192.168.2.4	0x9ace	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:23:49.202326059 CEST	1.1.1.1	192.168.2.4	0x8bbe	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 19:23:49.202326059 CEST	1.1.1.1	192.168.2.4	0x8bbe	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 1, 2024 19:24:54.449158907 CEST	1.1.1.1	192.168.2.4	0x112d	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 1, 2024 19:24:54.449821949 CEST	1.1.1.1	192.168.2.4	0x4d71	No error (0)	www.google.com		142.250.184.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

otelrules.azureedge.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49741	40.126.31.73	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:19:58 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-10-01 17:19:58 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-01 17:19:58 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 01 Oct 2024 17:18:58 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C533_BAY x-ms-request-id: e01fc4da-38af-4a9e-9c2a-c8c058273fe5 PPServer: PPV: 30 H: PH1PEPF00018C08 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 01 Oct 2024 17:19:57 GMT Connection: close Content-Length: 1276
2024-10-01 17:19:58 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.4	49743	40.126.31.73	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:19:59 UTC	446	OUT	POST /ppsecure/deviceaddcredential.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 7642 Host: login.live.com
2024-10-01 17:19:59 UTC	7642	OUT	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 71 75 65 73 74 3e 3c 43 6c 69 65 6e 74 49 6e 66 6f 20 6e 61 6d 65 3d 22 49 44 43 52 4c 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 3c 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 32 34 3c 2f 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 3c 2f 43 6c 69 65 6e 74 49 6e 66 6f 3e 3c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 6d 6a 67 62 64 6b 65 79 75 64 70 75 66 63 3c 2f 4d 65 6d 62 65 72 6e 61 6d 65 3e 3c 50 61 73 73 77 6f 72 64 3e 32 2b 71 4c 6c 4e 67 42 33 58 2c 75 47 23 4e 37 4f 6f 74 58 3c 2f 50 61 73 73 77 6f 72 64 3e 3c 2f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4f 6c 64 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 61 6b 71 72 6c 66 67 75 6b 69 6a 65 76 6c 3c 2f 4f 6c 64 4d Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02mjgbdkeyudpufc</Membername><Password>2+qLlNgB3X,uG#N7OotX</Password></Authentication><OldMembername>02akqrlfgukijevl</OldM
2024-10-01 17:20:02 UTC	542	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/xml Expires: Tue, 01 Oct 2024 17:18:59 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C528_BL2 x-ms-request-id: 9ebc7e4a-279c-4ee9-ba9f-56ce71a5e8a5 PPServer: PPV: 30 H: BL02EPF00027B33 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 01 Oct 2024 17:20:02 GMT Connection: close Content-Length: 17166
2024-10-01 17:20:02 UTC	15842	IN	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 73 70 6f 6e 73 65 20 53 75 63 63 65 73 73 3d 22 74 72 75 65 22 3e 3c 73 75 63 63 65 73 73 3e 74 72 75 65 3c 2f 73 75 63 63 65 73 73 3e 3c 70 75 69 64 3e 30 30 31 38 34 30 31 30 45 38 30 43 35 46 42 42 3c 2f 70 75 69 64 3e 3c 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 33 3c 2f 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 3c 4c 69 63 65 6e 73 65 20 43 6f 6e 74 65 6e 74 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 2d 38 63 63 35 2d 62 32 66 35 33 63 38 33 30 62 37 36 22 20 49 44 3d 22 34 36 61 39 62 35 34 30 2d 38 33 62 30 2d 34 32 34 37 2d 62 34 35 62 2d 37 30 30 31 38 63 32 62 35 30 32 65 22 20 4c 69 63 65 6e 73 65 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>00184010E80C5FBB</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="46a9b540-83b0-4247-b45b-70018c2b502e" LicenseID="3252b20c-d425-4711
2024-10-01 17:20:02 UTC	1324	IN	Data Raw: 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 65 6e 76 65 6c 6f 70 65 64 2d 73 69 67 6e 61 74 75 72 65 22 2f 3e 3c 2f 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 30 34 2f 78 6d 6c 65 6e 63 23 73 68 61 32 35 36 22 2f 3e 3c 44 69 67 65 73 74 56 61 6c 75 65 3e 67 74 71 77 70 52 35 66 47 44 61 6f 48 73 4d 37 49 57 47 4b 5a 67 61 77 58 61 30 42 50 69 47 61 65 35 62 49 75 6e 2f 52 51 4a 41 3d 3c 2f 44 69 67 65 73 74 56 61 6c 75 65 3e 3c 2f 52 65 66 65 72 65 6e 63 65 3e 3c 2f 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 53 69 67 6e 61 74 75 72 65 56 61 6c 75 65 3e 41 46 38 6f 46 52 2b 47 66 Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.4	49745	40.126.31.73	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:03 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-10-01 17:20:03 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-01 17:20:04 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 01 Oct 2024 17:19:03 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30374.3 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C507_BL2 x-ms-request-id: 863d11ae-7e06-4808-8bbc-6851a34cb2aa PPServer: PPV: 30 H: BL02EPF0001D732 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 01 Oct 2024 17:20:02 GMT Connection: close Content-Length: 11389
2024-10-01 17:20:04 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.4	49746	40.126.31.73	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:05 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-10-01 17:20:05 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-01 17:20:05 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 01 Oct 2024 17:19:05 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C533_BL2 x-ms-request-id: 7637b43f-1e17-432d-bffb-acf69ed1eb92 PPServer: PPV: 30 H: BL02EPF0001D793 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 01 Oct 2024 17:20:05 GMT Connection: close Content-Length: 1918
2024-10-01 17:20:05 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	49747	40.126.31.73	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:06 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-10-01 17:20:06 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-01 17:20:07 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 01 Oct 2024 17:19:06 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30374.3 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C507_BL2 x-ms-request-id: 2a6bdd63-743d-4747-84c8-526145ca0a30 PPServer: PPV: 30 H: BL02EPF0001D733 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 01 Oct 2024 17:20:06 GMT Connection: close Content-Length: 11409
2024-10-01 17:20:07 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:06 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xmC82Mf+gYZo8XV&MD=7vzGDmzP HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 17:20:07 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: c6272604-ad7a-4201-a8e1-d6db1f7addf0 MS-RequestId: bea2e0e1-4aa8-4b06-a0a6-5483f3b64882 MS-CV: K18cAQ29f0e2awkY.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 17:20:06 GMT Connection: close Content-Length: 24490
2024-10-01 17:20:07 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-01 17:20:07 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.4	49749	40.126.31.73	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:08 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-10-01 17:20:08 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-01 17:20:08 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 01 Oct 2024 17:19:08 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30374.3 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C507_BL2 x-ms-request-id: 98791a4c-f6f4-4261-80c5-ec577cdaed8f PPServer: PPV: 30 H: BL02EPF0001D72C V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 01 Oct 2024 17:20:08 GMT Connection: close Content-Length: 11409
2024-10-01 17:20:08 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.4	49750	40.126.31.73	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:09 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4762 Host: login.live.com
2024-10-01 17:20:09 UTC	4762	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-10-01 17:20:09 UTC	656	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 01 Oct 2024 17:19:09 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=5&213=296123&215=0&315=1&215=0&315=1&214=30&288=16.0.30374.3 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C507_BL2 x-ms-request-id: 5e88f652-5c57-46c8-87ab-b8b6a28040e0 PPServer: PPV: 30 H: BL02EPF000276BC V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 01 Oct 2024 17:20:09 GMT Connection: close Content-Length: 10197
2024-10-01 17:20:09 UTC	10197	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49751	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:44 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xmC82Mf+gYZo8XV&MD=7vzGDmzP HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-01 17:20:44 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 0d0e3e20-1234-4278-9f51-204733057b0e MS-RequestId: 140d74e6-b7e9-4f01-b6eb-371af47527e6 MS-CV: XP/YekvhV0CFnhvR.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 01 Oct 2024 17:20:44 GMT Connection: close Content-Length: 30005
2024-10-01 17:20:44 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-01 17:20:44 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49760	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	207	OUT	GET /rules/rule170022v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:20:59 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:20:59 GMT Content-Type: text/xml Content-Length: 756 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Sat, 27 Jul 2024 15:36:11 GMT ETag: "0x8DCAE51D7B4AB9D" x-ms-request-id: 240404f3-c01e-000b-68c5-13e255000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172059Z-15767c5fc55ncqdn59ub6rndq00000000820000000008480 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:20:59 UTC	756	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 32 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 73 49 6e 6b 4c 6f 61 64 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 3d 22 31 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 38 69 70 6a 22 20 41 3d 22 61 6e 75 69 35 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170022" V="2" DC="SM" EN="Office.Graphics.GVisInkLoad" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" S="1" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="b8ipj" A="anui5"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49763	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	207	OUT	GET /rules/rule324001v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:20:59 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:20:59 GMT Content-Type: text/xml Content-Length: 513 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:31 GMT ETag: "0x8DC582BD84BDCC1" x-ms-request-id: 088c1420-201e-0071-50c5-13ff15000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172059Z-15767c5fc55rg5b7sh1vuv8t7n00000008h0000000014ebu x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:20:59 UTC	513	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 31 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 50 72 6f 6a 65 63 74 4c 6f 61 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324001" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryProjectLoad" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49759	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	206	OUT	GET /rules/rule63067v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:20:59 UTC	584	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:20:59 GMT Content-Type: text/xml Content-Length: 2871 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:05 GMT ETag: "0x8DC582BEC5E84E0" x-ms-request-id: 6fb6f6f2-401e-0083-5cc5-13075c000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172059Z-15767c5fc55v7j95gq2uzq37a000000008e0000000011nm8 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:20:59 UTC	2871	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 36 33 30 36 37 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 49 64 65 6e 74 69 74 79 2e 53 73 70 69 50 72 6f 6d 70 74 57 69 6e 33 32 22 20 41 54 54 3d 22 35 63 36 35 62 62 63 34 65 64 62 66 34 38 30 64 39 36 33 37 61 63 65 30 34 64 36 32 62 64 39 38 2d 31 32 38 34 34 38 39 33 2d 38 61 62 39 2d 34 64 64 65 2d 62 38 35 30 2d 35 36 31 32 63 62 31 32 65 30 66 32 2d 37 38 32 32 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 44 43 61 3d 22 44 43 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="63067" V="4" DC="SM" EN="Office.Identity.SspiPromptWin32" ATT="5c65bbc4edbf480d9637ace04d62bd98-12844893-8ab9-4dde-b850-5612cb12e0f2-7822" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <S>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	207	OUT	GET /rules/rule490016v3s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:20:59 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:20:59 GMT Content-Type: text/xml Content-Length: 777 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:28:04 GMT ETag: "0x8DC582BEC2AAB32" x-ms-request-id: 55f4d361-401e-0015-12c5-130e8d000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172059Z-15767c5fc554w2fgapsyvy8ua000000007tg00000000pp09 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:20:59 UTC	777	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 34 39 30 30 31 36 22 20 56 3d 22 33 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 46 65 65 64 62 61 63 6b 2e 53 75 72 76 65 79 2e 46 6c 6f 6f 64 67 61 74 65 43 6c 69 65 6e 74 2e 52 6f 61 6d 69 6e 67 53 75 63 63 65 73 73 66 75 6c 52 65 61 64 57 72 69 74 65 22 20 41 54 54 3d 22 64 37 39 65 38 32 34 33 38 36 63 34 34 34 31 63 62 38 63 31 64 34 61 65 31 35 36 39 30 35 32 36 2d 62 64 34 34 33 33 30 39 2d 35 34 39 34 2d 34 34 34 61 2d 61 62 61 39 2d 30 61 66 39 65 65 66 39 39 66 38 34 2d 37 33 36 30 22 20 54 3d 22 55 70 6c 6f 61 64 2d 4d 65 64 69 75 6d 22 20 44 4c 3d 22 4e 22 20 44 43 61 3d 22 50 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="490016" V="3" DC="SM" EN="Office.Feedback.Survey.FloodgateClient.RoamingSuccessfulReadWrite" ATT="d79e824386c4441cb8c1d4ae15690526-bd443309-5494-444a-aba9-0af9eef99f84-7360" T="Upload-Medium" DL="N" DCa="P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	208	OUT	GET /rules/rule170012v12s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:20:59 UTC	584	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:20:59 GMT Content-Type: text/xml Content-Length: 1353 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Sat, 25 May 2024 18:28:18 GMT ETag: "0x8DC7CE8734A2850" x-ms-request-id: 0c52b10d-f01e-0096-56c5-1310ef000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172059Z-15767c5fc55gs96cphvgp5f5vc000000089000000000ar7t x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:20:59 UTC	1353	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 30 31 32 22 20 56 3d 22 31 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 47 56 69 7a 49 6e 6b 53 74 72 6f 6b 65 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170012" V="12" DC="SM" EN="Office.Graphics.GVizInkStroke" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" SP="CriticalBusinessImpact" DCa="PSU" xmlns=""> <S> <UTS T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49764	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	207	OUT	GET /rules/rule324002v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:21:00 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:20:59 GMT Content-Type: text/xml Content-Length: 833 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:33 GMT ETag: "0x8DC582BD9758B35" x-ms-request-id: 36d17ada-601e-0002-50c5-13a786000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172059Z-15767c5fc55whfstvfw43u8fp400000008fg00000000cbzb x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:21:00 UTC	833	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 32 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 44 65 63 6c 61 72 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 30 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324002" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryDeclare" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T="1" Id="b0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49765	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	207	OUT	GET /rules/rule324003v5s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:21:00 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:21:00 GMT Content-Type: text/xml Content-Length: 716 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT ETag: "0x8DC582BD9F5CC0A" x-ms-request-id: a3754404-d01e-005a-08c5-137fd9000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172100Z-15767c5fc55gs96cphvgp5f5vc000000089g000000007nwx x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:21:00 UTC	716	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 33 22 20 56 3d 22 35 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 52 65 66 65 72 65 6e 63 65 64 4c 69 62 72 61 72 79 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324003" V="5" DC="SM" EN="Office.Extensibility.VbaTelemetryReferencedLibrary" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UTS T=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49766	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:20:59 UTC	207	OUT	GET /rules/rule324004v4s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:21:00 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:20:59 GMT Content-Type: text/xml Content-Length: 738 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:27:34 GMT ETag: "0x8DC582BD9FE7D4B" x-ms-request-id: 79ea2b94-301e-0052-50c5-1365d6000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172059Z-15767c5fc55xgp8c992y5v5w1800000008h000000000491q x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:21:00 UTC	738	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 34 22 20 56 3d 22 34 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 4f 62 6a 65 63 74 49 6e 73 74 61 6e 74 69 61 74 65 64 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324004" V="4" DC="SM" EN="Office.Extensibility.VbaTelemetryComObjectInstantiated" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" DCa="DC PSP PSU" xmlns=""> <S> <UT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49768	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:21:00 UTC	207	OUT	GET /rules/rule324006v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:21:00 UTC	491	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:21:00 GMT Content-Type: text/xml Content-Length: 599 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:44 GMT ETag: "0x8DC582BBC83D642" x-ms-request-id: 0c52b2bd-f01e-0096-74c5-1310ef000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172100Z-15767c5fc554wklc0x4mc5pq0w00000008sg000000001cs4 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-10-01 17:21:00 UTC	599	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 36 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 53 68 6f 77 49 64 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324006" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryShowIde" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49767	13.107.246.60	443	7612	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-01 17:21:00 UTC	207	OUT	GET /rules/rule324005v2s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-01 17:21:00 UTC	471	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 17:21:00 GMT Content-Type: text/xml Content-Length: 599 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:51 GMT ETag: "0x8DC582BC0B3C3C8" x-ms-request-id: f4b5ee0a-a01e-0053-7026-148603000000 x-ms-version: 2018-03-28 x-azure-ref: 20241001T172100Z-15767c5fc5546rn6ch9zv310e0000000017000000000uzdr x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-10-01 17:21:00 UTC	599	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 33 32 34 30 30 35 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 45 78 74 65 6e 73 69 62 69 6c 69 74 79 2e 56 62 61 54 65 6c 65 6d 65 74 72 79 43 6f 6d 70 69 6c 65 22 20 41 54 54 3d 22 64 62 33 33 34 62 33 30 31 65 37 62 34 37 34 64 62 35 65 30 66 30 32 66 30 37 63 35 31 61 34 37 2d 61 31 62 35 62 63 33 36 2d 31 62 62 65 2d 34 38 32 66 2d 61 36 34 61 2d 63 32 64 39 63 62 36 30 36 37 30 36 2d 37 34 33 39 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 43 61 3d 22 44 43 20 50 53 50 20 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="324005" V="2" DC="SM" EN="Office.Extensibility.VbaTelemetryCompile" ATT="db334b301e7b474db5e0f02f07c51a47-a1b5bc36-1bbe-482f-a64a-c2d9cb606706-7439" SP="CriticalBusinessImpact" DCa="DC PSP PSU" xmlns="">

Target ID:	0
Start time:	13:19:49
Start date:	01/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x9f0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:20:47
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:20:48
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,2893898303469731858,14813356722618462385,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	13:20:50
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://sparksymmetrho.pro/ZEDaX/"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:20:53
Start date:	01/10/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 12288
Imagebase:	0x7ff704e10000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	13:21:14
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sparksymmetrho.pro/ZEDaX/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:21:14
Start date:	01/10/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1932,i,15197531248749630120,10810818292204147746,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Due Statement- (1).xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\15FC6627.png

C:\Users\user\AppData\Local\Temp\~DFBBF6F6B0E75CF25C.TMP

C:\Users\user\Desktop\12C30000

C:\Users\user\Desktop\12C30000:Zone.Identifier

C:\Users\user\Desktop\Due Statement- (1).xlsx (copy)

C:\Users\user\Desktop\~$Due Statement- (1).xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Due Statement- (1).xlsx"

Indicators

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
Due Statement- (1).xlsx