Clicky

Pages

Tuesday, November 29, 2011

30 PDF files processed by Cuckoo Sandbox - results and samples

Update - posted a list of the dropped files for each file and the C&C info from pcaps in the end of the post - for review and easy Googling.


Shutterstock image
In addition to the post about the Cuckoo sandbox, please see below sandbox results and samples for 30 recent  PDF files (APT type). I excluded the payload/dropped files because of the large number of benign files in the same folder as the payload. Perhaps seeing the output will help you decide whether you want to deploy the sandbox or not.
If you need to see the payload 'files' folders, please see the previous post for example or contact me.According to the author, the file dumps filtering will be added soon.
 What you will see in the package:
Original analysis folder (excluding "Files" - dropped files)
  • Analysis.config - you will see the name of the analysed file there.
  • Analysis.log + report.txt- all API calls and created files log
  • Dump.pcap file
  • logs folder - in csv fomat
  • shots folder - screenshots taken
  • Original file itself  
 Additonal files
  • List of all hashes of all files
  • All pcap files converted to text
  • Filtered logs showing dropped files.





List of included files and corresponding Cuckoo sandbox analysis results

86730A9BC3AB99503322EDA6115C1096    1104statment.pdf   
35458535961F767E267487E39641766C    1106.pdf   
92D142E08DBEF9FC6BC61A575224C3EC    111109.pdf   
B4CB1B1182EA0B616ED6702A2B25FAC2    20111106_.pdf   
88B884E8CE014D6B8D30B8198E048708    20111111_SexyDay.pdf   
C0D5B1CC0C77FCF32FF02AAC98FAC536    2012().pdf   
31DD6F29F19626F8CE03D73B3F635296    2012()2.pdf   
C89D0C1DF6B4EF20E8447B11BEB77723    2012()3.pdf   
08CDC6213D63EA85FBCCD335579CAEC4    2015.pdf   
57F8BC2995CA99E20B356B623FA12F29    AEO.pdf   
61481CBCBD35034C7CF4D1930B5E63E3    ATT03306.pdf   
CBEA315F41205B731379521C5464C134    ATT03865.pdf   
452703B9292A7A5D45EB224C622D32CF    ATT11990.pdf   
704D40896BF6C9EA174F4CF3B57AC562    ATT25948.pdf   
2A0DCB1915C0465949E7AECFB06F47EA    ATT41702.pdf   
979C64214F11F72EDDDD04FFC4887BB5    ATT63950.pdf   
E30D11EB28BB88681D1FB31DA88D84C6    ATT78434.pdf   
DD7A03F4932CB86A77BD57B1C21FC18F    ATT85096.pdf   
1188EA8F0D086A8860A3AAFB54A3FA76    ATT88422.pdf   
B4CB1B1182EA0B616ED6702A2B25FAC2    ATT93159.pdf   
91759CA240EECCC4C742CFF341C9A9A7    ATT93487.pdf   
3173D2A0A607ECCF21707A3DC5DE30DA    Bainbridge Skills.pdf   
F567FFD4F7A19A469D836E5A0A9552AB    Conference information for next week.pdf   
670E22EC5EE2F8D08795BA7FF5A5D52E    DOB Aug 2011.pdf   
01A1CAA4BA9EC050BA8CEAFE26998577    g20 summit.pdf   
670E22EC5EE2F8D08795BA7FF5A5D52E    ID194.pdf   
CDB6DCF66B7D3C5BC678378F46BA94E7    military procurement.pdf   
C898ABCEA6EAAA3E1795322D02E95D7E    NorthKorea.pdf   
0A630BBAA1691ED10540048BD5B4CF04    Nuclear Security and Summit Diplomacy.pdf   
DE095F05913928CF58A27F27C5BF8605    statement.pdf   
DROPPED FILES AND C&Cs


52/[2011-11-29 00:13:25] "C:\APT_1104statment.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d8caps.dat"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d9caps.dat"
52/[2011-11-29 00:13:28] "iso88591"
78  71.361654    10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81  83.379329    10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460


53/[2011-11-29 00:15:55] "C:\APT_1106.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d8caps.dat"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d9caps.dat"
53/[2011-11-29 00:15:56] "iso88591"
103 131.960627    10.0.2.15 -> 61.203.196.118 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460


54/[2011-11-29 00:18:22] "C:\APT_111109.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d8caps.dat"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d9caps.dat"
54/[2011-11-29 00:18:23] "iso88591"

 92 100.874401    10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 93 106.882960    10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 97 118.901642    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 99 119.300035 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
100 119.300466    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
101 119.300509    10.0.2.15 -> 62.233.245.91 SSL Continuation Data
102 119.300538 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [ACK] Seq=1 Ack=193 Win=65535 Len=0
104 119.671542 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [FIN, ACK] Seq=1 Ack=193 Win=65535 Len=0
105 119.672034    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=193 Ack=2 Win=64240 Len=0
106 119.672056    10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [FIN, ACK] Seq=193 Ack=2 Win=64240 Len=0
107 119.672107 62.233.245.91 -> 10.0.2.15    TCP 443 > 1050 [ACK] Seq=2 Ack=194 Win=65535 Len=0
108 119.672640    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
110 122.606271    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
111 123.110597 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
112 123.110991    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
113 123.111028    10.0.2.15 -> 62.233.245.91 HTTP GET /khdpi.php?id=0080131911386GB524 HTTP/1.1
114 123.111058 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=1 Ack=189 Win=65535 Len=0
115 123.564824 62.233.245.91 -> 10.0.2.15    HTTP HTTP/1.1 404 Nie znaleziono obiektu  (text/html)
116 123.565799    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [FIN, ACK] Seq=189 Ack=312 Win=63929 Len=0
117 123.565880 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=312 Ack=190 Win=65535 Len=0
118 123.581081 62.233.245.91 -> 10.0.2.15    TCP 80 > 1051 [FIN, ACK] Seq=312 Ack=190 Win=65535 Len=0
119 123.581393    10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=190 Ack=313 Win=63929 Len=0
121 125.560394    10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
123 128.514543    10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
126 134.523033    10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460


55/[2011-11-29 00:20:50] "C:\APT_20111106_.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d8caps.dat"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d9caps.dat"
55/[2011-11-29 00:20:51] "iso88591"
 60  34.365192    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 61  34.682612 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 62  34.686987    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 63  34.687007    10.0.2.15 -> 203.116.203.67 SSL Continuation Data
 64  34.687042 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0
 68  37.286460 203.116.203.67 -> 10.0.2.15    SSL Continuation Data



56/[2011-11-29 00:23:18] "C:\APT_20111111_SexyDay.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d8caps.dat"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d9caps.dat"
56/[2011-11-29 00:23:19] "iso88591"
60  34.580116    10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 61  35.001033 62.233.245.91 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 62  35.001274    10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 63  35.001683    10.0.2.15 -> 62.233.245.91 SSL Continuation Data


57/[2011-11-29 00:25:45] "C:\APT_2012().pdf"
--

58/[2011-11-29 00:28:15] "C:\APT_2012()2.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
--

59/[2011-11-29 00:30:42] "C:\APT_2012()3.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d8caps.dat"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d9caps.dat"
59/[2011-11-29 00:30:43] "iso88591"

 1   0.000000              ->              Ethernet [Packet size limited during capture]
 59  34.274013    10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 65  37.193422    10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 73  43.201705    10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 76  55.221290    10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 78  58.222827    10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 82  64.232492    10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 86  76.250579    10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 88  79.253888    10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 91  85.262904    10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 95  97.180318    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 97  97.376698 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 98  97.376875    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 99  97.377127    10.0.2.15 -> 2.116.180.66 HTTP GET /rqban.php?id=0026041911386GB524 HTTP/1.1
100  97.377168 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [ACK] Seq=1 Ack=188 Win=65535 Len=0
110 127.883970    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
111 127.884082 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [ACK] Seq=1 Ack=189 Win=65535 Len=0
112 127.884442    10.0.2.15 -> 2.229.10.5   TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
113 128.055148 2.116.180.66 -> 10.0.2.15    TCP 80 > 1048 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
114 128.055442    10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
116 130.827421    10.0.2.15 -> 2.229.10.5   TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
121 136.835963    10.0.2.15 -> 2.229.10.5   TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460


60/[2011-11-29 00:33:09] "C:\APT_2015.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d8caps.dat"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d9caps.dat"
60/[2011-11-29 00:33:10] "iso88591"
90  85.128211    10.0.2.15 -> 71.246.244.139 TCP 1047 > 1010 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
94  97.055009    10.0.2.15 -> 206.253.41.47 TCP 1048 > 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

61/[2011-11-29 00:35:36] "C:\APT_AEO.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d8caps.dat"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d9caps.dat"
61/[2011-11-29 00:35:37] "iso88591"
 98 105.995079    10.0.2.15 -> 61.203.196.118 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
103 120.016061    10.0.2.15 -> 220.135.104.7 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

62/[2011-11-29 00:38:03] "C:\APT_ATT03306.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d8caps.dat"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d9caps.dat"
62/[2011-11-29 00:38:03] "iso88591"
 62  34.663176 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 63  34.664159    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 64  34.664179    10.0.2.15 -> 203.116.203.67 SSL Continuation Data

63/[2011-11-29 00:40:29] "C:\APT_ATT03865.pdf"

64/[2011-11-29 00:42:59] "C:\APT_ATT11990.pdf"
64/[2011-11-29 00:43:00] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\cmd.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d8caps.dat"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d9caps.dat"
64/[2011-11-29 00:43:00] "iso88591"
  1   0.000000              ->              Ethernet [Packet size limited during capture]
 66  40.373167    10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 67  40.819758 60.249.85.109 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 68  40.820024    10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 69  40.820061    10.0.2.15 -> 60.249.85.109 SSL Continuation Data
 70  40.820088 60.249.85.109 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=23 Win=65535 Len=0
 74  40.881943    10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
 75  41.032372 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
 76  41.033219    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  41.269469 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 78  41.270321    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 79  41.270384    10.0.2.15 -> 216.146.39.70 HTTP GET / HTTP/1.1 Continuation or non-HTTP traffic
 80  41.270423 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=65 Win=65535 Len=0
 81  41.552327 216.146.39.70 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
 82  41.552557 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [FIN, ACK] Seq=261 Ack=65 Win=65535 Len=0
 83  41.552712    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=65 Ack=262 Win=63980 Len=0
 84  41.552744    10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [FIN, ACK] Seq=65 Ack=262 Win=63980 Len=0
 85  41.552773 216.146.39.70 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=262 Ack=66 Win=65535 Len=0
 86  41.553781    10.0.2.15 -> 60.249.85.109 SSL Continuation Data

65/[2011-11-29 00:45:26] "C:\APT_ATT25948.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d8caps.dat"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d9caps.dat"
65/[2011-11-29 00:45:27] "iso88591"
 60  35.138773    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 62  35.703752 203.116.203.67 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 63  35.703752    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 64  35.703752    10.0.2.15 -> 203.116.203.67 SSL Continuation Data
 65  35.703752 203.116.203.67 -> 10.0.2.15    TCP 443 > 1044 [ACK] Seq=1 Ack=194 Win=65535 Len=0
 68  37.287146 203.116.203.67 -> 10.0.2.15    SSL Continuation Data

66/[2011-11-29 00:47:53] "C:\APT_ATT41702.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d8caps.dat"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d9caps.dat"
66/[2011-11-29 00:47:54] "iso88591"
62  35.220147    10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 63  35.729797 203.92.33.98 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 64  35.730349    10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 65  35.730367    10.0.2.15 -> 203.92.33.98 SSL Continuation Data
 66  35.730401 203.92.33.98 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=192 Win=65535 Len=0
 68  36.008025 203.92.33.98 -> 10.0.2.15    TCP 443 > 1043 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0


67/[2011-11-29 00:50:20] "C:\APT_ATT63950.pdf"

68/[2011-11-29 00:52:48] "C:\APT_ATT78434.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d8caps.dat"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d9caps.dat"
68/[2011-11-29 00:52:49] "iso88591"
106 118.728793    10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
107 119.104435 62.233.245.91 -> 10.0.2.15    TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
108 119.104435    10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
109 119.104435    10.0.2.15 -> 62.233.245.91 HTTP GET /vikqz.php?id=0007871911386GB524 HTTP/1.1
110 119.104435 62.233.245.91 -> 10.0.2.15    TCP 80 > 1050 [ACK] Seq=1 Ack=189 Win=65535 Len=0
111 119.290731 62.233.245.91 -> 10.0.2.15    HTTP HTTP/1.1 404 Nie znaleziono obiektu  (text/html)
112 119.291465 62.233.245.91 -> 10.0.2.15    TCP 80 > 1050 [FIN, ACK] Seq=312 Ack=189 Win=65535 Len=0


69/[2011-11-29 00:55:16] "C:\APT_ATT85096.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"

70/[2011-11-29 00:57:43] "C:\APT_ATT88422.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\ccapp.exe"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d8caps.dat"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d9caps.dat"
70/[2011-11-29 00:57:43] "iso88591"
  1   0.000000              ->              Ethernet [Packet size limited during capture]
 61  34.446095    10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 66  37.377861    10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 74  43.386561    10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  55.405520    10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 79  58.407708    10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 83  64.416957    10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 87  76.434892    10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 89  79.438217    10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 92  85.447996    10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 96  97.365250    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 98  97.766921 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 99  97.767318    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
100  97.767349    10.0.2.15 -> 2.116.180.66 HTTP GET /hrqxk.php?id=0100641911386GB524 HTTP/1.1
101  97.767394 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [ACK] Seq=1 Ack=188 Win=65535 Len=0
111 128.279223    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
112 128.279304 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [ACK] Seq=1 Ack=189 Win=65535 Len=0
113 128.279790    10.0.2.15 -> 2.229.10.5   TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
114 128.455002 2.116.180.66 -> 10.0.2.15    TCP 80 > 1049 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
115 128.455337    10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
117 131.213059    10.0.2.15 -> 2.229.10.5   TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
122 137.221641    10.0.2.15 -> 2.229.10.5   TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460



71/[2011-11-29 01:00:10] "C:\APT_ATT93159.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d8caps.dat"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d9caps.dat"
71/[2011-11-29 01:00:11] "iso88591"
61  35.267636    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 62  35.755264 203.116.203.67 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 63  35.755767    10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0

72/[2011-11-29 01:00:52] "C:\APT_ATT93487.pdf"
72/[2011-11-29 01:00:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11111.exe"
72/[2011-11-29 01:00:53] "C:\WINDOWS\system32\cmd.exe"
49  28.589394    10.0.2.15 -> 68.87.73.246 DNS Standard query A family.mobwork.net
 52  28.815334 68.87.73.246 -> 10.0.2.15    DNS Standard query response, No such name
 53  28.824172    10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 55  29.391808 60.249.219.82 -> 10.0.2.15    TCP 443 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 56  29.393046    10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 57  29.393089    10.0.2.15 -> 60.249.219.82 SSL Continuation Data


73/[2011-11-29 01:03:20] "C:\APT_Bainbridge Skills.pdf"
73/[2011-11-29 01:03:20] "C:\WINDOWS\\googlesetup.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\AdobeARM.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\cmd.exe"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d8caps.dat"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d9caps.dat"
 1   0.000000              ->              Ethernet [Packet size limited during capture]
 60  34.385805    10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org
 61  34.386808    10.0.2.15 -> 68.87.73.246 DNS Standard query A www.microsoft.com
 63  34.651537 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME toggle.www.ms.akadns.net CNAME g.www.ms.akadns.net CNAME lb1.www.ms.akadns.net A 207.46.19.254
 64  34.653667    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 65  34.660488 68.87.73.246 -> 10.0.2.15    DNS Standard query response, No such name
 66  34.661636    10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org.hsd1.va.comcast.net
 67  34.929382 207.46.19.254 -> 10.0.2.15    TCP 80 > 1047 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 68  34.929845    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 69  34.948980 68.87.73.246 -> 10.0.2.15    DNS Standard query response, No such name
 71  35.171205    10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
 72  35.171292 207.46.19.254 -> 10.0.2.15    TCP 80 > 1047 [ACK] Seq=1 Ack=1130 Win=65535 Len=0
 73  35.457443 207.46.19.254 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
 74  35.457494 207.46.19.254 -> 10.0.2.15    HTTP HTTP/1.0 200 OK  (text/html)
 75  35.457916    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1130 Ack=557 Win=63685 Len=0
 76  35.470823    10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [FIN, ACK] Seq=1130 Ack=557 Win=63685 Len=0
 77  35.470895 207.46.19.254 -> 10.0.2.15    TCP 80 > 1047 [ACK] Seq=557 Ack=1131 Win=65535 Len=0
 79  36.074407    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 80  36.294800 207.46.19.254 -> 10.0.2.15    TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 81  36.295728    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 82  36.297643    10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
 83  36.297718 207.46.19.254 -> 10.0.2.15    TCP 80 > 1049 [ACK] Seq=1 Ack=1291 Win=65535 Len=0
 84  36.534015 207.46.19.254 -> 10.0.2.15    HTTP HTTP/1.1 302 Found  (text/html)
 85  36.536261    10.0.2.15 -> 68.87.73.246 DNS Standard query A home.microsoft.com
 86  36.648320    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1291 Ack=547 Win=63694 Len=0
 88  36.699394 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME redir.blu.cb3.glbdns.microsoft.com A 65.55.206.209
 89  36.700413    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 90  36.873588 65.55.206.209 -> 10.0.2.15    TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 91  36.874437    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 92  36.874467    10.0.2.15 -> 65.55.206.209 HTTP GET / HTTP/1.1
 93  36.874531 65.55.206.209 -> 10.0.2.15    TCP 80 > 1050 [ACK] Seq=1 Ack=1129 Win=65535 Len=0
 94  37.055783 65.55.206.209 -> 10.0.2.15    HTTP HTTP/1.1 301 Moved Permanently
 95  37.057985    10.0.2.15 -> 68.87.73.246 DNS Standard query A www.msn.com
 96  37.236864 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME us.co1.cb3.glbdns.microsoft.com A 207.46.140.34
 97  37.238158    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 98  37.249543    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1129 Ack=298 Win=63943 Len=0
100  37.491542 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
101  37.492462    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
102  37.492498    10.0.2.15 -> 207.46.140.34 HTTP GET / HTTP/1.1
103  37.492538 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=1 Ack=817 Win=65535 Len=0
104  37.814454 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
105  37.814506 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
106  37.814816    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=1449 Win=62792 Len=0
107  37.814902 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
108  37.814937 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
109  37.815251    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=2897 Win=64240 Len=0
110  37.836372    10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stc.s-msn.com
111  37.909124 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
112  37.909177 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
113  37.909422 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
114  37.909451 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
115  37.909473    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=4345 Win=62792 Len=0
116  37.909731    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=5793 Win=64240 Len=0
117  37.909824 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
118  37.909849 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
119  37.909985    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=7241 Win=62792 Len=0
120  37.910259 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
121  37.910488 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
122  37.910618    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=8689 Win=64240 Len=0
123  38.002706 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
124  38.002774 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
125  38.003245 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
126  38.003373 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
127  38.003895 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
128  38.003940    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=10137 Win=62792 Len=0
129  38.003985    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=11585 Win=64240 Len=0
130  38.004040 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
131  38.004123    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=13033 Win=62792 Len=0
132  38.005081 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
133  38.005125 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
134  38.005268    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=14481 Win=61344 Len=0
135  38.005378 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
136  38.005419 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
137  38.005525    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=15929 Win=59896 Len=0
138  38.005995 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
139  38.006038 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
140  38.006180    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=17377 Win=58448 Len=0
141  38.010812 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
142  38.010857 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
143  38.011153    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=18825 Win=57000 Len=0
144  38.011266 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
145  38.011312 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
146  38.011471    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=20273 Win=55552 Len=0
147  38.031499 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME colstc.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.209 A 65.54.81.185
148  38.032809    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
149  38.032977    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
150  38.035078    10.0.2.15 -> 207.46.140.34 TCP [TCP Window Update] 1051 > 80 [ACK] Seq=817 Ack=20273 Win=64240 Len=0
151  38.091287 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
152  38.091328 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
153  38.091541    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=21721 Win=62792 Len=0
154  38.091594 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
155  38.091634 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
156  38.091800    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=23169 Win=64240 Len=0
157  38.091879 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
158  38.091903 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
159  38.092222    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=24617 Win=62792 Len=0
160  38.092252 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
161  38.092276 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
162  38.092752    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=26065 Win=64240 Len=0
163  38.092832 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
164  38.092860 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
165  38.093222    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=27513 Win=62792 Len=0
166  38.093252 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
167  38.093275 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
168  38.093711    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=28961 Win=64240 Len=0
169  38.093740 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
170  38.093769 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
171  38.094127    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=30409 Win=62792 Len=0
172  38.094157 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
173  38.094180 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
174  38.095541    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=31857 Win=61344 Len=0
175  38.095575 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
176  38.095605 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
177  38.096013    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=33305 Win=59896 Len=0
178  38.096093 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
179  38.096119 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
180  38.097120    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=34753 Win=58448 Len=0
181  38.097151    10.0.2.15 -> 207.46.140.34 TCP [TCP Window Update] 1051 > 80 [ACK] Seq=817 Ack=34753 Win=64240 Len=0
182  38.097195 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
183  38.097248 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
184  38.097469    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=36201 Win=62792 Len=0
185  38.097493 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
186  38.097528 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
187  38.097842    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=37649 Win=64240 Len=0
188  38.097871 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
189  38.097901 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
190  38.097952 207.46.140.34 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
191  38.098031    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=39097 Win=62792 Len=0
193  38.237992 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
194  38.238320 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
195  38.238404    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
196  38.238788    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
197  38.238804    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/css/3c/e52849405b21b1b7b78858e8f94f2f.css HTTP/1.1
198  38.238890 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=1 Ack=377 Win=65535 Len=0
199  38.240511    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/css/f5/c58b60aba0638d30b1ba54ac21ef03.css HTTP/1.1
200  38.240573 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=1 Ack=377 Win=65535 Len=0
201  38.250677    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=39854 Win=64240 Len=0
202  38.449344 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
203  38.464082 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
204  38.512984    10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stj.s-msn.com
205  38.551278    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=377 Ack=168 Win=64073 Len=0
206  38.652280    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=377 Ack=169 Win=64072 Len=0
207  38.728227 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME colstj.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.24 A 65.54.81.18
208  38.729729    10.0.2.15 -> 65.54.81.24  TCP 1054 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
209  38.733541    10.0.2.15 -> 65.54.81.24  TCP 1055 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
210  38.735147    10.0.2.15 -> 68.87.73.246 DNS Standard query A amer.rel.msn.com
211  38.739101    10.0.2.15 -> 68.87.73.246 DNS Standard query A exp.www.msn.com
212  38.824585    10.0.2.15 -> 68.87.73.246 DNS Standard query A udc.msn.com
216  38.955997  65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
217  38.956179    10.0.2.15 -> 65.54.81.24  TCP 1055 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
218  38.956342  65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
219  38.958079    10.0.2.15 -> 65.54.81.24  TCP 1054 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
220  38.961515 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME amer.hops.glbdns.microsoft.com A 207.46.140.46
221  38.962824    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
222  38.965918    10.0.2.15 -> 68.87.73.246 DNS Standard query A view.atdmt.com
223  38.967318 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME ro-msn.exp.glbdns.microsoft.com A 65.55.18.18
224  38.973159    10.0.2.15 -> 65.55.18.18  TCP 1058 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
225  38.974222    10.0.2.15 -> 68.87.73.246 DNS Standard query A b.scorecardresearch.com
226  39.051152 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME udc.udc0.glbdns.microsoft.com A 70.37.130.35
227  39.053649    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
228  39.053691    10.0.2.15 -> 68.87.73.246 DNS Standard query A c.msn.com
229  39.200684 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 65.55.33.48
230  39.201639    10.0.2.15 -> 65.55.33.48  TCP 1060 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
231  39.204105    10.0.2.15 -> 68.87.73.246 DNS Standard query A www.bing.com
232  39.204532 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME b.scorecardresearch.com.edgesuite.net CNAME a1294.w20.akamai.net A 96.17.168.80 A 96.17.168.152 A 96.17.168.98
233  39.206253    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
234  39.206283    10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stb.s-msn.com
235  39.265296 207.46.140.46 -> 10.0.2.15    TCP 80 > 1057 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
236  39.265754    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
237  39.278876  65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
238  39.279083    10.0.2.15 -> 65.55.18.18  TCP 1058 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
239  39.281502 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME c.msn.com.nsatc.net A 64.4.21.39
240  39.283203    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
241  39.283360    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/icons/BING_websearch_2.jpg HTTP/1.1
242  39.283416 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=168 Ack=740 Win=65535 Len=0
243  39.304309 70.37.130.35 -> 10.0.2.15    TCP 80 > 1059 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
244  39.304617    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
245  39.442570 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME colstb.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.24 A 65.54.81.47
246  39.443333 96.17.168.80 -> 10.0.2.15    TCP 80 > 1061 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
247  39.443994    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
248  39.444021    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
249  39.444045 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME search.ms.com.edgesuite.net CNAME a134.b.akamai.net A 96.17.171.161 A 96.17.171.99
250  39.445180    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
251  39.447047    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
252  39.447064    10.0.2.15 -> 68.87.73.246 DNS Standard query A blst.msn.com
253  39.447074    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/ff/adchoices_gif2.gif HTTP/1.1
254  39.447147 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=169 Ack=733 Win=65535 Len=0
255  39.449020    10.0.2.15 -> 65.54.81.24  HTTP GET /br/sc/js/01/dapmsn_exp_min.js HTTP/1.1
256  39.449080    10.0.2.15 -> 65.54.81.24  HTTP GET /br/sc/js/jquery/jquery-1.4.2.min.js HTTP/1.1
257  39.449102    10.0.2.15 -> 207.46.140.46 HTTP GET /default.aspx?parsergroup=hops&fk=W&gp=P&optkey=default&rf=&di=340&pi=7317&ps=95101&pageid=6875603&mk=en-us&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&tfk=C%3Adefault&utk=&cts=1322546503640&tv=infopane_hops%3Ana%2Clocaltg%3Alocal%2Cstgsearch%3Apopsrchnew%2Csocialtg%3Afacebook HTTP/1.1
258  39.449124  65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [ACK] Seq=1 Ack=360 Win=65535 Len=0
259  39.449151  65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [ACK] Seq=1 Ack=364 Win=65535 Len=0
260  39.449168 207.46.140.46 -> 10.0.2.15    TCP 80 > 1057 [ACK] Seq=1 Ack=932 Win=65535 Len=0
261  39.449798    10.0.2.15 -> 65.55.18.18  HTTP GET /ro.aspx?evt=impr&obs=msnhp_us_pv&di=340&pi=7317&ps=95101&pn=US+HPMSFT3WANBOV2T2&ch=MSFT&rid=&cts=1322546503640&rf=&slv=0&tp=http%3A%2F%2Fwww.msn.com%2F HTTP/1.1
262  39.449817    10.0.2.15 -> 70.37.130.35 HTTP GET /c.gif?evt=impr&js=1&rid=&exa=msnhp_us_master_v2%3AWP10_5%2Cmsnhp_us_anbov2%3AT2&pp=False&bd=&gnd=&cts=1322546503670&aop=&expac=673II6B39_0912%3AT2~40II3a39_0803%3AWP10_5%7C&dv.SNLogin=fb%3Af%2Ctw%3Af&dv.GrpFrMod=infopane_hops%3Ana%2Clocaltg%3Alocal%2Cstgsearch%3Apopsrchnew%2Csocialtg%3Afacebook&hp=N&fk=W&gp=P&optkey=default&clid=3CE72C262627635C3C662E93222763E1&rf=&cu=http%3A%2F%2Fwww.msn.com%2F&sl=0&slv=0&bh=294&bw=609&scr=800x600&sd=32&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT3WANBOV2T2&pid=6875603&su=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&pageid=6875603&br=MSFT&mv=V14 HTTP/1.1
263  39.449827    10.0.2.15 -> 96.17.168.80 HTTP GET /b?c1=2&c2=3000001&c7=http%3A%2F%2Fwww.msn.com%2F&c9=&rn=1322546503680 HTTP/1.1
264  39.449861  65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [ACK] Seq=1 Ack=915 Win=65535 Len=0
265  39.449887 70.37.130.35 -> 10.0.2.15    TCP 80 > 1059 [ACK] Seq=1 Ack=1234 Win=65535 Len=0
266  39.449932 96.17.168.80 -> 10.0.2.15    TCP 80 > 1061 [ACK] Seq=1 Ack=383 Win=65535 Len=0
267  39.509919  65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
268  39.510410    10.0.2.15 -> 65.55.33.48  TCP 1060 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
269  39.510434    10.0.2.15 -> 65.55.33.48  HTTP GET /action/MSN_Homepage_Remessaging_111808/nc?a=1 HTTP/1.1
270  39.510488  65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [ACK] Seq=1 Ack=488 Win=65535 Len=0
271  39.519224 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
272  39.520668    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/07/617475cf39bf6f5c0bd6ecb985335c.gif HTTP/1.1
273  39.520762 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=339 Ack=1112 Win=65535 Len=0
274  39.594079   64.4.21.39 -> 10.0.2.15    TCP 80 > 1062 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
275  39.594624    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
276  39.594651    10.0.2.15 -> 64.4.21.39   HTTP GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&rnd=1322546503680&rf=&scr=800x600 HTTP/1.1
277  39.594707   64.4.21.39 -> 10.0.2.15    TCP 80 > 1062 [ACK] Seq=1 Ack=791 Win=65535 Len=0
278  39.686830 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME blst.blu.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.47 A 65.54.81.24
279  39.688064    10.0.2.15 -> 65.54.81.47  TCP 1066 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
280  39.688328 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
281  39.688516    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
282  39.688690  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
283  39.689023  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
284  39.690695    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
285  39.690716    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
286  39.690727    10.0.2.15 -> 96.17.171.161 HTTP GET /partner/primedns.gif HTTP/1.1
287  39.690749    10.0.2.15 -> 65.54.81.24  HTTP GET /i/B7/EB75D45B8948F72EE451223E95A96.gif HTTP/1.1
288  39.690758    10.0.2.15 -> 65.54.81.24  HTTP GET /i/65/CDAB2F44A1591D2B308C20C6C15375.jpg HTTP/1.1
289  39.690786 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [ACK] Seq=1 Ack=492 Win=65535 Len=0
290  39.690805  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=1 Ack=372 Win=65535 Len=0
291  39.690816  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=1 Ack=372 Win=65535 Len=0
292  39.691986 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
293  39.693701    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/7d/7fda667169fb45760dd7152ddafd78.gif HTTP/1.1
294  39.693744  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
295  39.693804 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=339 Ack=1107 Win=65535 Len=0
296  39.694158    10.0.2.15 -> 65.54.81.24  HTTP GET /br/sc/js/cf/ece838bdac41f565b1c59d87c4c9cf63.js HTTP/1.1
297  39.694198  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
298  39.694217  65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [ACK] Seq=184 Ack=736 Win=65535 Len=0
299  39.708116 96.17.168.80 -> 10.0.2.15    HTTP HTTP/1.1 204 No Content
300  39.731730 70.37.130.35 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
301  39.769324 207.46.140.46 -> 10.0.2.15    HTTP HTTP/1.1 204 No Content
302  39.776036    10.0.2.15 -> 68.87.73.246 DNS Standard query A rad.msn.com
303  39.776145  65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
304  39.782075 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
305  39.786147    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/f8/614595fba50d96389708a4135776e4.gif HTTP/1.1
306  39.786252 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=509 Ack=1487 Win=65535 Len=0
307  39.852770    10.0.2.15 -> 65.54.81.24  TCP 1054 > 80 [ACK] Seq=364 Ack=185 Win=64056 Len=0
308  39.852800    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [ACK] Seq=383 Ack=249 Win=63992 Len=0
309  39.852816    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=1234 Ack=368 Win=63873 Len=0
310  39.928698  65.55.33.48 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
311  39.928761  65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [FIN, ACK] Seq=257 Ack=488 Win=65535 Len=0
312  39.929609    10.0.2.15 -> 65.55.33.48  TCP 1060 > 80 [ACK] Seq=488 Ack=258 Win=63984 Len=0
313  39.929655    10.0.2.15 -> 65.55.33.48  TCP 1060 > 80 [FIN, ACK] Seq=488 Ack=258 Win=63984 Len=0
314  39.929731  65.55.33.48 -> 10.0.2.15    TCP 80 > 1060 [ACK] Seq=258 Ack=489 Win=65535 Len=0
315  39.948119   64.4.21.39 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
316  39.952979    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=932 Ack=293 Win=63948 Len=0
317  39.953047    10.0.2.15 -> 65.55.18.18  TCP 1058 > 80 [ACK] Seq=915 Ack=371 Win=63870 Len=0
318  39.966706  65.54.81.47 -> 10.0.2.15    TCP 80 > 1066 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
319  39.967116    10.0.2.15 -> 65.54.81.47  TCP 1066 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
320  39.967167    10.0.2.15 -> 65.54.81.47  HTTP GET /as/wea3/i/en-us/law/11.gif HTTP/1.1
321  39.967213  65.54.81.47 -> 10.0.2.15    TCP 80 > 1066 [ACK] Seq=1 Ack=666 Win=65535 Len=0
322  39.973864 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
323  39.974378  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
324  39.974529  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
325  39.975523    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/0c/c57bc2a7d38843d7c4aa8028fc9f82.gif HTTP/1.1
326  39.975607 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=508 Ack=1481 Win=65535 Len=0
327  39.998798    10.0.2.15 -> 65.54.81.24  HTTP GET /i/93/FBAB2A6CE18375B5A6A8AB82A7DF1A.jpg HTTP/1.1
328  39.998894  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=171 Ack=744 Win=65535 Len=0
329  39.999124    10.0.2.15 -> 65.54.81.24  HTTP GET /i/C3/D7F23B32F2CD62EC115C23378FFE1.jpg HTTP/1.1
330  39.999176  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=170 Ack=743 Win=65535 Len=0
331  40.011676 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
332  40.042310 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME rad.msn.com.nsatc.net A 65.55.121.231 A 65.55.192.10
333  40.043911    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
334  40.053005 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
335  40.053287    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [ACK] Seq=791 Ack=423 Win=63818 Len=0
336  40.054856    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/c1/cc36ca69630adc1a2052edc7351a47.gif HTTP/1.1
337  40.054915 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [ACK] Seq=679 Ack=1861 Win=65535 Len=0
338  40.153403    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=492 Ack=277 Win=63964 Len=0
339  40.231698  65.54.81.47 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
340  40.240187 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
341  40.255247  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
342  40.259013    10.0.2.15 -> 65.54.81.24  HTTP GET /i/A2/CB94E521DF334C97CB2DC5056A52E.jpg HTTP/1.1
343  40.259091  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=339 Ack=1114 Win=65535 Len=0
344  40.261390  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
345  40.262416    10.0.2.15 -> 65.54.81.24  HTTP GET /i/E2/7244F875BC3B1936217FC28AC541.jpg HTTP/1.1
346  40.262477  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=338 Ack=1023 Win=65535 Len=0
347  40.295186 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
348  40.295368    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
349  40.296893    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNPFS&AP=1089 HTTP/1.1
350  40.296959 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [ACK] Seq=1 Ack=771 Win=65535 Len=0
351  40.322531 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
352  40.353817    10.0.2.15 -> 65.54.81.47  TCP 1066 > 80 [ACK] Seq=666 Ack=1208 Win=63033 Len=0
353  40.353850    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1481 Ack=678 Win=63563 Len=0
354  40.453894    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1861 Ack=849 Win=63392 Len=0
355  40.524032  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
356  40.528151    10.0.2.15 -> 65.54.81.24  HTTP GET /i/14/37366221F516EE388EAC8C26DC4FE9.jpg HTTP/1.1
357  40.528255  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=507 Ack=1396 Win=65535 Len=0
358  40.531938  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
359  40.531989  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
360  40.532222  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
361  40.532260    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [ACK] Seq=1023 Ack=1786 Win=64240 Len=0
362  40.532302  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
363  40.532631    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [ACK] Seq=1023 Ack=3234 Win=62792 Len=0
364  40.533444  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
365  40.533500  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
366  40.533600    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [ACK] Seq=1023 Ack=4682 Win=64240 Len=0
367  40.535446  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
368  40.535491  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
369  40.535892    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [ACK] Seq=1023 Ack=6130 Win=62792 Len=0
370  40.536668  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (JPEG JFIF image)
371  40.538144    10.0.2.15 -> 65.54.81.24  HTTP GET /i/25/4075B47E5BDF545B1FB27F1C75CDEC.jpg HTTP/1.1
372  40.538206  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=6514 Ack=1395 Win=65535 Len=0
373  40.571685 65.55.121.231 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
374  40.571749 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
375  40.572327    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=771 Ack=1870 Win=64240 Len=0
376  40.647941  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
377  40.648000    10.0.2.15 -> 68.87.73.246 DNS Standard query A ads.pointroll.com
378  40.723783    10.0.2.15 -> 65.55.18.18  HTTP GET /msn/msnhp_us_ttg?ty=TBCB&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
379  40.723783  65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [ACK] Seq=371 Ack=1813 Win=65535 Len=0
380  40.803441  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
381  40.803523  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
382  40.803534  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
383  40.803827  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
384  40.803865    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [ACK] Seq=1396 Ack=1955 Win=64240 Len=0
385  40.803911  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
386  40.804073    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [ACK] Seq=1396 Ack=3403 Win=62792 Len=0
387  40.804503  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
388  40.804542  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
389  40.804853    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [ACK] Seq=1396 Ack=4851 Win=64240 Len=0
390  40.806526  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
391  40.806560  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
392  40.807193    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [ACK] Seq=1396 Ack=6299 Win=62792 Len=0
393  40.807992  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (JPEG JFIF image)
394  40.856905    10.0.2.15 -> 65.54.81.24  TCP 1055 > 80 [ACK] Seq=736 Ack=367 Win=63874 Len=0
395  40.861585    10.0.2.15 -> 65.54.81.24  HTTP GET /i/E2/37BA92E210D341BFDBF4126422A3D2.gif HTTP/1.1
396  40.861609    10.0.2.15 -> 65.54.81.24  HTTP GET /i/C4/9F97E4662E66D88ACDC52D97FC6C1.jpg HTTP/1.1
397  40.861689  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=6932 Ack=1767 Win=65535 Len=0
398  40.861708  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=6682 Ack=1765 Win=65535 Len=0
399  40.880472 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 72.32.153.176
400  40.882015    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
401  40.969332    10.0.2.15 -> 96.17.171.161 HTTP GET /sck?cn=_SS&r=http://www.msn.com/sck.aspx&form=MSN005&h=b8642205-0de1-dc10-ed9b-66c5af494dd5 HTTP/1.1
402  40.969549 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [ACK] Seq=277 Ack=1165 Win=65535 Len=0
403  40.972923    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
404  40.975068    10.0.2.15 -> 68.87.73.246 DNS Standard query A api.bing.com
405  40.999068    10.0.2.15 -> 65.54.81.24  HTTP GET /br/sc/js/51/anatm.js HTTP/1.1
406  40.999068  65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [ACK] Seq=185 Ack=714 Win=65535 Len=0
407  40.999068    10.0.2.15 -> 65.55.18.18  TCP 1070 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
408  41.064842  65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
409  41.143402  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
410  41.143476  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
411  41.151195    10.0.2.15 -> 65.54.81.24  HTTP GET /i/AD/A7F1B2A19D642097AC7567BCFCC2.jpg HTTP/1.1
412  41.151220    10.0.2.15 -> 65.54.81.24  HTTP GET /i/96/FFFA8C9EF55535D7A289CE662951.jpg HTTP/1.1
413  41.151299  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7101 Ack=2136 Win=65535 Len=0
414  41.151320  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=6850 Ack=2135 Win=65535 Len=0
415  41.189538 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
416  41.190057    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
417  41.190073    10.0.2.15 -> 72.32.153.176 HTTP GET /PortalServe/?pid=1501166P77620111115192417&flash=6&time=2|1:1|-5&pos=s&ajx=1&redir=$CTURL$&r=0.970374845534282 HTTP/1.1
418  41.190128 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [ACK] Seq=1 Ack=354 Win=65535 Len=0
419  41.250078 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME search.ms.com.edgesuite.net CNAME a134.b.akamai.net A 96.17.171.99 A 96.17.171.161
420  41.251219 96.17.171.161 -> 10.0.2.15    TCP 80 > 1069 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
421  41.251269    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
422  41.251658    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
423  41.251679    10.0.2.15 -> 96.17.171.161 HTTP GET /s/as/899538/en.js HTTP/1.1
424  41.251728 96.17.171.161 -> 10.0.2.15    TCP 80 > 1069 [ACK] Seq=1 Ack=489 Win=65535 Len=0
425  41.256685    10.0.2.15 -> 65.55.18.18  TCP 1058 > 80 [ACK] Seq=1813 Ack=741 Win=63500 Len=0
426  41.273484  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
427  41.297670 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
428  41.345989  65.55.18.18 -> 10.0.2.15    TCP 80 > 1070 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
429  41.346529    10.0.2.15 -> 65.55.18.18  TCP 1070 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
430  41.346547    10.0.2.15 -> 65.55.18.18  HTTP GET /msn/msnhp_us_ttg?ty=TACB&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
431  41.346610  65.55.18.18 -> 10.0.2.15    TCP 80 > 1070 [ACK] Seq=1 Ack=899 Win=65535 Len=0
432  41.385740    10.0.2.15 -> 207.46.140.34 HTTP GET /sck.aspx?cv=_SS%3dSID%3d7415D61A534D4976A4769A771B40DC4E%3b&h=b8642205-0de1-dc10-ed9b-66c5af494dd5 HTTP/1.1
433  41.385855 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=39854 Ack=1853 Win=65535 Len=0
434  41.431317  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
435  41.434812    10.0.2.15 -> 65.54.81.24  HTTP GET /i/EE/4DA23F4C5870A75228FEAFD14EFBF.gif HTTP/1.1
436  41.434897  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7269 Ack=2506 Win=65535 Len=0
437  41.436012  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
438  41.439276    10.0.2.15 -> 65.54.81.24  HTTP GET /i/5D/EE55A9EE91D76B923A4CD03D9B9A.jpg HTTP/1.1
439  41.439343  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7018 Ack=2504 Win=65535 Len=0
440  41.456934    10.0.2.15 -> 65.54.81.24  TCP 1054 > 80 [ACK] Seq=714 Ack=369 Win=63872 Len=0
441  41.456959    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1165 Ack=778 Win=63463 Len=0
442  41.510225 72.32.153.176 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
443  41.510686 72.32.153.176 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
444  41.511128    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=2723 Win=64240 Len=0
445  41.511186 72.32.153.176 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
446  41.544137 96.17.171.99 -> 10.0.2.15    TCP 80 > 1071 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
447  41.544642    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
448  41.544660    10.0.2.15 -> 96.17.171.99 HTTP GET /qsonhs.aspx?form=MSN005&q= HTTP/1.1
449  41.544730 96.17.171.99 -> 10.0.2.15    TCP 80 > 1071 [ACK] Seq=1 Ack=397 Win=65535 Len=0
450  41.545295 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
451  41.563559 72.32.153.176 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
452  41.563617 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [FIN, ACK] Seq=3937 Ack=354 Win=65535 Len=0
453  41.565949    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=3937 Win=63026 Len=0
454  41.565969    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=3938 Win=63026 Len=0
455  41.565979    10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [FIN, ACK] Seq=354 Ack=3938 Win=63026 Len=0
456  41.566038 72.32.153.176 -> 10.0.2.15    TCP 80 > 1068 [ACK] Seq=3938 Ack=355 Win=65535 Len=0
457  41.659015    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [ACK] Seq=489 Ack=241 Win=64000 Len=0
458  41.716634  65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
459  41.736305  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
460  41.736769  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
461  41.736838    10.0.2.15 -> 65.54.81.24  HTTP GET /i/A0/C9428460AFED1C89A9476537C01E6C.jpg HTTP/1.1
462  41.736918  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7436 Ack=2877 Win=65535 Len=0
463  41.737847    10.0.2.15 -> 65.54.81.24  HTTP GET /i/4F/B454FA8321E9C9FB98FC0ED6C9B31.jpg HTTP/1.1
464  41.737898  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7186 Ack=2874 Win=65535 Len=0
465  41.763584 207.46.140.34 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
466  41.815036    10.0.2.15 -> 68.87.73.246 DNS Standard query A ad.doubleclick.net
467  41.815036    10.0.2.15 -> 68.87.73.246 DNS Standard query A speed.pointroll.com
468  41.863684    10.0.2.15 -> 65.55.18.18  TCP 1070 > 80 [ACK] Seq=899 Ack=371 Win=63870 Len=0
469  41.875036 96.17.171.99 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (application/json)
470  41.959015    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=1853 Ack=41235 Win=62859 Len=0
471  41.981056    10.0.2.15 -> 65.54.81.24  HTTP GET /br/sc/js/1c/4a0253de6eac448d8f2c39c53f8926.js HTTP/1.1
472  41.981188  65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [ACK] Seq=367 Ack=1208 Win=65535 Len=0
473  42.029614  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
474  42.029763  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
475  42.059567    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [ACK] Seq=397 Ack=183 Win=64058 Len=0
476  42.103334 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME dart.l.doubleclick.net A 74.125.226.219
477  42.109345 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME speed.pointroll.com.edgesuite.net CNAME a1343.g.akamai.net A 96.17.168.113 A 96.17.168.91
478  42.115036    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
479  42.119160    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
480  42.124497    10.0.2.15 -> 65.54.81.24  HTTP GET /i/A9/7AA2D84B8DBC1D16190B37053EA70.jpg HTTP/1.1
481  42.124517    10.0.2.15 -> 65.54.81.24  HTTP GET /i/74/59D9EBE09028E93076FEB538BDF8AD.jpg HTTP/1.1
482  42.124582  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7604 Ack=3248 Win=65535 Len=0
483  42.124608  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7354 Ack=3246 Win=65535 Len=0
484  42.136035    10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/5f/5280118e68aedbc5821d17132a5340.gif HTTP/1.1
485  42.136184 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [ACK] Seq=678 Ack=1855 Win=65535 Len=0
486  42.271036  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
487  42.411033 96.17.168.113 -> 10.0.2.15    TCP 80 > 1073 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
488  42.415015    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
489  42.415015    10.0.2.15 -> 96.17.168.113 HTTP GET /PointRoll/Media/Banners/Ford/915428/2011_YECMSN3for40_ML_EXP_300x250_Default.jpg?PRAd=1544247&PRCID=1544247&PRplcmt=1501166&PRPID=1501166 HTTP/1.1
490  42.415015 96.17.168.113 -> 10.0.2.15    TCP 80 > 1073 [ACK] Seq=1 Ack=423 Win=65535 Len=0
491  42.415536 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
492  42.415679    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
493  42.419616    10.0.2.15 -> 74.125.226.219 HTTP GET /imp;v1;f;248163114;0-0;0;73804323;1%7C1;39709740%7C39727527%7C1;;cs=f;%3fhttp://ad.doubleclick.net/dot.gif?0.970374845534282 HTTP/1.1
494  42.419679 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [ACK] Seq=1 Ack=464 Win=65535 Len=0
495  42.422923  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
496  42.427066  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 304 Not Modified
497  42.427692 65.54.81.209 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
498  42.459605    10.0.2.15 -> 65.54.81.24  TCP 1055 > 80 [ACK] Seq=1208 Ack=551 Win=63690 Len=0
499  42.505684    10.0.2.15 -> 96.17.171.161 HTTP GET /msnhomepagehistory.aspx?sid=7415D61A534D4976A4769A771B40DC4E&_=1322546507615 HTTP/1.1
500  42.505829 96.17.171.161 -> 10.0.2.15    TCP 80 > 1065 [ACK] Seq=778 Ack=1704 Win=65535 Len=0
502  42.526183    10.0.2.15 -> 65.55.18.18  HTTP GET /msn/msnhp_us_ttg?ty=tl&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
503  42.526291  65.55.18.18 -> 10.0.2.15    TCP 80 > 1058 [ACK] Seq=741 Ack=2751 Win=65535 Len=0
504  42.535068    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNHQ2&AP=1402 HTTP/1.1
505  42.535068 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [ACK] Seq=1870 Ack=1541 Win=65535 Len=0
506  42.541397    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
507  42.559068    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1855 Ack=1207 Win=63034 Len=0
508  42.559068    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [ACK] Seq=3246 Ack=7522 Win=63232 Len=0
509  42.559068    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [ACK] Seq=3248 Ack=7772 Win=63400 Len=0
510  42.673409 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
511  42.673487 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
512  42.673916 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
513  42.673970    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=1449 Win=62792 Len=0
514  42.674015 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
515  42.674261 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
516  42.674334    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=2897 Win=64240 Len=0
517  42.674404 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
518  42.674767 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
519  42.674803 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
520  42.674809    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=4345 Win=62792 Len=0
521  42.675405    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=5793 Win=64240 Len=0
522  42.686493 65.55.121.231 -> 10.0.2.15    TCP 80 > 1074 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
523  42.686981    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
524  42.686998    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNIF1&AP=1455 HTTP/1.1
525  42.687061 65.55.121.231 -> 10.0.2.15    TCP 80 > 1074 [ACK] Seq=1 Ack=771 Win=65535 Len=0
526  42.687542 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
527  42.687594 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
528  42.687926 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
529  42.687986    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=7241 Win=62792 Len=0
530  42.688059 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
531  42.688083 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
532  42.688104 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
533  42.688436 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
534  42.688468    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=8689 Win=64240 Len=0
535  42.688482    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=10137 Win=62792 Len=0
536  42.688526 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
537  42.688990    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=11585 Win=64240 Len=0
538  42.692714 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
539  42.692765 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
540  42.693000 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
541  42.693064    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=13033 Win=62792 Len=0
542  42.693112 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
543  42.693961    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=14481 Win=64240 Len=0
544  42.696698 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
545  42.696740 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
546  42.697002 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
547  42.697043    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=15929 Win=62792 Len=0
548  42.697091 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
549  42.697385 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
550  42.697420    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=17377 Win=64240 Len=0
551  42.697493 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
552  42.697742 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
553  42.697796    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=18825 Win=62792 Len=0
554  42.697845 96.17.168.113 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
555  42.697858 96.17.168.113 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (JPEG JFIF image)
556  42.698340    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=20273 Win=64240 Len=0
557  42.698569 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
558  42.707512 74.125.226.219 -> 10.0.2.15    HTTP HTTP/1.1 302 Moved Temporarily
559  42.712399 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
560  42.739017    10.0.2.15 -> 74.125.226.219 HTTP GET /dot.gif?0.970374845534282 HTTP/1.1
561  42.739017 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [ACK] Seq=196 Ack=828 Win=65535 Len=0
562  42.739017    10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNSUR&AP=1089 HTTP/1.1
563  42.739017 65.55.121.231 -> 10.0.2.15    TCP 80 > 1067 [ACK] Seq=2918 Ack=2311 Win=65535 Len=0
564  42.750353 96.17.171.161 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/javascript)
565  42.751066    10.0.2.15 -> 68.87.73.246 DNS Standard query A ad.wsod.com
566  42.755297 65.55.121.231 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
567  42.756436  65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
568  42.769281 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 209.234.225.242
569  42.774998    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
570  42.779251 74.125.226.219 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
571  42.819327    10.0.2.15 -> 68.87.73.246 DNS Standard query A ads2.msads.net
572  42.823411    10.0.2.15 -> 74.125.226.219 HTTP GET /ad/N4492.MSN/B5014254.187;sz=1x1;ord=1124616328? HTTP/1.1
573  42.823584 74.125.226.219 -> 10.0.2.15    TCP 80 > 1072 [ACK] Seq=408 Ack=1215 Win=65535 Len=0
574  42.831942 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME msnads.vo.msecnd.net A 65.54.81.161 A 65.54.81.152
575  42.835114    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
576  42.841377 209.234.225.242 -> 10.0.2.15    TCP 80 > 1075 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
577  42.841639    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
578  42.842983    10.0.2.15 -> 209.234.225.242 HTTP GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/2398.1579.tk.177x20/725237877 HTTP/1.1
579  42.843061 209.234.225.242 -> 10.0.2.15    TCP 80 > 1075 [ACK] Seq=1 Ack=447 Win=65535 Len=0
580  42.849859 65.54.81.161 -> 10.0.2.15    TCP 80 > 1076 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
581  42.851660    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
582  42.851682    10.0.2.15 -> 65.54.81.161 HTTP GET /CIS/95/000/000/000/019/637.jpg HTTP/1.1
583  42.851746 65.54.81.161 -> 10.0.2.15    TCP 80 > 1076 [ACK] Seq=1 Ack=271 Win=65535 Len=0
584  42.859036    10.0.2.15 -> 65.55.18.18  TCP 1058 > 80 [ACK] Seq=2751 Ack=1111 Win=63130 Len=0
585  42.859036    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=2311 Ack=3661 Win=64240 Len=0
586  42.859177    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1704 Ack=1561 Win=64240 Len=0
587  42.859192    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=20816 Win=63697 Len=0
588  42.859201    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [ACK] Seq=771 Ack=1042 Win=63199 Len=0
589  42.866584 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
590  42.866630 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
591  42.866817    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=1449 Win=62792 Len=0
592  42.866872 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
593  42.866906 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
594  42.867362    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=2897 Win=64240 Len=0
595  42.869225 74.125.226.219 -> 10.0.2.15    HTTP HTTP/1.1 302 Moved Temporarily
596  42.870642    10.0.2.15 -> 68.87.73.246 DNS Standard query A m.doubleclick.net
597  42.879138 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
598  42.879176 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
599  42.879606 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
600  42.879650    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=4345 Win=62792 Len=0
601  42.879712 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
602  42.879752 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
603  42.879770 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
604  42.879960    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=5793 Win=64240 Len=0
605  42.879984    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=7241 Win=62792 Len=0
606  42.880034 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
607  42.880063 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
608  42.880599    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=8689 Win=64240 Len=0
609  42.880669 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
610  42.880708 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
611  42.880851    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=10137 Win=62792 Len=0
612  42.881147 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
613  42.881180 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
614  42.881718    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=11585 Win=64240 Len=0
615  42.881931 68.87.73.246 -> 10.0.2.15    DNS Standard query response CNAME s0-2mdn-net.l.google.com A 74.125.226.251
616  42.883451    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
617  42.883774 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
618  42.883814 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
619  42.884081 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
620  42.884132    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=13033 Win=62792 Len=0
621  42.884182 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
622  42.884760    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=14481 Win=64240 Len=0
623  42.891069 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
624  42.891106 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
625  42.891258    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=15929 Win=62792 Len=0
626  42.891421 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
627  42.891474 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
628  42.891698    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=17377 Win=64240 Len=0
629  42.891736 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
630  42.891756 65.54.81.161 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
631  42.892333    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=18825 Win=62792 Len=0
632  42.895527 65.54.81.161 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (JPEG JFIF image)
633  42.910686 209.234.225.242 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
634  42.912344 74.125.226.251 -> 10.0.2.15    TCP 80 > 1077 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
635  42.912673    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
636  42.914697    10.0.2.15 -> 74.125.226.251 HTTP GET /dot.gif HTTP/1.1
637  42.914776 74.125.226.251 -> 10.0.2.15    TCP 80 > 1077 [ACK] Seq=1 Ack=346 Win=65535 Len=0
638  42.936684 74.125.226.251 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
639  43.059351    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=19542 Win=64240 Len=0
640  43.059392    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=447 Ack=585 Win=63656 Len=0
641  43.059403    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [ACK] Seq=346 Ack=361 Win=63880 Len=0
642  43.059411    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [ACK] Seq=1215 Ack=627 Win=63614 Len=0
643  44.111447  65.54.81.47 -> 10.0.2.15    TCP 80 > 1066 [FIN, ACK] Seq=1208 Ack=666 Win=65535 Len=0
644  44.111703    10.0.2.15 -> 65.54.81.47  TCP 1066 > 80 [ACK] Seq=666 Ack=1209 Win=63033 Len=0
645  44.125425 65.54.81.209 -> 10.0.2.15    TCP 80 > 1052 [FIN, ACK] Seq=849 Ack=1861 Win=65535 Len=0
646  44.125599    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1861 Ack=850 Win=63392 Len=0
647  45.110536  65.54.81.24 -> 10.0.2.15    TCP 80 > 1054 [FIN, ACK] Seq=369 Ack=714 Win=65535 Len=0
648  45.110771    10.0.2.15 -> 65.54.81.24  TCP 1054 > 80 [ACK] Seq=714 Ack=370 Win=63872 Len=0
649  45.913572 209.234.225.242 -> 10.0.2.15    TCP 80 > 1075 [FIN, ACK] Seq=585 Ack=447 Win=65535 Len=0
650  45.914044    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=447 Ack=586 Win=63656 Len=0
651  46.015286    10.0.2.15 -> 65.54.81.24  HTTP GET /i/D0/4278717F7C190E446356444E97F5A.jpg HTTP/1.1
652  46.015286  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7772 Ack=3529 Win=65535 Len=0
653  46.021859    10.0.2.15 -> 65.55.18.18  HTTP GET /ro.aspx?evt=br&di=340&pi=7317&ps=95101&rid=&cts=1322546511130&ce=1&hl=SWP22&cm=head%3Ecb1 HTTP/1.1
654  46.021940  65.55.18.18 -> 10.0.2.15    TCP 80 > 1070 [ACK] Seq=371 Ack=1837 Win=65535 Len=0
655  46.023977    10.0.2.15 -> 70.37.130.35 HTTP GET /c.gif?evt=br&rid=&exa=msnhp_us_master_v2%3AWP10_5%2Cmsnhp_us_anbov2%3AT2&cts=1322546511130&aop=&expac=673II6B39_0912%3AT2~40II3a39_0803%3AWP10_5%7C&fk=W&gp=P&optkey=default&clid=3CE72C262627635C3C662E93222763E1&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT3WANBOV2T2&pid=6875603&su=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&pageid=6875603&ce=1&hl=SWP22&cm=head%3Ecb1 HTTP/1.1
656  46.024062 70.37.130.35 -> 10.0.2.15    TCP 80 > 1059 [ACK] Seq=368 Ack=2249 Win=65535 Len=0
657  46.110765  65.54.81.24 -> 10.0.2.15    TCP 80 > 1055 [FIN, ACK] Seq=551 Ack=1208 Win=65535 Len=0
658  46.110950    10.0.2.15 -> 65.54.81.24  TCP 1055 > 80 [ACK] Seq=1208 Ack=552 Win=63690 Len=0
659  46.111199  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [FIN, ACK] Seq=7522 Ack=3246 Win=65535 Len=0
660  46.111313    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [ACK] Seq=3246 Ack=7523 Win=63232 Len=0
661  46.111460  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [FIN, ACK] Seq=7772 Ack=3529 Win=65535 Len=0
662  46.112343    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [ACK] Seq=3529 Ack=7773 Win=63400 Len=0
663  46.112364    10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [RST, ACK] Seq=447 Ack=586 Win=0 Len=0
664  46.112380    10.0.2.15 -> 65.54.81.47  TCP 1066 > 80 [RST, ACK] Seq=666 Ack=1209 Win=0 Len=0
665  46.112389    10.0.2.15 -> 65.54.81.24  TCP 1054 > 80 [RST, ACK] Seq=714 Ack=370 Win=0 Len=0
666  46.112397    10.0.2.15 -> 65.54.81.24  TCP 1055 > 80 [RST, ACK] Seq=1208 Ack=552 Win=0 Len=0
667  46.112406    10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [RST, ACK] Seq=1861 Ack=850 Win=0 Len=0
668  46.112691    10.0.2.15 -> 65.54.81.24  TCP 1064 > 80 [FIN, ACK] Seq=3529 Ack=7773 Win=63400 Len=0
669  46.112749  65.54.81.24 -> 10.0.2.15    TCP 80 > 1064 [ACK] Seq=7773 Ack=3530 Win=65535 Len=0
670  46.114825    10.0.2.15 -> 65.54.81.24  TCP 1063 > 80 [FIN, ACK] Seq=3246 Ack=7523 Win=63232 Len=0
671  46.114847    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
672  46.114914  65.54.81.24 -> 10.0.2.15    TCP 80 > 1063 [ACK] Seq=7523 Ack=3247 Win=65535 Len=0
673  46.114979 65.54.81.161 -> 10.0.2.15    TCP 80 > 1076 [FIN, ACK] Seq=19542 Ack=271 Win=65535 Len=0
674  46.115148    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=19543 Win=64240 Len=0
675  46.117442 65.54.81.209 -> 10.0.2.15    TCP 80 > 1053 [FIN, ACK] Seq=1207 Ack=1855 Win=65535 Len=0
676  46.117592    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1855 Ack=1208 Win=63034 Len=0
677  46.152358 70.37.130.35 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
678  46.187614  65.54.81.24 -> 10.0.2.15    TCP 80 > 1078 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
679  46.188088    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
680  46.188111    10.0.2.15 -> 65.54.81.24  HTTP GET /i/D0/4278717F7C190E446356444E97F5A.jpg HTTP/1.1
681  46.188166  65.54.81.24 -> 10.0.2.15    TCP 80 > 1078 [ACK] Seq=1 Ack=282 Win=65535 Len=0
682  46.202724  65.55.18.18 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (GIF89a)
683  46.264115    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=2249 Ack=735 Win=63506 Len=0
684  46.285768  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
685  46.285830  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
686  46.286098  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
687  46.286134    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=1449 Win=62792 Len=0
688  46.286175  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
689  46.286853    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=2897 Win=64240 Len=0
690  46.348872  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
691  46.348930  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
692  46.349148    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=4345 Win=62792 Len=0
693  46.349189  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
694  46.349214  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
695  46.349435    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=5793 Win=64240 Len=0
696  46.349475  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
697  46.349502  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
698  46.349924  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
699  46.350051  65.54.81.24 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
700  46.350277  65.54.81.24 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (JPEG JFIF image)
701  46.357721    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=7241 Win=62792 Len=0
702  46.357745    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=8689 Win=64240 Len=0
703  46.367174    10.0.2.15 -> 65.55.18.18  TCP 1070 > 80 [ACK] Seq=1837 Ack=741 Win=63500 Len=0
704  46.467160    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=9620 Win=63309 Len=0
705  47.921611    10.0.2.15 -> 207.46.140.34 HTTP GET /?euid=3CE72C262627635C3C662E93222763E1&userGroup=W:default&PM=z:1&zipCode=22310&newsProviderId=WRC&weaDegreeType=F&weaLocations=wc%3A10067507 HTTP/1.1
706  47.921794 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [ACK] Seq=41235 Ack=2799 Win=65535 Len=0
707  48.289718 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
708  48.289792 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
709  48.290040 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
710  48.290067 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
711  48.290076    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=42683 Win=64240 Len=0
712  48.290336 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
713  48.290369 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
714  48.290376    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=44131 Win=62792 Len=0
715  48.290871    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=45579 Win=64240 Len=0
716  48.291047 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
717  48.291073 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
718  48.291559 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
719  48.291583 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
720  48.291591    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=47027 Win=62792 Len=0
721  48.291921 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
722  48.292038    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=48475 Win=64240 Len=0
723  48.292068 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
724  48.292299 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
725  48.292383    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=49923 Win=62792 Len=0
726  48.292425 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
727  48.292808 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
728  48.292897    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=51371 Win=64240 Len=0
729  48.292939 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
730  48.293314 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
731  48.293343 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
732  48.293352    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=52819 Win=62792 Len=0
733  48.293786 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
734  48.293871    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=54267 Win=64240 Len=0
735  48.293913 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
736  48.294222 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
737  48.294250    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=55715 Win=62792 Len=0
738  48.294274 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
739  48.294679 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
740  48.294706 207.46.140.34 -> 10.0.2.15    TCP [TCP segment of a reassembled PDU]
741  48.294712    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=57163 Win=64240 Len=0
742  48.294834    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=58611 Win=62792 Len=0
743  48.295187 207.46.140.34 -> 10.0.2.15    HTTP HTTP/1.1 200 OK  (text/html)
744  48.467164    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=59959 Win=64240 Len=0
745  50.112739  65.54.81.24 -> 10.0.2.15    TCP 80 > 1078 [FIN, ACK] Seq=9620 Ack=282 Win=65535 Len=0
746  50.112974    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [ACK] Seq=282 Ack=9621 Win=63309 Len=0
747  53.294480    10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [RST, ACK] Seq=271 Ack=19543 Win=0 Len=0
748  53.294505    10.0.2.15 -> 65.54.81.24  TCP 1078 > 80 [RST, ACK] Seq=282 Ack=9621 Win=0 Len=0
749  53.294515    10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [RST, ACK] Seq=1855 Ack=1208 Win=0 Len=0
750  98.359689    10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [RST, ACK] Seq=1129 Ack=298 Win=0 Len=0
751  98.360086    10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [RST, ACK] Seq=1291 Ack=547 Win=0 Len=0
753  99.281366 207.46.140.46 -> 10.0.2.15    TCP 80 > 1057 [FIN, ACK] Seq=293 Ack=932 Win=65535 Len=0
754  99.281589    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=932 Ack=294 Win=63948 Len=0
755 103.368611    10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [RST, ACK] Seq=346 Ack=361 Win=0 Len=0
756 103.368642    10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [RST, ACK] Seq=423 Ack=20816 Win=0 Len=0
757 103.368652    10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [RST, ACK] Seq=1215 Ack=627 Win=0 Len=0
758 103.368661    10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [RST, ACK] Seq=397 Ack=183 Win=0 Len=0
759 103.368669    10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [RST, ACK] Seq=771 Ack=1042 Win=0 Len=0
760 103.368677    10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [RST, ACK] Seq=2311 Ack=3661 Win=0 Len=0
761 103.369276    10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [RST, ACK] Seq=489 Ack=241 Win=0 Len=0
762 103.369290    10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [RST, ACK] Seq=1704 Ack=1561 Win=0 Len=0
763 103.369298    10.0.2.15 -> 64.4.21.39   TCP 1062 > 80 [RST, ACK] Seq=791 Ack=423 Win=0 Len=0
764 103.369901    10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [RST, ACK] Seq=383 Ack=249 Win=0 Len=0
765 103.369913    10.0.2.15 -> 65.55.18.18  TCP 1058 > 80 [RST, ACK] Seq=2751 Ack=1111 Win=0 Len=0
766 103.369922    10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [RST, ACK] Seq=932 Ack=294 Win=0 Len=0
767 104.617462 207.46.140.34 -> 10.0.2.15    TCP 80 > 1051 [FIN, ACK] Seq=59959 Ack=2799 Win=65535 Len=0
768 104.617775    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=59960 Win=64240 Len=0
769 108.373475    10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [RST, ACK] Seq=2249 Ack=735 Win=0 Len=0
770 108.374044    10.0.2.15 -> 65.55.18.18  TCP 1070 > 80 [RST, ACK] Seq=1837 Ack=741 Win=0 Len=0
771 108.374060    10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [RST, ACK] Seq=2799 Ack=59960 Win=0 Len=0



74/[2011-11-29 01:05:43] "C:\APT_Conference information for next week.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d8caps.dat"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d9caps.dat"
74/[2011-11-29 01:05:44] "iso88591"
74  44.123769    10.0.2.15 -> 110.142.12.95 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  56.143195    10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 78  59.145745    10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 80  65.154873    10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 83  77.173225    10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 84  80.176440    10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460


75/[2011-11-29 01:06:22] "C:\APT_DOB Aug 2011.pdf"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\cmd.exe"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\crypt32.dll"
75/[2011-11-29 01:06:22] "iso88591"
 43  24.071248    10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
 47  24.758951 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 58.68.224.24
 48  25.287274    10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 50  25.746641 58.68.224.24 -> 10.0.2.15    TCP 80 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 51  25.746656    10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 52  25.747357    10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
 53  25.747373    10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
 54  25.747430 58.68.224.24 -> 10.0.2.15    TCP 80 > 1046 [ACK] Seq=1 Ack=236 Win=65535 Len=0
 55  25.747449 58.68.224.24 -> 10.0.2.15    TCP 80 > 1046 [ACK] Seq=1 Ack=1516 Win=65535 Len=0


76/[2011-11-29 01:08:49] "C:\APT_g20 summit.pdf"
76/[2011-11-29 01:08:49] "C:\WINDOWS\system32\d3d9caps.dat"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
76/[2011-11-29 01:08:50] "C:\WINDOWS\system32\d3d8caps.dat"
76/[2011-11-29 01:08:50] "iso88591"
 1   0.000000              ->              Ethernet [Packet size limited during capture]
 60  34.827483    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 62  35.375156 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 63  35.375595    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 64  35.375614    10.0.2.15 -> 203.92.33.98 SSL Continuation Data
 65  35.375670 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [ACK] Seq=1 Ack=192 Win=65535 Len=0
 66  35.643683 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0
 67  35.644358    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=192 Ack=2 Win=64240 Len=0
 68  35.644382    10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [FIN, ACK] Seq=192 Ack=2 Win=64240 Len=0
 69  35.644435 203.92.33.98 -> 10.0.2.15    TCP 443 > 1044 [ACK] Seq=2 Ack=193 Win=65535 Len=0
 70  35.646130    10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 72  36.192141 211.233.62.146 -> 10.0.2.15    TCP 443 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 73  36.192503    10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 74  36.192520    10.0.2.15 -> 211.233.62.146 SSL Continuation Data


77/[2011-11-29 01:09:27] "C:\APT_ID194.pdf"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\cmd.exe"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\crypt32.dll"
77/[2011-11-29 01:09:27] "iso88591"
  1   0.000000              ->              Ethernet [Packet size limited during capture]
 42  23.708044    10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
 43  24.209549 68.87.73.246 -> 10.0.2.15    DNS Standard query response A 58.68.224.24
 44  24.213107    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 48  24.732612 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 49  24.733912    10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 50  24.735034    10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
 51  24.735034 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=236 Win=65535 Len=0
 52  24.736365    10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
 53  24.736428 58.68.224.24 -> 10.0.2.15    TCP 80 > 1045 [ACK] Seq=1 Ack=1516 Win=65535 Len=0


78/[2011-11-29 01:11:54] "C:\APT_military procurement.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d8caps.dat"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d9caps.dat"
78/[2011-11-29 01:11:55] "iso88591"
60  34.295971    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 65  37.284641    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 67  37.841869 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
 68  37.842133    10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
 69  37.843287    10.0.2.15 -> 203.116.203.67 SSL Continuation Data
 70  37.843342 203.116.203.67 -> 10.0.2.15    TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0


79/[2011-11-29 01:14:22] "C:\APT_NorthKorea.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d8caps.dat"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d9caps.dat"
79/[2011-11-29 01:14:22] "iso88591"
60  34.992584    10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 65  37.908912    10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 73  43.943196    10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 75  60.967116    10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 77  63.970209    10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460


80/[2011-11-29 01:16:51] "C:\APT_Nuclear Security and Summit Diplomacy.pdf"
80/[2011-11-29 01:16:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\A9R83C7.tmp"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d8caps.dat"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d9caps.dat"
80/[2011-11-29 01:16:54] "C:\WINDOWS\AutoUpdate.exe"
80/[2011-11-29 01:16:54] "C:\WINDOWS\ºÓ°]«O96-97³q°T¿Ã½.pdf"
----

81/[2011-11-29 01:19:57] "C:\APT_statement.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d8caps.dat"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d9caps.dat"
81/[2011-11-29 01:19:58] "iso88591"

72  54.979463    10.0.2.15 -> 78.39.236.6  TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 75  57.981829    10.0.2.15 -> 78.39.236.6  TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 78  63.990170    10.0.2.15 -> 78.39.236.6  TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 81  76.008794    10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
 83  79.012034    10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460

Download

Download 30 analysis packages as a password protected archive (contact me if you need the password)


10 comments:

  1. Hello, I'm doing some research on APT attacks and I'm very intersted in these PDF files and their behaviors.Could you please send me the password? thanks in advance! My email address: 780142207@qq.com

    ReplyDelete
  2. It would be very helpful if a summary of CVE's exploited was available. If any of these used a previously unreported exploit, with coordinated disclosure as well.

    ReplyDelete
  3. Dave, there are no zero days in the pack, most are CVE-2011-0611 and maybe a few other old ones as well.I will be posting CVE# in the future. Thank you for reading and feedback

    ReplyDelete
  4. Hi, I am doing a lot of malware analysis on my own so I would love to have a look on these pdf files and the analysis reports also. It would be great if you shared the password, my mail is tomeye[at]freemail.gr
    Thanassis

    ReplyDelete
  5. PDF files are very famous. It has so many benefits thus making it popular.

    Sample Emails

    ReplyDelete
  6. Hello, I'm doing some research on Vulnerability and working on Vaccine small venture.
    I'm very intersted in PDF files.
    Could you please send me the password? thanks in advance! My email address:
    kyle_mustangss at hotmail.com

    ReplyDelete
  7. Seems to be another Duqu variants?.

    ReplyDelete
  8. I get wrong, sorry about that!...

    ReplyDelete
  9. Hello,
    Also working against vulnerabilities in a big company... could you send me the password for the file please ?
    skyrb[at]free.fr

    Many thanks.

    ReplyDelete
  10. @all - please don't leave your emails here but send me email using my address in the profile of this blog. Unless you want it public and get spammed by harvesters :)

    ReplyDelete