Update: a list of the dropped files for each sample and the C&C information from the pcaps has been added at the end of the post, for review and easy Googling.
If you need to see the payload 'files' folders, please see the previous post for an example or contact me. According to the author, filtering of the file dumps will be added soon.
What you will see in the package:
Original analysis folder (excluding the "Files" folder of dropped files)
- Analysis.config - names the analysed file
- Analysis.log + report.txt - log of all API calls and created files
- Dump.pcap - the network capture
- logs folder - in CSV format
- shots folder - screenshots taken
- Original file itself
- List of all hashes of all files
- All pcap files converted to text
- Filtered logs showing dropped files
List of included files and corresponding Cuckoo sandbox analysis results
86730A9BC3AB99503322EDA6115C1096 1104statment.pdf
35458535961F767E267487E39641766C 1106.pdf
92D142E08DBEF9FC6BC61A575224C3EC 111109.pdf
B4CB1B1182EA0B616ED6702A2B25FAC2 20111106_.pdf
88B884E8CE014D6B8D30B8198E048708 20111111_SexyDay.pdf
C0D5B1CC0C77FCF32FF02AAC98FAC536 2012().pdf
31DD6F29F19626F8CE03D73B3F635296 2012()2.pdf
C89D0C1DF6B4EF20E8447B11BEB77723 2012()3.pdf
08CDC6213D63EA85FBCCD335579CAEC4 2015.pdf
57F8BC2995CA99E20B356B623FA12F29 AEO.pdf
61481CBCBD35034C7CF4D1930B5E63E3 ATT03306.pdf
CBEA315F41205B731379521C5464C134 ATT03865.pdf
452703B9292A7A5D45EB224C622D32CF ATT11990.pdf
704D40896BF6C9EA174F4CF3B57AC562 ATT25948.pdf
2A0DCB1915C0465949E7AECFB06F47EA ATT41702.pdf
979C64214F11F72EDDDD04FFC4887BB5 ATT63950.pdf
E30D11EB28BB88681D1FB31DA88D84C6 ATT78434.pdf
DD7A03F4932CB86A77BD57B1C21FC18F ATT85096.pdf
1188EA8F0D086A8860A3AAFB54A3FA76 ATT88422.pdf
B4CB1B1182EA0B616ED6702A2B25FAC2 ATT93159.pdf
91759CA240EECCC4C742CFF341C9A9A7 ATT93487.pdf
3173D2A0A607ECCF21707A3DC5DE30DA Bainbridge Skills.pdf
F567FFD4F7A19A469D836E5A0A9552AB Conference information for next week.pdf
670E22EC5EE2F8D08795BA7FF5A5D52E DOB Aug 2011.pdf
01A1CAA4BA9EC050BA8CEAFE26998577 g20 summit.pdf
670E22EC5EE2F8D08795BA7FF5A5D52E ID194.pdf
CDB6DCF66B7D3C5BC678378F46BA94E7 military procurement.pdf
C898ABCEA6EAAA3E1795322D02E95D7E NorthKorea.pdf
0A630BBAA1691ED10540048BD5B4CF04 Nuclear Security and Summit Diplomacy.pdf
DE095F05913928CF58A27F27C5BF8605 statement.pdf
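Added example, not part of the original post and not Cuckoo's own code: a Python script that parses the two text formats used on this page, the MD5 list above and the filtered dropped-files log interleaved with pcap-to-text lines below, and produces a per-run summary of payloads written to disk, hosts the sandbox VM tried to reach, HTTP requests and DNS lookups. It also flags hashes that appear under more than one file name, which in the list above happens for 20111106_.pdf / ATT93159.pdf and DOB Aug 2011.pdf / ID194.pdf. Assumptions, all drawn from this page's own data: the sandbox VM is 10.0.2.15 (as in every capture here), the noise filter covers the entries present in nearly every run, and the beacon pattern is the `?id=<digits>GB524` shape shared by the four GET requests below. The sample input is a constructed excerpt of the listing. (The Polish 404 reason phrase "Nie znaleziono obiektu" in the captures means "Object not found".)

```python
import re
from collections import OrderedDict

SANDBOX_IP = "10.0.2.15"   # sandbox VM address in every capture on this page
# Present in nearly every run regardless of sample (DirectX caps cache written by
# the PDF reader, the "iso88591" charset entry): treated as noise. Assumption for
# this page's environment, not a general rule.
NOISE_BASENAMES = {"d3d8caps.dat", "d3d9caps.dat", "iso88591"}

DROP_RE = re.compile(r'^(?P<aid>\d+)/\[(?P<ts>[^\]]+)\]\s+"(?P<path>[^"]*)"\s*$')
PKT_RE = re.compile(r'^\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+(?P<proto>\S+)\s+(?P<rest>.*)$')
SYN_RE = re.compile(r'^\d+ > (?P<dport>\d+) \[SYN\]')
GET_RE = re.compile(r'^GET (?P<uri>\S+) HTTP')
DNS_RE = re.compile(r'^Standard query A (?P<name>\S+)')
BEACON_RE = re.compile(r'\?id=(?P<id>\d+GB524)$')   # shape of the four GET beacons on this page


def basename(win_path):
    """Last component of a logged Windows path (tolerates a doubled '\\')."""
    return win_path.rstrip("\\").split("\\")[-1]


def parse_analysis_log(text):
    """Analysis id -> {sample, dropped, contacts, http, dns} for each Cuckoo run.
    Packet lines carry no analysis id; they belong to the run whose dropped-file
    entries precede them, which is how the listing is ordered."""
    runs, current = OrderedDict(), None
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            aid, name = m.group("aid"), basename(m.group("path"))
            current = runs.setdefault(aid, {"sample": None, "dropped": [],
                                            "contacts": set(), "http": [], "dns": []})
            if current["sample"] is None and name.startswith("APT_"):
                current["sample"] = name          # first entry of a run is the submitted file
            elif name not in NOISE_BASENAMES:
                current["dropped"].append(name)
            continue
        m = PKT_RE.match(line)
        if not m or current is None or m.group("src") != SANDBOX_IP:
            continue                              # only outbound traffic from the VM
        dst, proto, rest = m.group("dst"), m.group("proto"), m.group("rest")
        if proto == "DNS" and DNS_RE.match(rest):
            current["dns"].append(DNS_RE.match(rest).group("name"))
        elif proto == "HTTP" and GET_RE.match(rest):
            current["http"].append(GET_RE.match(rest).group("uri"))
        elif proto == "TCP" and SYN_RE.match(rest):
            current["contacts"].add((dst, int(SYN_RE.match(rest).group("dport"))))
    return runs


def beacon_ids(runs):
    """Analysis id -> id= values of GET requests matching the beacon pattern."""
    out = {}
    for aid, run in runs.items():
        ids = [BEACON_RE.search(u).group("id") for u in run["http"] if BEACON_RE.search(u)]
        if ids:
            out[aid] = ids
    return out


def parse_sample_list(text):
    """'<MD5> <filename>' lines -> MD5 -> [filenames]."""
    by_hash = OrderedDict()
    for line in text.splitlines():
        parts = line.strip().split(" ", 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9A-Fa-f]{32}", parts[0]):
            by_hash.setdefault(parts[0].upper(), []).append(parts[1])
    return by_hash


def duplicate_samples(by_hash):
    """Hashes listed under more than one name: one file sent under several lures."""
    return {h: names for h, names in by_hash.items() if len(names) > 1}


# Constructed excerpts in the two formats used on this page.
SAMPLE_LIST = """\
B4CB1B1182EA0B616ED6702A2B25FAC2 20111106_.pdf
B4CB1B1182EA0B616ED6702A2B25FAC2 ATT93159.pdf
670E22EC5EE2F8D08795BA7FF5A5D52E DOB Aug 2011.pdf
670E22EC5EE2F8D08795BA7FF5A5D52E ID194.pdf
"""
SAMPLE_LOG = r"""
52/[2011-11-29 00:13:25] "C:\APT_1104statment.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d8caps.dat"
52/[2011-11-29 00:13:28] "iso88591"
78 71.361654 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 83.379329 10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
54/[2011-11-29 00:18:22] "C:\APT_111109.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
97 118.901642 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
113 123.111028 10.0.2.15 -> 62.233.245.91 HTTP GET /khdpi.php?id=0080131911386GB524 HTTP/1.1
115 123.564824 62.233.245.91 -> 10.0.2.15 HTTP HTTP/1.1 404 Nie znaleziono obiektu (text/html)
64/[2011-11-29 00:42:59] "C:\APT_ATT11990.pdf"
64/[2011-11-29 00:43:00] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
74 40.881943 10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
76 41.033219 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
"""

if __name__ == "__main__":
    runs = parse_analysis_log(SAMPLE_LOG)
    for aid, run in runs.items():
        print(aid, run["sample"], run["dropped"], sorted(run["contacts"]), run["http"], run["dns"])
    print("beacons:", beacon_ids(runs))
    print("same sample under several names:", duplicate_samples(parse_sample_list(SAMPLE_LIST)))
```

Running it over the full dump.pcap text files and the filtered dropped-files log from the package gives one record per analysis id; only SYNs and GETs originating from the VM count as contacts, so the DNS resolver and the servers' own replies never end up in the indicator set. Note that a SYN with no SYN/ACK (most of the 59.120.54.79 and 2.229.10.5 entries below) shows the sample's intent to connect, not a live server at capture time.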
DROPPED FILES AND C&Cs
52/[2011-11-29 00:13:25] "C:\APT_1104statment.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d8caps.dat"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d9caps.dat"
52/[2011-11-29 00:13:28] "iso88591"
78 71.361654 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 83.379329 10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
53/[2011-11-29 00:15:55] "C:\APT_1106.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d8caps.dat"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d9caps.dat"
53/[2011-11-29 00:15:56] "iso88591"
103 131.960627 10.0.2.15 -> 61.203.196.118 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
54/[2011-11-29 00:18:22] "C:\APT_111109.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d8caps.dat"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d9caps.dat"
54/[2011-11-29 00:18:23] "iso88591"
92 100.874401 10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
93 106.882960 10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
97 118.901642 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
99 119.300035 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
100 119.300466 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
101 119.300509 10.0.2.15 -> 62.233.245.91 SSL Continuation Data
102 119.300538 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [ACK] Seq=1 Ack=193 Win=65535 Len=0
104 119.671542 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [FIN, ACK] Seq=1 Ack=193 Win=65535 Len=0
105 119.672034 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=193 Ack=2 Win=64240 Len=0
106 119.672056 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [FIN, ACK] Seq=193 Ack=2 Win=64240 Len=0
107 119.672107 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [ACK] Seq=2 Ack=194 Win=65535 Len=0
108 119.672640 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
110 122.606271 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
111 123.110597 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
112 123.110991 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
113 123.111028 10.0.2.15 -> 62.233.245.91 HTTP GET /khdpi.php?id=0080131911386GB524 HTTP/1.1
114 123.111058 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=1 Ack=189 Win=65535 Len=0
115 123.564824 62.233.245.91 -> 10.0.2.15 HTTP HTTP/1.1 404 Nie znaleziono obiektu (text/html)
116 123.565799 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [FIN, ACK] Seq=189 Ack=312 Win=63929 Len=0
117 123.565880 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=312 Ack=190 Win=65535 Len=0
118 123.581081 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [FIN, ACK] Seq=312 Ack=190 Win=65535 Len=0
119 123.581393 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=190 Ack=313 Win=63929 Len=0
121 125.560394 10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
123 128.514543 10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
126 134.523033 10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
55/[2011-11-29 00:20:50] "C:\APT_20111106_.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d8caps.dat"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d9caps.dat"
55/[2011-11-29 00:20:51] "iso88591"
60 34.365192 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61 34.682612 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
62 34.686987 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
63 34.687007 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
64 34.687042 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0
68 37.286460 203.116.203.67 -> 10.0.2.15 SSL Continuation Data
56/[2011-11-29 00:23:18] "C:\APT_20111111_SexyDay.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d8caps.dat"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d9caps.dat"
56/[2011-11-29 00:23:19] "iso88591"
60 34.580116 10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61 35.001033 62.233.245.91 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
62 35.001274 10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
63 35.001683 10.0.2.15 -> 62.233.245.91 SSL Continuation Data
57/[2011-11-29 00:25:45] "C:\APT_2012().pdf"
--
58/[2011-11-29 00:28:15] "C:\APT_2012()2.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
--
59/[2011-11-29 00:30:42] "C:\APT_2012()3.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d8caps.dat"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d9caps.dat"
59/[2011-11-29 00:30:43] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
59 34.274013 10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.193422 10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
73 43.201705 10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
76 55.221290 10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 58.222827 10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
82 64.232492 10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
86 76.250579 10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
88 79.253888 10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
91 85.262904 10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
95 97.180318 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
97 97.376698 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
98 97.376875 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
99 97.377127 10.0.2.15 -> 2.116.180.66 HTTP GET /rqban.php?id=0026041911386GB524 HTTP/1.1
100 97.377168 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [ACK] Seq=1 Ack=188 Win=65535 Len=0
110 127.883970 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
111 127.884082 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [ACK] Seq=1 Ack=189 Win=65535 Len=0
112 127.884442 10.0.2.15 -> 2.229.10.5 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
113 128.055148 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
114 128.055442 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
116 130.827421 10.0.2.15 -> 2.229.10.5 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
121 136.835963 10.0.2.15 -> 2.229.10.5 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
60/[2011-11-29 00:33:09] "C:\APT_2015.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d8caps.dat"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d9caps.dat"
60/[2011-11-29 00:33:10] "iso88591"
90 85.128211 10.0.2.15 -> 71.246.244.139 TCP 1047 > 1010 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
94 97.055009 10.0.2.15 -> 206.253.41.47 TCP 1048 > 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61/[2011-11-29 00:35:36] "C:\APT_AEO.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d8caps.dat"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d9caps.dat"
61/[2011-11-29 00:35:37] "iso88591"
98 105.995079 10.0.2.15 -> 61.203.196.118 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
103 120.016061 10.0.2.15 -> 220.135.104.7 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62/[2011-11-29 00:38:03] "C:\APT_ATT03306.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d8caps.dat"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d9caps.dat"
62/[2011-11-29 00:38:03] "iso88591"
62 34.663176 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 34.664159 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 34.664179 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
63/[2011-11-29 00:40:29] "C:\APT_ATT03865.pdf"
64/[2011-11-29 00:42:59] "C:\APT_ATT11990.pdf"
64/[2011-11-29 00:43:00] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\cmd.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d8caps.dat"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d9caps.dat"
64/[2011-11-29 00:43:00] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
66 40.373167 10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
67 40.819758 60.249.85.109 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 40.820024 10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 40.820061 10.0.2.15 -> 60.249.85.109 SSL Continuation Data
70 40.820088 60.249.85.109 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=23 Win=65535 Len=0
74 40.881943 10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
75 41.032372 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
76 41.033219 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 41.269469 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
78 41.270321 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
79 41.270384 10.0.2.15 -> 216.146.39.70 HTTP GET / HTTP/1.1 Continuation or non-HTTP traffic
80 41.270423 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=65 Win=65535 Len=0
81 41.552327 216.146.39.70 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
82 41.552557 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [FIN, ACK] Seq=261 Ack=65 Win=65535 Len=0
83 41.552712 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=65 Ack=262 Win=63980 Len=0
84 41.552744 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [FIN, ACK] Seq=65 Ack=262 Win=63980 Len=0
85 41.552773 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=262 Ack=66 Win=65535 Len=0
86 41.553781 10.0.2.15 -> 60.249.85.109 SSL Continuation Data
65/[2011-11-29 00:45:26] "C:\APT_ATT25948.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d8caps.dat"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d9caps.dat"
65/[2011-11-29 00:45:27] "iso88591"
60 35.138773 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.703752 203.116.203.67 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.703752 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 35.703752 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
65 35.703752 203.116.203.67 -> 10.0.2.15 TCP 443 > 1044 [ACK] Seq=1 Ack=194 Win=65535 Len=0
68 37.287146 203.116.203.67 -> 10.0.2.15 SSL Continuation Data
66/[2011-11-29 00:47:53] "C:\APT_ATT41702.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d8caps.dat"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d9caps.dat"
66/[2011-11-29 00:47:54] "iso88591"
62 35.220147 10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
63 35.729797 203.92.33.98 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
64 35.730349 10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
65 35.730367 10.0.2.15 -> 203.92.33.98 SSL Continuation Data
66 35.730401 203.92.33.98 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=192 Win=65535 Len=0
68 36.008025 203.92.33.98 -> 10.0.2.15 TCP 443 > 1043 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0
67/[2011-11-29 00:50:20] "C:\APT_ATT63950.pdf"
68/[2011-11-29 00:52:48] "C:\APT_ATT78434.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d8caps.dat"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d9caps.dat"
68/[2011-11-29 00:52:49] "iso88591"
106 118.728793 10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
107 119.104435 62.233.245.91 -> 10.0.2.15 TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
108 119.104435 10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
109 119.104435 10.0.2.15 -> 62.233.245.91 HTTP GET /vikqz.php?id=0007871911386GB524 HTTP/1.1
110 119.104435 62.233.245.91 -> 10.0.2.15 TCP 80 > 1050 [ACK] Seq=1 Ack=189 Win=65535 Len=0
111 119.290731 62.233.245.91 -> 10.0.2.15 HTTP HTTP/1.1 404 Nie znaleziono obiektu (text/html)
112 119.291465 62.233.245.91 -> 10.0.2.15 TCP 80 > 1050 [FIN, ACK] Seq=312 Ack=189 Win=65535 Len=0
69/[2011-11-29 00:55:16] "C:\APT_ATT85096.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
70/[2011-11-29 00:57:43] "C:\APT_ATT88422.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\ccapp.exe"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d8caps.dat"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d9caps.dat"
70/[2011-11-29 00:57:43] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
61 34.446095 10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
66 37.377861 10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
74 43.386561 10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 55.405520 10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
79 58.407708 10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 64.416957 10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
87 76.434892 10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
89 79.438217 10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
92 85.447996 10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
96 97.365250 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
98 97.766921 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
99 97.767318 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
100 97.767349 10.0.2.15 -> 2.116.180.66 HTTP GET /hrqxk.php?id=0100641911386GB524 HTTP/1.1
101 97.767394 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [ACK] Seq=1 Ack=188 Win=65535 Len=0
111 128.279223 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
112 128.279304 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [ACK] Seq=1 Ack=189 Win=65535 Len=0
113 128.279790 10.0.2.15 -> 2.229.10.5 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
114 128.455002 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
115 128.455337 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
117 131.213059 10.0.2.15 -> 2.229.10.5 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
122 137.221641 10.0.2.15 -> 2.229.10.5 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
71/[2011-11-29 01:00:10] "C:\APT_ATT93159.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d8caps.dat"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d9caps.dat"
71/[2011-11-29 01:00:11] "iso88591"
61 35.267636 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.755264 203.116.203.67 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.755767 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
72/[2011-11-29 01:00:52] "C:\APT_ATT93487.pdf"
72/[2011-11-29 01:00:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11111.exe"
72/[2011-11-29 01:00:53] "C:\WINDOWS\system32\cmd.exe"
49 28.589394 10.0.2.15 -> 68.87.73.246 DNS Standard query A family.mobwork.net
52 28.815334 68.87.73.246 -> 10.0.2.15 DNS Standard query response, No such name
53 28.824172 10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
55 29.391808 60.249.219.82 -> 10.0.2.15 TCP 443 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
56 29.393046 10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
57 29.393089 10.0.2.15 -> 60.249.219.82 SSL Continuation Data
73/[2011-11-29 01:03:20] "C:\APT_Bainbridge Skills.pdf"
73/[2011-11-29 01:03:20] "C:\WINDOWS\\googlesetup.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\AdobeARM.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\cmd.exe"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d8caps.dat"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d9caps.dat"
1 0.000000 -> Ethernet [Packet size limited during capture]
60 34.385805 10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org
61 34.386808 10.0.2.15 -> 68.87.73.246 DNS Standard query A www.microsoft.com
63 34.651537 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME toggle.www.ms.akadns.net CNAME g.www.ms.akadns.net CNAME lb1.www.ms.akadns.net A 207.46.19.254
64 34.653667 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 34.660488 68.87.73.246 -> 10.0.2.15 DNS Standard query response, No such name
66 34.661636 10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org.hsd1.va.comcast.net
67 34.929382 207.46.19.254 -> 10.0.2.15 TCP 80 > 1047 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 34.929845 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 34.948980 68.87.73.246 -> 10.0.2.15 DNS Standard query response, No such name
71 35.171205 10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
72 35.171292 207.46.19.254 -> 10.0.2.15 TCP 80 > 1047 [ACK] Seq=1 Ack=1130 Win=65535 Len=0
73 35.457443 207.46.19.254 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
74 35.457494 207.46.19.254 -> 10.0.2.15 HTTP HTTP/1.0 200 OK (text/html)
75 35.457916 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1130 Ack=557 Win=63685 Len=0
76 35.470823 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [FIN, ACK] Seq=1130 Ack=557 Win=63685 Len=0
77 35.470895 207.46.19.254 -> 10.0.2.15 TCP 80 > 1047 [ACK] Seq=557 Ack=1131 Win=65535 Len=0
79 36.074407 10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80 36.294800 207.46.19.254 -> 10.0.2.15 TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
81 36.295728 10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
82 36.297643 10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
83 36.297718 207.46.19.254 -> 10.0.2.15 TCP 80 > 1049 [ACK] Seq=1 Ack=1291 Win=65535 Len=0
84 36.534015 207.46.19.254 -> 10.0.2.15 HTTP HTTP/1.1 302 Found (text/html)
85 36.536261 10.0.2.15 -> 68.87.73.246 DNS Standard query A home.microsoft.com
86 36.648320 10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1291 Ack=547 Win=63694 Len=0
88 36.699394 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME redir.blu.cb3.glbdns.microsoft.com A 65.55.206.209
89 36.700413 10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
90 36.873588 65.55.206.209 -> 10.0.2.15 TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
91 36.874437 10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
92 36.874467 10.0.2.15 -> 65.55.206.209 HTTP GET / HTTP/1.1
93 36.874531 65.55.206.209 -> 10.0.2.15 TCP 80 > 1050 [ACK] Seq=1 Ack=1129 Win=65535 Len=0
94 37.055783 65.55.206.209 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently
95 37.057985 10.0.2.15 -> 68.87.73.246 DNS Standard query A www.msn.com
96 37.236864 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME us.co1.cb3.glbdns.microsoft.com A 207.46.140.34
97 37.238158 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
98 37.249543 10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1129 Ack=298 Win=63943 Len=0
100 37.491542 207.46.140.34 -> 10.0.2.15 TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
101 37.492462 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
102 37.492498 10.0.2.15 -> 207.46.140.34 HTTP GET / HTTP/1.1
103 37.492538 207.46.140.34 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=1 Ack=817 Win=65535 Len=0
104 37.814454 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
105 37.814506 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
106 37.814816 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=1449 Win=62792 Len=0
107 37.814902 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
108 37.814937 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
109 37.815251 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=2897 Win=64240 Len=0
110 37.836372 10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stc.s-msn.com
111 37.909124 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
112 37.909177 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
113 37.909422 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
114 37.909451 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
115 37.909473 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=4345 Win=62792 Len=0
116 37.909731 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=5793 Win=64240 Len=0
117 37.909824 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
118 37.909849 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
119 37.909985 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=7241 Win=62792 Len=0
120 37.910259 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
121 37.910488 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
122 37.910618 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=8689 Win=64240 Len=0
123 38.002706 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
124 38.002774 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
125 38.003245 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
126 38.003373 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
127 38.003895 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
128 38.003940 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=10137 Win=62792 Len=0
129 38.003985 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=11585 Win=64240 Len=0
130 38.004040 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
131 38.004123 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=13033 Win=62792 Len=0
132 38.005081 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
133 38.005125 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
134 38.005268 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=14481 Win=61344 Len=0
135 38.005378 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
136 38.005419 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
137 38.005525 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=15929 Win=59896 Len=0
138 38.005995 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
139 38.006038 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
140 38.006180 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=17377 Win=58448 Len=0
141 38.010812 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
142 38.010857 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
143 38.011153 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=18825 Win=57000 Len=0
144 38.011266 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
145 38.011312 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
146 38.011471 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=20273 Win=55552 Len=0
147 38.031499 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME colstc.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.209 A 65.54.81.185
148 38.032809 10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
149 38.032977 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
150 38.035078 10.0.2.15 -> 207.46.140.34 TCP [TCP Window Update] 1051 > 80 [ACK] Seq=817 Ack=20273 Win=64240 Len=0
151 38.091287 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
152 38.091328 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
153 38.091541 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=21721 Win=62792 Len=0
154 38.091594 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
155 38.091634 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
156 38.091800 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=23169 Win=64240 Len=0
157 38.091879 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
158 38.091903 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
159 38.092222 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=24617 Win=62792 Len=0
160 38.092252 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
161 38.092276 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
162 38.092752 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=26065 Win=64240 Len=0
163 38.092832 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
164 38.092860 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
165 38.093222 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=27513 Win=62792 Len=0
166 38.093252 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
167 38.093275 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
168 38.093711 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=28961 Win=64240 Len=0
555 42.697858 96.17.168.113 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
556 42.698340 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=20273 Win=64240 Len=0
557 42.698569 65.55.121.231 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
558 42.707512 74.125.226.219 -> 10.0.2.15 HTTP HTTP/1.1 302 Moved Temporarily
559 42.712399 65.55.121.231 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
560 42.739017 10.0.2.15 -> 74.125.226.219 HTTP GET /dot.gif?0.970374845534282 HTTP/1.1
561 42.739017 74.125.226.219 -> 10.0.2.15 TCP 80 > 1072 [ACK] Seq=196 Ack=828 Win=65535 Len=0
562 42.739017 10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNSUR&AP=1089 HTTP/1.1
563 42.739017 65.55.121.231 -> 10.0.2.15 TCP 80 > 1067 [ACK] Seq=2918 Ack=2311 Win=65535 Len=0
564 42.750353 96.17.171.161 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/javascript)
565 42.751066 10.0.2.15 -> 68.87.73.246 DNS Standard query A ad.wsod.com
566 42.755297 65.55.121.231 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
567 42.756436 65.55.18.18 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
568 42.769281 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 209.234.225.242
569 42.774998 10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
570 42.779251 74.125.226.219 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
571 42.819327 10.0.2.15 -> 68.87.73.246 DNS Standard query A ads2.msads.net
572 42.823411 10.0.2.15 -> 74.125.226.219 HTTP GET /ad/N4492.MSN/B5014254.187;sz=1x1;ord=1124616328? HTTP/1.1
573 42.823584 74.125.226.219 -> 10.0.2.15 TCP 80 > 1072 [ACK] Seq=408 Ack=1215 Win=65535 Len=0
574 42.831942 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME msnads.vo.msecnd.net A 65.54.81.161 A 65.54.81.152
575 42.835114 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
576 42.841377 209.234.225.242 -> 10.0.2.15 TCP 80 > 1075 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
577 42.841639 10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
578 42.842983 10.0.2.15 -> 209.234.225.242 HTTP GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/2398.1579.tk.177x20/725237877 HTTP/1.1
579 42.843061 209.234.225.242 -> 10.0.2.15 TCP 80 > 1075 [ACK] Seq=1 Ack=447 Win=65535 Len=0
580 42.849859 65.54.81.161 -> 10.0.2.15 TCP 80 > 1076 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
581 42.851660 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
582 42.851682 10.0.2.15 -> 65.54.81.161 HTTP GET /CIS/95/000/000/000/019/637.jpg HTTP/1.1
583 42.851746 65.54.81.161 -> 10.0.2.15 TCP 80 > 1076 [ACK] Seq=1 Ack=271 Win=65535 Len=0
584 42.859036 10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=2751 Ack=1111 Win=63130 Len=0
585 42.859036 10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=2311 Ack=3661 Win=64240 Len=0
586 42.859177 10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1704 Ack=1561 Win=64240 Len=0
587 42.859192 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=20816 Win=63697 Len=0
588 42.859201 10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [ACK] Seq=771 Ack=1042 Win=63199 Len=0
589 42.866584 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
590 42.866630 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
591 42.866817 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=1449 Win=62792 Len=0
592 42.866872 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
593 42.866906 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
594 42.867362 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=2897 Win=64240 Len=0
595 42.869225 74.125.226.219 -> 10.0.2.15 HTTP HTTP/1.1 302 Moved Temporarily
596 42.870642 10.0.2.15 -> 68.87.73.246 DNS Standard query A m.doubleclick.net
597 42.879138 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
598 42.879176 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
599 42.879606 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
600 42.879650 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=4345 Win=62792 Len=0
601 42.879712 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
602 42.879752 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
603 42.879770 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
604 42.879960 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=5793 Win=64240 Len=0
605 42.879984 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=7241 Win=62792 Len=0
606 42.880034 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
607 42.880063 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
608 42.880599 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=8689 Win=64240 Len=0
609 42.880669 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
610 42.880708 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
611 42.880851 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=10137 Win=62792 Len=0
612 42.881147 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
613 42.881180 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
614 42.881718 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=11585 Win=64240 Len=0
615 42.881931 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME s0-2mdn-net.l.google.com A 74.125.226.251
616 42.883451 10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
617 42.883774 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
618 42.883814 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
619 42.884081 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
620 42.884132 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=13033 Win=62792 Len=0
621 42.884182 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
622 42.884760 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=14481 Win=64240 Len=0
623 42.891069 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
624 42.891106 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
625 42.891258 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=15929 Win=62792 Len=0
626 42.891421 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
627 42.891474 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
628 42.891698 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=17377 Win=64240 Len=0
629 42.891736 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
630 42.891756 65.54.81.161 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
631 42.892333 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=18825 Win=62792 Len=0
632 42.895527 65.54.81.161 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
633 42.910686 209.234.225.242 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
634 42.912344 74.125.226.251 -> 10.0.2.15 TCP 80 > 1077 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
635 42.912673 10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
636 42.914697 10.0.2.15 -> 74.125.226.251 HTTP GET /dot.gif HTTP/1.1
637 42.914776 74.125.226.251 -> 10.0.2.15 TCP 80 > 1077 [ACK] Seq=1 Ack=346 Win=65535 Len=0
638 42.936684 74.125.226.251 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
639 43.059351 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=19542 Win=64240 Len=0
640 43.059392 10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=447 Ack=585 Win=63656 Len=0
641 43.059403 10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [ACK] Seq=346 Ack=361 Win=63880 Len=0
642 43.059411 10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [ACK] Seq=1215 Ack=627 Win=63614 Len=0
643 44.111447 65.54.81.47 -> 10.0.2.15 TCP 80 > 1066 [FIN, ACK] Seq=1208 Ack=666 Win=65535 Len=0
644 44.111703 10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [ACK] Seq=666 Ack=1209 Win=63033 Len=0
645 44.125425 65.54.81.209 -> 10.0.2.15 TCP 80 > 1052 [FIN, ACK] Seq=849 Ack=1861 Win=65535 Len=0
646 44.125599 10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1861 Ack=850 Win=63392 Len=0
647 45.110536 65.54.81.24 -> 10.0.2.15 TCP 80 > 1054 [FIN, ACK] Seq=369 Ack=714 Win=65535 Len=0
648 45.110771 10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=714 Ack=370 Win=63872 Len=0
649 45.913572 209.234.225.242 -> 10.0.2.15 TCP 80 > 1075 [FIN, ACK] Seq=585 Ack=447 Win=65535 Len=0
650 45.914044 10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [ACK] Seq=447 Ack=586 Win=63656 Len=0
651 46.015286 10.0.2.15 -> 65.54.81.24 HTTP GET /i/D0/4278717F7C190E446356444E97F5A.jpg HTTP/1.1
652 46.015286 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=7772 Ack=3529 Win=65535 Len=0
653 46.021859 10.0.2.15 -> 65.55.18.18 HTTP GET /ro.aspx?evt=br&di=340&pi=7317&ps=95101&rid=&cts=1322546511130&ce=1&hl=SWP22&cm=head%3Ecb1 HTTP/1.1
654 46.021940 65.55.18.18 -> 10.0.2.15 TCP 80 > 1070 [ACK] Seq=371 Ack=1837 Win=65535 Len=0
655 46.023977 10.0.2.15 -> 70.37.130.35 HTTP GET /c.gif?evt=br&rid=&exa=msnhp_us_master_v2%3AWP10_5%2Cmsnhp_us_anbov2%3AT2&cts=1322546511130&aop=&expac=673II6B39_0912%3AT2~40II3a39_0803%3AWP10_5%7C&fk=W&gp=P&optkey=default&clid=3CE72C262627635C3C662E93222763E1&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT3WANBOV2T2&pid=6875603&su=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&pageid=6875603&ce=1&hl=SWP22&cm=head%3Ecb1 HTTP/1.1
656 46.024062 70.37.130.35 -> 10.0.2.15 TCP 80 > 1059 [ACK] Seq=368 Ack=2249 Win=65535 Len=0
657 46.110765 65.54.81.24 -> 10.0.2.15 TCP 80 > 1055 [FIN, ACK] Seq=551 Ack=1208 Win=65535 Len=0
658 46.110950 10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=1208 Ack=552 Win=63690 Len=0
659 46.111199 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [FIN, ACK] Seq=7522 Ack=3246 Win=65535 Len=0
660 46.111313 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=3246 Ack=7523 Win=63232 Len=0
661 46.111460 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [FIN, ACK] Seq=7772 Ack=3529 Win=65535 Len=0
662 46.112343 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=3529 Ack=7773 Win=63400 Len=0
663 46.112364 10.0.2.15 -> 209.234.225.242 TCP 1075 > 80 [RST, ACK] Seq=447 Ack=586 Win=0 Len=0
664 46.112380 10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [RST, ACK] Seq=666 Ack=1209 Win=0 Len=0
665 46.112389 10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [RST, ACK] Seq=714 Ack=370 Win=0 Len=0
666 46.112397 10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [RST, ACK] Seq=1208 Ack=552 Win=0 Len=0
667 46.112406 10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [RST, ACK] Seq=1861 Ack=850 Win=0 Len=0
668 46.112691 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [FIN, ACK] Seq=3529 Ack=7773 Win=63400 Len=0
669 46.112749 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=7773 Ack=3530 Win=65535 Len=0
670 46.114825 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [FIN, ACK] Seq=3246 Ack=7523 Win=63232 Len=0
671 46.114847 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
672 46.114914 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=7523 Ack=3247 Win=65535 Len=0
673 46.114979 65.54.81.161 -> 10.0.2.15 TCP 80 > 1076 [FIN, ACK] Seq=19542 Ack=271 Win=65535 Len=0
674 46.115148 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [ACK] Seq=271 Ack=19543 Win=64240 Len=0
675 46.117442 65.54.81.209 -> 10.0.2.15 TCP 80 > 1053 [FIN, ACK] Seq=1207 Ack=1855 Win=65535 Len=0
676 46.117592 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1855 Ack=1208 Win=63034 Len=0
677 46.152358 70.37.130.35 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
678 46.187614 65.54.81.24 -> 10.0.2.15 TCP 80 > 1078 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
679 46.188088 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
680 46.188111 10.0.2.15 -> 65.54.81.24 HTTP GET /i/D0/4278717F7C190E446356444E97F5A.jpg HTTP/1.1
681 46.188166 65.54.81.24 -> 10.0.2.15 TCP 80 > 1078 [ACK] Seq=1 Ack=282 Win=65535 Len=0
682 46.202724 65.55.18.18 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
683 46.264115 10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=2249 Ack=735 Win=63506 Len=0
684 46.285768 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
685 46.285830 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
686 46.286098 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
687 46.286134 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=1449 Win=62792 Len=0
688 46.286175 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
689 46.286853 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=2897 Win=64240 Len=0
690 46.348872 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
691 46.348930 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
692 46.349148 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=4345 Win=62792 Len=0
693 46.349189 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
694 46.349214 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
695 46.349435 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=5793 Win=64240 Len=0
696 46.349475 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
697 46.349502 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
698 46.349924 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
699 46.350051 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
700 46.350277 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
701 46.357721 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=7241 Win=62792 Len=0
702 46.357745 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=8689 Win=64240 Len=0
703 46.367174 10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [ACK] Seq=1837 Ack=741 Win=63500 Len=0
704 46.467160 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=9620 Win=63309 Len=0
705 47.921611 10.0.2.15 -> 207.46.140.34 HTTP GET /?euid=3CE72C262627635C3C662E93222763E1&userGroup=W:default&PM=z:1&zipCode=22310&newsProviderId=WRC&weaDegreeType=F&weaLocations=wc%3A10067507 HTTP/1.1
706 47.921794 207.46.140.34 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=41235 Ack=2799 Win=65535 Len=0
707 48.289718 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
708 48.289792 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
709 48.290040 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
710 48.290067 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
711 48.290076 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=42683 Win=64240 Len=0
712 48.290336 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
713 48.290369 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
714 48.290376 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=44131 Win=62792 Len=0
715 48.290871 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=45579 Win=64240 Len=0
716 48.291047 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
717 48.291073 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
718 48.291559 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
719 48.291583 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
720 48.291591 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=47027 Win=62792 Len=0
721 48.291921 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
722 48.292038 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=48475 Win=64240 Len=0
723 48.292068 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
724 48.292299 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
725 48.292383 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=49923 Win=62792 Len=0
726 48.292425 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
727 48.292808 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
728 48.292897 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=51371 Win=64240 Len=0
729 48.292939 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
730 48.293314 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
731 48.293343 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
732 48.293352 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=52819 Win=62792 Len=0
733 48.293786 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
734 48.293871 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=54267 Win=64240 Len=0
735 48.293913 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
736 48.294222 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
737 48.294250 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=55715 Win=62792 Len=0
738 48.294274 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
739 48.294679 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
740 48.294706 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
741 48.294712 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=57163 Win=64240 Len=0
742 48.294834 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=58611 Win=62792 Len=0
743 48.295187 207.46.140.34 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
744 48.467164 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=59959 Win=64240 Len=0
745 50.112739 65.54.81.24 -> 10.0.2.15 TCP 80 > 1078 [FIN, ACK] Seq=9620 Ack=282 Win=65535 Len=0
746 50.112974 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [ACK] Seq=282 Ack=9621 Win=63309 Len=0
747 53.294480 10.0.2.15 -> 65.54.81.161 TCP 1076 > 80 [RST, ACK] Seq=271 Ack=19543 Win=0 Len=0
748 53.294505 10.0.2.15 -> 65.54.81.24 TCP 1078 > 80 [RST, ACK] Seq=282 Ack=9621 Win=0 Len=0
749 53.294515 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [RST, ACK] Seq=1855 Ack=1208 Win=0 Len=0
750 98.359689 10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [RST, ACK] Seq=1129 Ack=298 Win=0 Len=0
751 98.360086 10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [RST, ACK] Seq=1291 Ack=547 Win=0 Len=0
753 99.281366 207.46.140.46 -> 10.0.2.15 TCP 80 > 1057 [FIN, ACK] Seq=293 Ack=932 Win=65535 Len=0
754 99.281589 10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=932 Ack=294 Win=63948 Len=0
755 103.368611 10.0.2.15 -> 74.125.226.251 TCP 1077 > 80 [RST, ACK] Seq=346 Ack=361 Win=0 Len=0
756 103.368642 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [RST, ACK] Seq=423 Ack=20816 Win=0 Len=0
757 103.368652 10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [RST, ACK] Seq=1215 Ack=627 Win=0 Len=0
758 103.368661 10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [RST, ACK] Seq=397 Ack=183 Win=0 Len=0
759 103.368669 10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [RST, ACK] Seq=771 Ack=1042 Win=0 Len=0
760 103.368677 10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [RST, ACK] Seq=2311 Ack=3661 Win=0 Len=0
761 103.369276 10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [RST, ACK] Seq=489 Ack=241 Win=0 Len=0
762 103.369290 10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [RST, ACK] Seq=1704 Ack=1561 Win=0 Len=0
763 103.369298 10.0.2.15 -> 64.4.21.39 TCP 1062 > 80 [RST, ACK] Seq=791 Ack=423 Win=0 Len=0
764 103.369901 10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [RST, ACK] Seq=383 Ack=249 Win=0 Len=0
765 103.369913 10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [RST, ACK] Seq=2751 Ack=1111 Win=0 Len=0
766 103.369922 10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [RST, ACK] Seq=932 Ack=294 Win=0 Len=0
767 104.617462 207.46.140.34 -> 10.0.2.15 TCP 80 > 1051 [FIN, ACK] Seq=59959 Ack=2799 Win=65535 Len=0
768 104.617775 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=2799 Ack=59960 Win=64240 Len=0
769 108.373475 10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [RST, ACK] Seq=2249 Ack=735 Win=0 Len=0
770 108.374044 10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [RST, ACK] Seq=1837 Ack=741 Win=0 Len=0
771 108.374060 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [RST, ACK] Seq=2799 Ack=59960 Win=0 Len=0
74/[2011-11-29 01:05:43] "C:\APT_Conference information for next week.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d8caps.dat"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d9caps.dat"
74/[2011-11-29 01:05:44] "iso88591"
74 44.123769 10.0.2.15 -> 110.142.12.95 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 56.143195 10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 59.145745 10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80 65.154873 10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 77.173225 10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
84 80.176440 10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75/[2011-11-29 01:06:22] "C:\APT_DOB Aug 2011.pdf"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\cmd.exe"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\crypt32.dll"
75/[2011-11-29 01:06:22] "iso88591"
43 24.071248 10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
47 24.758951 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 58.68.224.24
48 25.287274 10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
50 25.746641 58.68.224.24 -> 10.0.2.15 TCP 80 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
51 25.746656 10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
52 25.747357 10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
53 25.747373 10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
54 25.747430 58.68.224.24 -> 10.0.2.15 TCP 80 > 1046 [ACK] Seq=1 Ack=236 Win=65535 Len=0
55 25.747449 58.68.224.24 -> 10.0.2.15 TCP 80 > 1046 [ACK] Seq=1 Ack=1516 Win=65535 Len=0
76/[2011-11-29 01:08:49] "C:\APT_g20 summit.pdf"
76/[2011-11-29 01:08:49] "C:\WINDOWS\system32\d3d9caps.dat"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
76/[2011-11-29 01:08:50] "C:\WINDOWS\system32\d3d8caps.dat"
76/[2011-11-29 01:08:50] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
60 34.827483 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.375156 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.375595 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 35.375614 10.0.2.15 -> 203.92.33.98 SSL Continuation Data
65 35.375670 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [ACK] Seq=1 Ack=192 Win=65535 Len=0
66 35.643683 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0
67 35.644358 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=192 Ack=2 Win=64240 Len=0
68 35.644382 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [FIN, ACK] Seq=192 Ack=2 Win=64240 Len=0
69 35.644435 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [ACK] Seq=2 Ack=193 Win=65535 Len=0
70 35.646130 10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
72 36.192141 211.233.62.146 -> 10.0.2.15 TCP 443 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
73 36.192503 10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
74 36.192520 10.0.2.15 -> 211.233.62.146 SSL Continuation Data
77/[2011-11-29 01:09:27] "C:\APT_ID194.pdf"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\cmd.exe"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\crypt32.dll"
77/[2011-11-29 01:09:27] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
42 23.708044 10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
43 24.209549 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 58.68.224.24
44 24.213107 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
48 24.732612 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
49 24.733912 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
50 24.735034 10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
51 24.735034 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=236 Win=65535 Len=0
52 24.736365 10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
53 24.736428 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=1516 Win=65535 Len=0
78/[2011-11-29 01:11:54] "C:\APT_military procurement.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d8caps.dat"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d9caps.dat"
78/[2011-11-29 01:11:55] "iso88591"
60 34.295971 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.284641 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
67 37.841869 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 37.842133 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 37.843287 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
70 37.843342 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0
79/[2011-11-29 01:14:22] "C:\APT_NorthKorea.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d8caps.dat"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d9caps.dat"
79/[2011-11-29 01:14:22] "iso88591"
60 34.992584 10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.908912 10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
73 43.943196 10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75 60.967116 10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 63.970209 10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80/[2011-11-29 01:16:51] "C:\APT_Nuclear Security and Summit Diplomacy.pdf"
80/[2011-11-29 01:16:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\A9R83C7.tmp"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d8caps.dat"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d9caps.dat"
80/[2011-11-29 01:16:54] "C:\WINDOWS\AutoUpdate.exe"
80/[2011-11-29 01:16:54] "C:\WINDOWS\ºÓ°]«O96-97³q°T¿ý.pdf"
----
81/[2011-11-29 01:19:57] "C:\APT_statement.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d8caps.dat"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d9caps.dat"
81/[2011-11-29 01:19:58] "iso88591"
72 54.979463 10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75 57.981829 10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 63.990170 10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 76.008794 10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 79.012034 10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
52/[2011-11-29 00:13:28] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d8caps.dat"
52/[2011-11-29 00:13:28] "C:\WINDOWS\system32\d3d9caps.dat"
52/[2011-11-29 00:13:28] "iso88591"
78 71.361654 10.0.2.15 -> 110.142.12.95 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 83.379329 10.0.2.15 -> 108.77.146.124 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
53/[2011-11-29 00:15:55] "C:\APT_1106.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
53/[2011-11-29 00:15:56] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d8caps.dat"
53/[2011-11-29 00:15:56] "C:\WINDOWS\system32\d3d9caps.dat"
53/[2011-11-29 00:15:56] "iso88591"
103 131.960627 10.0.2.15 -> 61.203.196.118 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
54/[2011-11-29 00:18:22] "C:\APT_111109.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
54/[2011-11-29 00:18:23] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d8caps.dat"
54/[2011-11-29 00:18:23] "C:\WINDOWS\system32\d3d9caps.dat"
54/[2011-11-29 00:18:23] "iso88591"
92 100.874401 10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
93 106.882960 10.0.2.15 -> 110.142.12.95 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
97 118.901642 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
99 119.300035 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
100 119.300466 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
101 119.300509 10.0.2.15 -> 62.233.245.91 SSL Continuation Data
102 119.300538 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [ACK] Seq=1 Ack=193 Win=65535 Len=0
104 119.671542 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [FIN, ACK] Seq=1 Ack=193 Win=65535 Len=0
105 119.672034 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [ACK] Seq=193 Ack=2 Win=64240 Len=0
106 119.672056 10.0.2.15 -> 62.233.245.91 TCP 1050 > 443 [FIN, ACK] Seq=193 Ack=2 Win=64240 Len=0
107 119.672107 62.233.245.91 -> 10.0.2.15 TCP 443 > 1050 [ACK] Seq=2 Ack=194 Win=65535 Len=0
108 119.672640 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
110 122.606271 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
111 123.110597 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
112 123.110991 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
113 123.111028 10.0.2.15 -> 62.233.245.91 HTTP GET /khdpi.php?id=0080131911386GB524 HTTP/1.1
114 123.111058 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=1 Ack=189 Win=65535 Len=0
115 123.564824 62.233.245.91 -> 10.0.2.15 HTTP HTTP/1.1 404 Nie znaleziono obiektu (text/html)
116 123.565799 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [FIN, ACK] Seq=189 Ack=312 Win=63929 Len=0
117 123.565880 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=312 Ack=190 Win=65535 Len=0
118 123.581081 62.233.245.91 -> 10.0.2.15 TCP 80 > 1051 [FIN, ACK] Seq=312 Ack=190 Win=65535 Len=0
119 123.581393 10.0.2.15 -> 62.233.245.91 TCP 1051 > 80 [ACK] Seq=190 Ack=313 Win=63929 Len=0
121 125.560394 10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
123 128.514543 10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
126 134.523033 10.0.2.15 -> 61.203.196.118 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
55/[2011-11-29 00:20:50] "C:\APT_20111106_.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
55/[2011-11-29 00:20:51] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d8caps.dat"
55/[2011-11-29 00:20:51] "C:\WINDOWS\system32\d3d9caps.dat"
55/[2011-11-29 00:20:51] "iso88591"
60 34.365192 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61 34.682612 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
62 34.686987 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
63 34.687007 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
64 34.687042 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0
68 37.286460 203.116.203.67 -> 10.0.2.15 SSL Continuation Data
56/[2011-11-29 00:23:18] "C:\APT_20111111_SexyDay.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
56/[2011-11-29 00:23:19] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d8caps.dat"
56/[2011-11-29 00:23:19] "C:\WINDOWS\system32\d3d9caps.dat"
56/[2011-11-29 00:23:19] "iso88591"
60 34.580116 10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61 35.001033 62.233.245.91 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
62 35.001274 10.0.2.15 -> 62.233.245.91 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
63 35.001683 10.0.2.15 -> 62.233.245.91 SSL Continuation Data
57/[2011-11-29 00:25:45] "C:\APT_2012().pdf"
--
58/[2011-11-29 00:28:15] "C:\APT_2012()2.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
58/[2011-11-29 00:28:15] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
--
59/[2011-11-29 00:30:42] "C:\APT_2012()3.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
59/[2011-11-29 00:30:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d8caps.dat"
59/[2011-11-29 00:30:43] "C:\WINDOWS\system32\d3d9caps.dat"
59/[2011-11-29 00:30:43] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
59 34.274013 10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.193422 10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
73 43.201705 10.0.2.15 -> 59.120.54.79 TCP 1043 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
76 55.221290 10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 58.222827 10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
82 64.232492 10.0.2.15 -> 59.120.54.79 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
86 76.250579 10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
88 79.253888 10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
91 85.262904 10.0.2.15 -> 2.116.180.66 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
95 97.180318 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
97 97.376698 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
98 97.376875 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
99 97.377127 10.0.2.15 -> 2.116.180.66 HTTP GET /rqban.php?id=0026041911386GB524 HTTP/1.1
100 97.377168 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [ACK] Seq=1 Ack=188 Win=65535 Len=0
110 127.883970 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
111 127.884082 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [ACK] Seq=1 Ack=189 Win=65535 Len=0
112 127.884442 10.0.2.15 -> 2.229.10.5 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
113 128.055148 2.116.180.66 -> 10.0.2.15 TCP 80 > 1048 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
114 128.055442 10.0.2.15 -> 2.116.180.66 TCP 1048 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
116 130.827421 10.0.2.15 -> 2.229.10.5 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
121 136.835963 10.0.2.15 -> 2.229.10.5 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
60/[2011-11-29 00:33:09] "C:\APT_2015.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
60/[2011-11-29 00:33:10] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d8caps.dat"
60/[2011-11-29 00:33:10] "C:\WINDOWS\system32\d3d9caps.dat"
60/[2011-11-29 00:33:10] "iso88591"
90 85.128211 10.0.2.15 -> 71.246.244.139 TCP 1047 > 1010 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
94 97.055009 10.0.2.15 -> 206.253.41.47 TCP 1048 > 8080 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
61/[2011-11-29 00:35:36] "C:\APT_AEO.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
61/[2011-11-29 00:35:37] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d8caps.dat"
61/[2011-11-29 00:35:37] "C:\WINDOWS\system32\d3d9caps.dat"
61/[2011-11-29 00:35:37] "iso88591"
98 105.995079 10.0.2.15 -> 61.203.196.118 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
103 120.016061 10.0.2.15 -> 220.135.104.7 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62/[2011-11-29 00:38:03] "C:\APT_ATT03306.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
62/[2011-11-29 00:38:03] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d8caps.dat"
62/[2011-11-29 00:38:03] "C:\WINDOWS\system32\d3d9caps.dat"
62/[2011-11-29 00:38:03] "iso88591"
62 34.663176 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 34.664159 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 34.664179 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
63/[2011-11-29 00:40:29] "C:\APT_ATT03865.pdf"
64/[2011-11-29 00:42:59] "C:\APT_ATT11990.pdf"
64/[2011-11-29 00:43:00] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\cmd.exe"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d8caps.dat"
64/[2011-11-29 00:43:00] "C:\WINDOWS\system32\d3d9caps.dat"
64/[2011-11-29 00:43:00] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
66 40.373167 10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
67 40.819758 60.249.85.109 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 40.820024 10.0.2.15 -> 60.249.85.109 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 40.820061 10.0.2.15 -> 60.249.85.109 SSL Continuation Data
70 40.820088 60.249.85.109 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=23 Win=65535 Len=0
74 40.881943 10.0.2.15 -> 68.87.73.246 DNS Standard query A checkip.dyndns.org
75 41.032372 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME checkip.dyndns.com A 216.146.39.70 A 91.198.22.70 A 216.146.38.70
76 41.033219 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 41.269469 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
78 41.270321 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
79 41.270384 10.0.2.15 -> 216.146.39.70 HTTP GET / HTTP/1.1 Continuation or non-HTTP traffic
80 41.270423 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=65 Win=65535 Len=0
81 41.552327 216.146.39.70 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
82 41.552557 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [FIN, ACK] Seq=261 Ack=65 Win=65535 Len=0
83 41.552712 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [ACK] Seq=65 Ack=262 Win=63980 Len=0
84 41.552744 10.0.2.15 -> 216.146.39.70 TCP 1045 > 80 [FIN, ACK] Seq=65 Ack=262 Win=63980 Len=0
85 41.552773 216.146.39.70 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=262 Ack=66 Win=65535 Len=0
86 41.553781 10.0.2.15 -> 60.249.85.109 SSL Continuation Data
65/[2011-11-29 00:45:26] "C:\APT_ATT25948.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
65/[2011-11-29 00:45:27] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d8caps.dat"
65/[2011-11-29 00:45:27] "C:\WINDOWS\system32\d3d9caps.dat"
65/[2011-11-29 00:45:27] "iso88591"
60 35.138773 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.703752 203.116.203.67 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.703752 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 35.703752 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
65 35.703752 203.116.203.67 -> 10.0.2.15 TCP 443 > 1044 [ACK] Seq=1 Ack=194 Win=65535 Len=0
68 37.287146 203.116.203.67 -> 10.0.2.15 SSL Continuation Data
66/[2011-11-29 00:47:53] "C:\APT_ATT41702.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
66/[2011-11-29 00:47:54] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d8caps.dat"
66/[2011-11-29 00:47:54] "C:\WINDOWS\system32\d3d9caps.dat"
66/[2011-11-29 00:47:54] "iso88591"
62 35.220147 10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
63 35.729797 203.92.33.98 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
64 35.730349 10.0.2.15 -> 203.92.33.98 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
65 35.730367 10.0.2.15 -> 203.92.33.98 SSL Continuation Data
66 35.730401 203.92.33.98 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=192 Win=65535 Len=0
68 36.008025 203.92.33.98 -> 10.0.2.15 TCP 443 > 1043 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0
67/[2011-11-29 00:50:20] "C:\APT_ATT63950.pdf"
68/[2011-11-29 00:52:48] "C:\APT_ATT78434.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
68/[2011-11-29 00:52:49] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d8caps.dat"
68/[2011-11-29 00:52:49] "C:\WINDOWS\system32\d3d9caps.dat"
68/[2011-11-29 00:52:49] "iso88591"
106 118.728793 10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
107 119.104435 62.233.245.91 -> 10.0.2.15 TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
108 119.104435 10.0.2.15 -> 62.233.245.91 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
109 119.104435 10.0.2.15 -> 62.233.245.91 HTTP GET /vikqz.php?id=0007871911386GB524 HTTP/1.1
110 119.104435 62.233.245.91 -> 10.0.2.15 TCP 80 > 1050 [ACK] Seq=1 Ack=189 Win=65535 Len=0
111 119.290731 62.233.245.91 -> 10.0.2.15 HTTP HTTP/1.1 404 Nie znaleziono obiektu (text/html)
112 119.291465 62.233.245.91 -> 10.0.2.15 TCP 80 > 1050 [FIN, ACK] Seq=312 Ack=189 Win=65535 Len=0
69/[2011-11-29 00:55:16] "C:\APT_ATT85096.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\different orgasms.pdf"
69/[2011-11-29 00:55:17] "C:\DOCUME~1\Angie\LOCALS~1\Temp\svchost.exe"
70/[2011-11-29 00:57:43] "C:\APT_ATT88422.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11.pdf"
70/[2011-11-29 00:57:43] "C:\DOCUME~1\Angie\LOCALS~1\Temp\ccapp.exe"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d8caps.dat"
70/[2011-11-29 00:57:43] "C:\WINDOWS\system32\d3d9caps.dat"
70/[2011-11-29 00:57:43] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
61 34.446095 10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
66 37.377861 10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
74 43.386561 10.0.2.15 -> 59.120.54.79 TCP 1044 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 55.405520 10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
79 58.407708 10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 64.416957 10.0.2.15 -> 59.120.54.79 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
87 76.434892 10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
89 79.438217 10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
92 85.447996 10.0.2.15 -> 2.116.180.66 TCP 1048 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
96 97.365250 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
98 97.766921 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
99 97.767318 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
100 97.767349 10.0.2.15 -> 2.116.180.66 HTTP GET /hrqxk.php?id=0100641911386GB524 HTTP/1.1
101 97.767394 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [ACK] Seq=1 Ack=188 Win=65535 Len=0
111 128.279223 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [FIN, ACK] Seq=188 Ack=1 Win=64240 Len=0
112 128.279304 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [ACK] Seq=1 Ack=189 Win=65535 Len=0
113 128.279790 10.0.2.15 -> 2.229.10.5 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
114 128.455002 2.116.180.66 -> 10.0.2.15 TCP 80 > 1049 [FIN, ACK] Seq=1 Ack=189 Win=65535 Len=0
115 128.455337 10.0.2.15 -> 2.116.180.66 TCP 1049 > 80 [ACK] Seq=189 Ack=2 Win=64240 Len=0
117 131.213059 10.0.2.15 -> 2.229.10.5 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
122 137.221641 10.0.2.15 -> 2.229.10.5 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
71/[2011-11-29 01:00:10] "C:\APT_ATT93159.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
71/[2011-11-29 01:00:11] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d8caps.dat"
71/[2011-11-29 01:00:11] "C:\WINDOWS\system32\d3d9caps.dat"
71/[2011-11-29 01:00:11] "iso88591"
61 35.267636 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.755264 203.116.203.67 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.755767 10.0.2.15 -> 203.116.203.67 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
72/[2011-11-29 01:00:52] "C:\APT_ATT93487.pdf"
72/[2011-11-29 01:00:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\11111.exe"
72/[2011-11-29 01:00:53] "C:\WINDOWS\system32\cmd.exe"
49 28.589394 10.0.2.15 -> 68.87.73.246 DNS Standard query A family.mobwork.net
52 28.815334 68.87.73.246 -> 10.0.2.15 DNS Standard query response, No such name
53 28.824172 10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
55 29.391808 60.249.219.82 -> 10.0.2.15 TCP 443 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
56 29.393046 10.0.2.15 -> 60.249.219.82 TCP 1045 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
57 29.393089 10.0.2.15 -> 60.249.219.82 SSL Continuation Data
73/[2011-11-29 01:03:20] "C:\APT_Bainbridge Skills.pdf"
73/[2011-11-29 01:03:20] "C:\WINDOWS\\googlesetup.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\AdobeARM.dll"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\cmd.exe"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d8caps.dat"
73/[2011-11-29 01:03:20] "C:\WINDOWS\system32\d3d9caps.dat"
1 0.000000 -> Ethernet [Packet size limited during capture]
60 34.385805 10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org
61 34.386808 10.0.2.15 -> 68.87.73.246 DNS Standard query A www.microsoft.com
63 34.651537 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME toggle.www.ms.akadns.net CNAME g.www.ms.akadns.net CNAME lb1.www.ms.akadns.net A 207.46.19.254
64 34.653667 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 34.660488 68.87.73.246 -> 10.0.2.15 DNS Standard query response, No such name
66 34.661636 10.0.2.15 -> 68.87.73.246 DNS Standard query A winssl.dyndns.org.hsd1.va.comcast.net
67 34.929382 207.46.19.254 -> 10.0.2.15 TCP 80 > 1047 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 34.929845 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 34.948980 68.87.73.246 -> 10.0.2.15 DNS Standard query response, No such name
71 35.171205 10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
72 35.171292 207.46.19.254 -> 10.0.2.15 TCP 80 > 1047 [ACK] Seq=1 Ack=1130 Win=65535 Len=0
73 35.457443 207.46.19.254 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
74 35.457494 207.46.19.254 -> 10.0.2.15 HTTP HTTP/1.0 200 OK (text/html)
75 35.457916 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [ACK] Seq=1130 Ack=557 Win=63685 Len=0
76 35.470823 10.0.2.15 -> 207.46.19.254 TCP 1047 > 80 [FIN, ACK] Seq=1130 Ack=557 Win=63685 Len=0
77 35.470895 207.46.19.254 -> 10.0.2.15 TCP 80 > 1047 [ACK] Seq=557 Ack=1131 Win=65535 Len=0
79 36.074407 10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80 36.294800 207.46.19.254 -> 10.0.2.15 TCP 80 > 1049 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
81 36.295728 10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
82 36.297643 10.0.2.15 -> 207.46.19.254 HTTP GET /isapi/redir.dll?prd=ie&pver=6&ar=msnhome HTTP/1.1
83 36.297718 207.46.19.254 -> 10.0.2.15 TCP 80 > 1049 [ACK] Seq=1 Ack=1291 Win=65535 Len=0
84 36.534015 207.46.19.254 -> 10.0.2.15 HTTP HTTP/1.1 302 Found (text/html)
85 36.536261 10.0.2.15 -> 68.87.73.246 DNS Standard query A home.microsoft.com
86 36.648320 10.0.2.15 -> 207.46.19.254 TCP 1049 > 80 [ACK] Seq=1291 Ack=547 Win=63694 Len=0
88 36.699394 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME redir.blu.cb3.glbdns.microsoft.com A 65.55.206.209
89 36.700413 10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
90 36.873588 65.55.206.209 -> 10.0.2.15 TCP 80 > 1050 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
91 36.874437 10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
92 36.874467 10.0.2.15 -> 65.55.206.209 HTTP GET / HTTP/1.1
93 36.874531 65.55.206.209 -> 10.0.2.15 TCP 80 > 1050 [ACK] Seq=1 Ack=1129 Win=65535 Len=0
94 37.055783 65.55.206.209 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently
95 37.057985 10.0.2.15 -> 68.87.73.246 DNS Standard query A www.msn.com
96 37.236864 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME us.co1.cb3.glbdns.microsoft.com A 207.46.140.34
97 37.238158 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
98 37.249543 10.0.2.15 -> 65.55.206.209 TCP 1050 > 80 [ACK] Seq=1129 Ack=298 Win=63943 Len=0
100 37.491542 207.46.140.34 -> 10.0.2.15 TCP 80 > 1051 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
101 37.492462 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
102 37.492498 10.0.2.15 -> 207.46.140.34 HTTP GET / HTTP/1.1
103 37.492538 207.46.140.34 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=1 Ack=817 Win=65535 Len=0
104 37.814454 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
105 37.814506 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
106 37.814816 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=1449 Win=62792 Len=0
107 37.814902 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
108 37.814937 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
109 37.815251 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=2897 Win=64240 Len=0
110 37.836372 10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stc.s-msn.com
111 37.909124 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
112 37.909177 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
113 37.909422 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
114 37.909451 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
115 37.909473 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=4345 Win=62792 Len=0
116 37.909731 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=5793 Win=64240 Len=0
117 37.909824 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
118 37.909849 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
119 37.909985 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=7241 Win=62792 Len=0
120 37.910259 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
121 37.910488 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
122 37.910618 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=8689 Win=64240 Len=0
123 38.002706 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
124 38.002774 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
125 38.003245 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
126 38.003373 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
127 38.003895 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
128 38.003940 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=10137 Win=62792 Len=0
129 38.003985 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=11585 Win=64240 Len=0
130 38.004040 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
131 38.004123 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=13033 Win=62792 Len=0
132 38.005081 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
133 38.005125 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
134 38.005268 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=14481 Win=61344 Len=0
135 38.005378 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
136 38.005419 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
137 38.005525 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=15929 Win=59896 Len=0
138 38.005995 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
139 38.006038 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
140 38.006180 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=17377 Win=58448 Len=0
141 38.010812 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
142 38.010857 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
143 38.011153 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=18825 Win=57000 Len=0
144 38.011266 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
145 38.011312 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
146 38.011471 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=20273 Win=55552 Len=0
147 38.031499 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME colstc.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.209 A 65.54.81.185
148 38.032809 10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
149 38.032977 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
150 38.035078 10.0.2.15 -> 207.46.140.34 TCP [TCP Window Update] 1051 > 80 [ACK] Seq=817 Ack=20273 Win=64240 Len=0
151 38.091287 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
152 38.091328 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
153 38.091541 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=21721 Win=62792 Len=0
154 38.091594 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
155 38.091634 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
156 38.091800 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=23169 Win=64240 Len=0
157 38.091879 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
158 38.091903 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
159 38.092222 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=24617 Win=62792 Len=0
160 38.092252 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
161 38.092276 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
162 38.092752 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=26065 Win=64240 Len=0
163 38.092832 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
164 38.092860 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
165 38.093222 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=27513 Win=62792 Len=0
166 38.093252 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
167 38.093275 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
168 38.093711 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=28961 Win=64240 Len=0
169 38.093740 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
170 38.093769 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
171 38.094127 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=30409 Win=62792 Len=0
172 38.094157 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
173 38.094180 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
174 38.095541 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=31857 Win=61344 Len=0
175 38.095575 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
176 38.095605 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
177 38.096013 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=33305 Win=59896 Len=0
178 38.096093 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
179 38.096119 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
180 38.097120 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=34753 Win=58448 Len=0
181 38.097151 10.0.2.15 -> 207.46.140.34 TCP [TCP Window Update] 1051 > 80 [ACK] Seq=817 Ack=34753 Win=64240 Len=0
182 38.097195 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
183 38.097248 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
184 38.097469 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=36201 Win=62792 Len=0
185 38.097493 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
186 38.097528 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
187 38.097842 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=37649 Win=64240 Len=0
188 38.097871 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
189 38.097901 207.46.140.34 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
190 38.097952 207.46.140.34 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
191 38.098031 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=39097 Win=62792 Len=0
193 38.237992 65.54.81.209 -> 10.0.2.15 TCP 80 > 1052 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
194 38.238320 65.54.81.209 -> 10.0.2.15 TCP 80 > 1053 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
195 38.238404 10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
196 38.238788 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
197 38.238804 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/css/3c/e52849405b21b1b7b78858e8f94f2f.css HTTP/1.1
198 38.238890 65.54.81.209 -> 10.0.2.15 TCP 80 > 1052 [ACK] Seq=1 Ack=377 Win=65535 Len=0
199 38.240511 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/css/f5/c58b60aba0638d30b1ba54ac21ef03.css HTTP/1.1
200 38.240573 65.54.81.209 -> 10.0.2.15 TCP 80 > 1053 [ACK] Seq=1 Ack=377 Win=65535 Len=0
201 38.250677 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=817 Ack=39854 Win=64240 Len=0
202 38.449344 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
203 38.464082 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
204 38.512984 10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stj.s-msn.com
205 38.551278 10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=377 Ack=168 Win=64073 Len=0
206 38.652280 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=377 Ack=169 Win=64072 Len=0
207 38.728227 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME colstj.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.24 A 65.54.81.18
208 38.729729 10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
209 38.733541 10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
210 38.735147 10.0.2.15 -> 68.87.73.246 DNS Standard query A amer.rel.msn.com
211 38.739101 10.0.2.15 -> 68.87.73.246 DNS Standard query A exp.www.msn.com
212 38.824585 10.0.2.15 -> 68.87.73.246 DNS Standard query A udc.msn.com
216 38.955997 65.54.81.24 -> 10.0.2.15 TCP 80 > 1055 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
217 38.956179 10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
218 38.956342 65.54.81.24 -> 10.0.2.15 TCP 80 > 1054 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
219 38.958079 10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
220 38.961515 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME amer.hops.glbdns.microsoft.com A 207.46.140.46
221 38.962824 10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
222 38.965918 10.0.2.15 -> 68.87.73.246 DNS Standard query A view.atdmt.com
223 38.967318 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME ro-msn.exp.glbdns.microsoft.com A 65.55.18.18
224 38.973159 10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
225 38.974222 10.0.2.15 -> 68.87.73.246 DNS Standard query A b.scorecardresearch.com
226 39.051152 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME udc.udc0.glbdns.microsoft.com A 70.37.130.35
227 39.053649 10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
228 39.053691 10.0.2.15 -> 68.87.73.246 DNS Standard query A c.msn.com
229 39.200684 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 65.55.33.48
230 39.201639 10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
231 39.204105 10.0.2.15 -> 68.87.73.246 DNS Standard query A www.bing.com
232 39.204532 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME b.scorecardresearch.com.edgesuite.net CNAME a1294.w20.akamai.net A 96.17.168.80 A 96.17.168.152 A 96.17.168.98
233 39.206253 10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
234 39.206283 10.0.2.15 -> 68.87.73.246 DNS Standard query A col.stb.s-msn.com
235 39.265296 207.46.140.46 -> 10.0.2.15 TCP 80 > 1057 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
236 39.265754 10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
237 39.278876 65.55.18.18 -> 10.0.2.15 TCP 80 > 1058 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
238 39.279083 10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
239 39.281502 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME c.msn.com.nsatc.net A 64.4.21.39
240 39.283203 10.0.2.15 -> 64.4.21.39 TCP 1062 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
241 39.283360 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/icons/BING_websearch_2.jpg HTTP/1.1
242 39.283416 65.54.81.209 -> 10.0.2.15 TCP 80 > 1052 [ACK] Seq=168 Ack=740 Win=65535 Len=0
243 39.304309 70.37.130.35 -> 10.0.2.15 TCP 80 > 1059 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
244 39.304617 10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
245 39.442570 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME colstb.co1.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.24 A 65.54.81.47
246 39.443333 96.17.168.80 -> 10.0.2.15 TCP 80 > 1061 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
247 39.443994 10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
248 39.444021 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
249 39.444045 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME search.ms.com.edgesuite.net CNAME a134.b.akamai.net A 96.17.171.161 A 96.17.171.99
250 39.445180 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
251 39.447047 10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
252 39.447064 10.0.2.15 -> 68.87.73.246 DNS Standard query A blst.msn.com
253 39.447074 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/ff/adchoices_gif2.gif HTTP/1.1
254 39.447147 65.54.81.209 -> 10.0.2.15 TCP 80 > 1053 [ACK] Seq=169 Ack=733 Win=65535 Len=0
255 39.449020 10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/01/dapmsn_exp_min.js HTTP/1.1
256 39.449080 10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/jquery/jquery-1.4.2.min.js HTTP/1.1
257 39.449102 10.0.2.15 -> 207.46.140.46 HTTP GET /default.aspx?parsergroup=hops&fk=W&gp=P&optkey=default&rf=&di=340&pi=7317&ps=95101&pageid=6875603&mk=en-us&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&tfk=C%3Adefault&utk=&cts=1322546503640&tv=infopane_hops%3Ana%2Clocaltg%3Alocal%2Cstgsearch%3Apopsrchnew%2Csocialtg%3Afacebook HTTP/1.1
258 39.449124 65.54.81.24 -> 10.0.2.15 TCP 80 > 1055 [ACK] Seq=1 Ack=360 Win=65535 Len=0
259 39.449151 65.54.81.24 -> 10.0.2.15 TCP 80 > 1054 [ACK] Seq=1 Ack=364 Win=65535 Len=0
260 39.449168 207.46.140.46 -> 10.0.2.15 TCP 80 > 1057 [ACK] Seq=1 Ack=932 Win=65535 Len=0
261 39.449798 10.0.2.15 -> 65.55.18.18 HTTP GET /ro.aspx?evt=impr&obs=msnhp_us_pv&di=340&pi=7317&ps=95101&pn=US+HPMSFT3WANBOV2T2&ch=MSFT&rid=&cts=1322546503640&rf=&slv=0&tp=http%3A%2F%2Fwww.msn.com%2F HTTP/1.1
262 39.449817 10.0.2.15 -> 70.37.130.35 HTTP GET /c.gif?evt=impr&js=1&rid=&exa=msnhp_us_master_v2%3AWP10_5%2Cmsnhp_us_anbov2%3AT2&pp=False&bd=&gnd=&cts=1322546503670&aop=&expac=673II6B39_0912%3AT2~40II3a39_0803%3AWP10_5%7C&dv.SNLogin=fb%3Af%2Ctw%3Af&dv.GrpFrMod=infopane_hops%3Ana%2Clocaltg%3Alocal%2Cstgsearch%3Apopsrchnew%2Csocialtg%3Afacebook&hp=N&fk=W&gp=P&optkey=default&clid=3CE72C262627635C3C662E93222763E1&rf=&cu=http%3A%2F%2Fwww.msn.com%2F&sl=0&slv=0&bh=294&bw=609&scr=800x600&sd=32&di=340&pi=7317&ps=95101&mk=en-us&pn=US+HPMSFT3WANBOV2T2&pid=6875603&su=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&pageid=6875603&br=MSFT&mv=V14 HTTP/1.1
263 39.449827 10.0.2.15 -> 96.17.168.80 HTTP GET /b?c1=2&c2=3000001&c7=http%3A%2F%2Fwww.msn.com%2F&c9=&rn=1322546503680 HTTP/1.1
264 39.449861 65.55.18.18 -> 10.0.2.15 TCP 80 > 1058 [ACK] Seq=1 Ack=915 Win=65535 Len=0
265 39.449887 70.37.130.35 -> 10.0.2.15 TCP 80 > 1059 [ACK] Seq=1 Ack=1234 Win=65535 Len=0
266 39.449932 96.17.168.80 -> 10.0.2.15 TCP 80 > 1061 [ACK] Seq=1 Ack=383 Win=65535 Len=0
267 39.509919 65.55.33.48 -> 10.0.2.15 TCP 80 > 1060 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
268 39.510410 10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
269 39.510434 10.0.2.15 -> 65.55.33.48 HTTP GET /action/MSN_Homepage_Remessaging_111808/nc?a=1 HTTP/1.1
270 39.510488 65.55.33.48 -> 10.0.2.15 TCP 80 > 1060 [ACK] Seq=1 Ack=488 Win=65535 Len=0
271 39.519224 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
272 39.520668 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/07/617475cf39bf6f5c0bd6ecb985335c.gif HTTP/1.1
273 39.520762 65.54.81.209 -> 10.0.2.15 TCP 80 > 1052 [ACK] Seq=339 Ack=1112 Win=65535 Len=0
274 39.594079 64.4.21.39 -> 10.0.2.15 TCP 80 > 1062 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
275 39.594624 10.0.2.15 -> 64.4.21.39 TCP 1062 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
276 39.594651 10.0.2.15 -> 64.4.21.39 HTTP GET /c.gif?udc=true&di=340&pi=7317&ps=95101&lng=en-us&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&rnd=1322546503680&rf=&scr=800x600 HTTP/1.1
277 39.594707 64.4.21.39 -> 10.0.2.15 TCP 80 > 1062 [ACK] Seq=1 Ack=791 Win=65535 Len=0
278 39.686830 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME blst.blu.cb3.glbdns.microsoft.com CNAME msn.vo.msecnd.net A 65.54.81.47 A 65.54.81.24
279 39.688064 10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
280 39.688328 96.17.171.161 -> 10.0.2.15 TCP 80 > 1065 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
281 39.688516 10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
282 39.688690 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
283 39.689023 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
284 39.690695 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
285 39.690716 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
286 39.690727 10.0.2.15 -> 96.17.171.161 HTTP GET /partner/primedns.gif HTTP/1.1
287 39.690749 10.0.2.15 -> 65.54.81.24 HTTP GET /i/B7/EB75D45B8948F72EE451223E95A96.gif HTTP/1.1
288 39.690758 10.0.2.15 -> 65.54.81.24 HTTP GET /i/65/CDAB2F44A1591D2B308C20C6C15375.jpg HTTP/1.1
289 39.690786 96.17.171.161 -> 10.0.2.15 TCP 80 > 1065 [ACK] Seq=1 Ack=492 Win=65535 Len=0
290 39.690805 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=1 Ack=372 Win=65535 Len=0
291 39.690816 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=1 Ack=372 Win=65535 Len=0
292 39.691986 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
293 39.693701 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/7d/7fda667169fb45760dd7152ddafd78.gif HTTP/1.1
294 39.693744 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
295 39.693804 65.54.81.209 -> 10.0.2.15 TCP 80 > 1053 [ACK] Seq=339 Ack=1107 Win=65535 Len=0
296 39.694158 10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/cf/ece838bdac41f565b1c59d87c4c9cf63.js HTTP/1.1
297 39.694198 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
298 39.694217 65.54.81.24 -> 10.0.2.15 TCP 80 > 1055 [ACK] Seq=184 Ack=736 Win=65535 Len=0
299 39.708116 96.17.168.80 -> 10.0.2.15 HTTP HTTP/1.1 204 No Content
300 39.731730 70.37.130.35 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
301 39.769324 207.46.140.46 -> 10.0.2.15 HTTP HTTP/1.1 204 No Content
302 39.776036 10.0.2.15 -> 68.87.73.246 DNS Standard query A rad.msn.com
303 39.776145 65.55.18.18 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
304 39.782075 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
305 39.786147 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/f8/614595fba50d96389708a4135776e4.gif HTTP/1.1
306 39.786252 65.54.81.209 -> 10.0.2.15 TCP 80 > 1052 [ACK] Seq=509 Ack=1487 Win=65535 Len=0
307 39.852770 10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=364 Ack=185 Win=64056 Len=0
308 39.852800 10.0.2.15 -> 96.17.168.80 TCP 1061 > 80 [ACK] Seq=383 Ack=249 Win=63992 Len=0
309 39.852816 10.0.2.15 -> 70.37.130.35 TCP 1059 > 80 [ACK] Seq=1234 Ack=368 Win=63873 Len=0
310 39.928698 65.55.33.48 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
311 39.928761 65.55.33.48 -> 10.0.2.15 TCP 80 > 1060 [FIN, ACK] Seq=257 Ack=488 Win=65535 Len=0
312 39.929609 10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [ACK] Seq=488 Ack=258 Win=63984 Len=0
313 39.929655 10.0.2.15 -> 65.55.33.48 TCP 1060 > 80 [FIN, ACK] Seq=488 Ack=258 Win=63984 Len=0
314 39.929731 65.55.33.48 -> 10.0.2.15 TCP 80 > 1060 [ACK] Seq=258 Ack=489 Win=65535 Len=0
315 39.948119 64.4.21.39 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
316 39.952979 10.0.2.15 -> 207.46.140.46 TCP 1057 > 80 [ACK] Seq=932 Ack=293 Win=63948 Len=0
317 39.953047 10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=915 Ack=371 Win=63870 Len=0
318 39.966706 65.54.81.47 -> 10.0.2.15 TCP 80 > 1066 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
319 39.967116 10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
320 39.967167 10.0.2.15 -> 65.54.81.47 HTTP GET /as/wea3/i/en-us/law/11.gif HTTP/1.1
321 39.967213 65.54.81.47 -> 10.0.2.15 TCP 80 > 1066 [ACK] Seq=1 Ack=666 Win=65535 Len=0
322 39.973864 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
323 39.974378 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
324 39.974529 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
325 39.975523 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/0c/c57bc2a7d38843d7c4aa8028fc9f82.gif HTTP/1.1
326 39.975607 65.54.81.209 -> 10.0.2.15 TCP 80 > 1053 [ACK] Seq=508 Ack=1481 Win=65535 Len=0
327 39.998798 10.0.2.15 -> 65.54.81.24 HTTP GET /i/93/FBAB2A6CE18375B5A6A8AB82A7DF1A.jpg HTTP/1.1
328 39.998894 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=171 Ack=744 Win=65535 Len=0
329 39.999124 10.0.2.15 -> 65.54.81.24 HTTP GET /i/C3/D7F23B32F2CD62EC115C23378FFE1.jpg HTTP/1.1
330 39.999176 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=170 Ack=743 Win=65535 Len=0
331 40.011676 96.17.171.161 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
332 40.042310 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME rad.msn.com.nsatc.net A 65.55.121.231 A 65.55.192.10
333 40.043911 10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
334 40.053005 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
335 40.053287 10.0.2.15 -> 64.4.21.39 TCP 1062 > 80 [ACK] Seq=791 Ack=423 Win=63818 Len=0
336 40.054856 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/c1/cc36ca69630adc1a2052edc7351a47.gif HTTP/1.1
337 40.054915 65.54.81.209 -> 10.0.2.15 TCP 80 > 1052 [ACK] Seq=679 Ack=1861 Win=65535 Len=0
338 40.153403 10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=492 Ack=277 Win=63964 Len=0
339 40.231698 65.54.81.47 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
340 40.240187 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
341 40.255247 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
342 40.259013 10.0.2.15 -> 65.54.81.24 HTTP GET /i/A2/CB94E521DF334C97CB2DC5056A52E.jpg HTTP/1.1
343 40.259091 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=339 Ack=1114 Win=65535 Len=0
344 40.261390 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
345 40.262416 10.0.2.15 -> 65.54.81.24 HTTP GET /i/E2/7244F875BC3B1936217FC28AC541.jpg HTTP/1.1
346 40.262477 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=338 Ack=1023 Win=65535 Len=0
347 40.295186 65.55.121.231 -> 10.0.2.15 TCP 80 > 1067 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
348 40.295368 10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
349 40.296893 10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNPFS&AP=1089 HTTP/1.1
350 40.296959 65.55.121.231 -> 10.0.2.15 TCP 80 > 1067 [ACK] Seq=1 Ack=771 Win=65535 Len=0
351 40.322531 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
352 40.353817 10.0.2.15 -> 65.54.81.47 TCP 1066 > 80 [ACK] Seq=666 Ack=1208 Win=63033 Len=0
353 40.353850 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1481 Ack=678 Win=63563 Len=0
354 40.453894 10.0.2.15 -> 65.54.81.209 TCP 1052 > 80 [ACK] Seq=1861 Ack=849 Win=63392 Len=0
355 40.524032 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
356 40.528151 10.0.2.15 -> 65.54.81.24 HTTP GET /i/14/37366221F516EE388EAC8C26DC4FE9.jpg HTTP/1.1
357 40.528255 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=507 Ack=1396 Win=65535 Len=0
358 40.531938 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
359 40.531989 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
360 40.532222 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
361 40.532260 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=1786 Win=64240 Len=0
362 40.532302 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
363 40.532631 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=3234 Win=62792 Len=0
364 40.533444 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
365 40.533500 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
366 40.533600 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=4682 Win=64240 Len=0
367 40.535446 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
368 40.535491 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
369 40.535892 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=1023 Ack=6130 Win=62792 Len=0
370 40.536668 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
371 40.538144 10.0.2.15 -> 65.54.81.24 HTTP GET /i/25/4075B47E5BDF545B1FB27F1C75CDEC.jpg HTTP/1.1
372 40.538206 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=6514 Ack=1395 Win=65535 Len=0
373 40.571685 65.55.121.231 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
374 40.571749 65.55.121.231 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
375 40.572327 10.0.2.15 -> 65.55.121.231 TCP 1067 > 80 [ACK] Seq=771 Ack=1870 Win=64240 Len=0
376 40.647941 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
377 40.648000 10.0.2.15 -> 68.87.73.246 DNS Standard query A ads.pointroll.com
378 40.723783 10.0.2.15 -> 65.55.18.18 HTTP GET /msn/msnhp_us_ttg?ty=TBCB&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
379 40.723783 65.55.18.18 -> 10.0.2.15 TCP 80 > 1058 [ACK] Seq=371 Ack=1813 Win=65535 Len=0
380 40.803441 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
381 40.803523 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
382 40.803534 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
383 40.803827 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
384 40.803865 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=1955 Win=64240 Len=0
385 40.803911 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
386 40.804073 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=3403 Win=62792 Len=0
387 40.804503 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
388 40.804542 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
389 40.804853 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=4851 Win=64240 Len=0
390 40.806526 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
391 40.806560 65.54.81.24 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
392 40.807193 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=1396 Ack=6299 Win=62792 Len=0
393 40.807992 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
394 40.856905 10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=736 Ack=367 Win=63874 Len=0
395 40.861585 10.0.2.15 -> 65.54.81.24 HTTP GET /i/E2/37BA92E210D341BFDBF4126422A3D2.gif HTTP/1.1
396 40.861609 10.0.2.15 -> 65.54.81.24 HTTP GET /i/C4/9F97E4662E66D88ACDC52D97FC6C1.jpg HTTP/1.1
397 40.861689 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=6932 Ack=1767 Win=65535 Len=0
398 40.861708 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=6682 Ack=1765 Win=65535 Len=0
399 40.880472 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 72.32.153.176
400 40.882015 10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
401 40.969332 10.0.2.15 -> 96.17.171.161 HTTP GET /sck?cn=_SS&r=http://www.msn.com/sck.aspx&form=MSN005&h=b8642205-0de1-dc10-ed9b-66c5af494dd5 HTTP/1.1
402 40.969549 96.17.171.161 -> 10.0.2.15 TCP 80 > 1065 [ACK] Seq=277 Ack=1165 Win=65535 Len=0
403 40.972923 10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
404 40.975068 10.0.2.15 -> 68.87.73.246 DNS Standard query A api.bing.com
405 40.999068 10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/51/anatm.js HTTP/1.1
406 40.999068 65.54.81.24 -> 10.0.2.15 TCP 80 > 1054 [ACK] Seq=185 Ack=714 Win=65535 Len=0
407 40.999068 10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
408 41.064842 65.55.18.18 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
409 41.143402 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
410 41.143476 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
411 41.151195 10.0.2.15 -> 65.54.81.24 HTTP GET /i/AD/A7F1B2A19D642097AC7567BCFCC2.jpg HTTP/1.1
412 41.151220 10.0.2.15 -> 65.54.81.24 HTTP GET /i/96/FFFA8C9EF55535D7A289CE662951.jpg HTTP/1.1
413 41.151299 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=7101 Ack=2136 Win=65535 Len=0
414 41.151320 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=6850 Ack=2135 Win=65535 Len=0
415 41.189538 72.32.153.176 -> 10.0.2.15 TCP 80 > 1068 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
416 41.190057 10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
417 41.190073 10.0.2.15 -> 72.32.153.176 HTTP GET /PortalServe/?pid=1501166P77620111115192417&flash=6&time=2|1:1|-5&pos=s&ajx=1&redir=$CTURL$&r=0.970374845534282 HTTP/1.1
418 41.190128 72.32.153.176 -> 10.0.2.15 TCP 80 > 1068 [ACK] Seq=1 Ack=354 Win=65535 Len=0
419 41.250078 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME search.ms.com.edgesuite.net CNAME a134.b.akamai.net A 96.17.171.99 A 96.17.171.161
420 41.251219 96.17.171.161 -> 10.0.2.15 TCP 80 > 1069 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
421 41.251269 10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
422 41.251658 10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
423 41.251679 10.0.2.15 -> 96.17.171.161 HTTP GET /s/as/899538/en.js HTTP/1.1
424 41.251728 96.17.171.161 -> 10.0.2.15 TCP 80 > 1069 [ACK] Seq=1 Ack=489 Win=65535 Len=0
425 41.256685 10.0.2.15 -> 65.55.18.18 TCP 1058 > 80 [ACK] Seq=1813 Ack=741 Win=63500 Len=0
426 41.273484 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
427 41.297670 96.17.171.161 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
428 41.345989 65.55.18.18 -> 10.0.2.15 TCP 80 > 1070 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
429 41.346529 10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
430 41.346547 10.0.2.15 -> 65.55.18.18 HTTP GET /msn/msnhp_us_ttg?ty=TACB&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
431 41.346610 65.55.18.18 -> 10.0.2.15 TCP 80 > 1070 [ACK] Seq=1 Ack=899 Win=65535 Len=0
432 41.385740 10.0.2.15 -> 207.46.140.34 HTTP GET /sck.aspx?cv=_SS%3dSID%3d7415D61A534D4976A4769A771B40DC4E%3b&h=b8642205-0de1-dc10-ed9b-66c5af494dd5 HTTP/1.1
433 41.385855 207.46.140.34 -> 10.0.2.15 TCP 80 > 1051 [ACK] Seq=39854 Ack=1853 Win=65535 Len=0
434 41.431317 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
435 41.434812 10.0.2.15 -> 65.54.81.24 HTTP GET /i/EE/4DA23F4C5870A75228FEAFD14EFBF.gif HTTP/1.1
436 41.434897 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=7269 Ack=2506 Win=65535 Len=0
437 41.436012 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
438 41.439276 10.0.2.15 -> 65.54.81.24 HTTP GET /i/5D/EE55A9EE91D76B923A4CD03D9B9A.jpg HTTP/1.1
439 41.439343 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=7018 Ack=2504 Win=65535 Len=0
440 41.456934 10.0.2.15 -> 65.54.81.24 TCP 1054 > 80 [ACK] Seq=714 Ack=369 Win=63872 Len=0
441 41.456959 10.0.2.15 -> 96.17.171.161 TCP 1065 > 80 [ACK] Seq=1165 Ack=778 Win=63463 Len=0
442 41.510225 72.32.153.176 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
443 41.510686 72.32.153.176 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
444 41.511128 10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=2723 Win=64240 Len=0
445 41.511186 72.32.153.176 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
446 41.544137 96.17.171.99 -> 10.0.2.15 TCP 80 > 1071 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
447 41.544642 10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
448 41.544660 10.0.2.15 -> 96.17.171.99 HTTP GET /qsonhs.aspx?form=MSN005&q= HTTP/1.1
449 41.544730 96.17.171.99 -> 10.0.2.15 TCP 80 > 1071 [ACK] Seq=1 Ack=397 Win=65535 Len=0
450 41.545295 96.17.171.161 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
451 41.563559 72.32.153.176 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
452 41.563617 72.32.153.176 -> 10.0.2.15 TCP 80 > 1068 [FIN, ACK] Seq=3937 Ack=354 Win=65535 Len=0
453 41.565949 10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=3937 Win=63026 Len=0
454 41.565969 10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [ACK] Seq=354 Ack=3938 Win=63026 Len=0
455 41.565979 10.0.2.15 -> 72.32.153.176 TCP 1068 > 80 [FIN, ACK] Seq=354 Ack=3938 Win=63026 Len=0
456 41.566038 72.32.153.176 -> 10.0.2.15 TCP 80 > 1068 [ACK] Seq=3938 Ack=355 Win=65535 Len=0
457 41.659015 10.0.2.15 -> 96.17.171.161 TCP 1069 > 80 [ACK] Seq=489 Ack=241 Win=64000 Len=0
458 41.716634 65.55.18.18 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
459 41.736305 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
460 41.736769 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
461 41.736838 10.0.2.15 -> 65.54.81.24 HTTP GET /i/A0/C9428460AFED1C89A9476537C01E6C.jpg HTTP/1.1
462 41.736918 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=7436 Ack=2877 Win=65535 Len=0
463 41.737847 10.0.2.15 -> 65.54.81.24 HTTP GET /i/4F/B454FA8321E9C9FB98FC0ED6C9B31.jpg HTTP/1.1
464 41.737898 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=7186 Ack=2874 Win=65535 Len=0
465 41.763584 207.46.140.34 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
466 41.815036 10.0.2.15 -> 68.87.73.246 DNS Standard query A ad.doubleclick.net
467 41.815036 10.0.2.15 -> 68.87.73.246 DNS Standard query A speed.pointroll.com
468 41.863684 10.0.2.15 -> 65.55.18.18 TCP 1070 > 80 [ACK] Seq=899 Ack=371 Win=63870 Len=0
469 41.875036 96.17.171.99 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (application/json)
470 41.959015 10.0.2.15 -> 207.46.140.34 TCP 1051 > 80 [ACK] Seq=1853 Ack=41235 Win=62859 Len=0
471 41.981056 10.0.2.15 -> 65.54.81.24 HTTP GET /br/sc/js/1c/4a0253de6eac448d8f2c39c53f8926.js HTTP/1.1
472 41.981188 65.54.81.24 -> 10.0.2.15 TCP 80 > 1055 [ACK] Seq=367 Ack=1208 Win=65535 Len=0
473 42.029614 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
474 42.029763 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
475 42.059567 10.0.2.15 -> 96.17.171.99 TCP 1071 > 80 [ACK] Seq=397 Ack=183 Win=64058 Len=0
476 42.103334 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME dart.l.doubleclick.net A 74.125.226.219
477 42.109345 68.87.73.246 -> 10.0.2.15 DNS Standard query response CNAME speed.pointroll.com.edgesuite.net CNAME a1343.g.akamai.net A 96.17.168.113 A 96.17.168.91
478 42.115036 10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
479 42.119160 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
480 42.124497 10.0.2.15 -> 65.54.81.24 HTTP GET /i/A9/7AA2D84B8DBC1D16190B37053EA70.jpg HTTP/1.1
481 42.124517 10.0.2.15 -> 65.54.81.24 HTTP GET /i/74/59D9EBE09028E93076FEB538BDF8AD.jpg HTTP/1.1
482 42.124582 65.54.81.24 -> 10.0.2.15 TCP 80 > 1064 [ACK] Seq=7604 Ack=3248 Win=65535 Len=0
483 42.124608 65.54.81.24 -> 10.0.2.15 TCP 80 > 1063 [ACK] Seq=7354 Ack=3246 Win=65535 Len=0
484 42.136035 10.0.2.15 -> 65.54.81.209 HTTP GET /br/sc/i/5f/5280118e68aedbc5821d17132a5340.gif HTTP/1.1
485 42.136184 65.54.81.209 -> 10.0.2.15 TCP 80 > 1053 [ACK] Seq=678 Ack=1855 Win=65535 Len=0
486 42.271036 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
487 42.411033 96.17.168.113 -> 10.0.2.15 TCP 80 > 1073 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
488 42.415015 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
489 42.415015 10.0.2.15 -> 96.17.168.113 HTTP GET /PointRoll/Media/Banners/Ford/915428/2011_YECMSN3for40_ML_EXP_300x250_Default.jpg?PRAd=1544247&PRCID=1544247&PRplcmt=1501166&PRPID=1501166 HTTP/1.1
490 42.415015 96.17.168.113 -> 10.0.2.15 TCP 80 > 1073 [ACK] Seq=1 Ack=423 Win=65535 Len=0
491 42.415536 74.125.226.219 -> 10.0.2.15 TCP 80 > 1072 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
492 42.415679 10.0.2.15 -> 74.125.226.219 TCP 1072 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
493 42.419616 10.0.2.15 -> 74.125.226.219 HTTP GET /imp;v1;f;248163114;0-0;0;73804323;1%7C1;39709740%7C39727527%7C1;;cs=f;%3fhttp://ad.doubleclick.net/dot.gif?0.970374845534282 HTTP/1.1
494 42.419679 74.125.226.219 -> 10.0.2.15 TCP 80 > 1072 [ACK] Seq=1 Ack=464 Win=65535 Len=0
495 42.422923 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
496 42.427066 65.54.81.24 -> 10.0.2.15 HTTP HTTP/1.1 304 Not Modified
497 42.427692 65.54.81.209 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
498 42.459605 10.0.2.15 -> 65.54.81.24 TCP 1055 > 80 [ACK] Seq=1208 Ack=551 Win=63690 Len=0
499 42.505684 10.0.2.15 -> 96.17.171.161 HTTP GET /msnhomepagehistory.aspx?sid=7415D61A534D4976A4769A771B40DC4E&_=1322546507615 HTTP/1.1
500 42.505829 96.17.171.161 -> 10.0.2.15 TCP 80 > 1065 [ACK] Seq=778 Ack=1704 Win=65535 Len=0
502 42.526183 10.0.2.15 -> 65.55.18.18 HTTP GET /msn/msnhp_us_ttg?ty=tl&di=340&pi=7317&ps=95101&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe3wanbov2t2.aspx&rid=&ts=634581432960349339&rf= HTTP/1.1
503 42.526291 65.55.18.18 -> 10.0.2.15 TCP 80 > 1058 [ACK] Seq=741 Ack=2751 Win=65535 Len=0
504 42.535068 10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNHQ2&AP=1402 HTTP/1.1
505 42.535068 65.55.121.231 -> 10.0.2.15 TCP 80 > 1067 [ACK] Seq=1870 Ack=1541 Win=65535 Len=0
506 42.541397 10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
507 42.559068 10.0.2.15 -> 65.54.81.209 TCP 1053 > 80 [ACK] Seq=1855 Ack=1207 Win=63034 Len=0
508 42.559068 10.0.2.15 -> 65.54.81.24 TCP 1063 > 80 [ACK] Seq=3246 Ack=7522 Win=63232 Len=0
509 42.559068 10.0.2.15 -> 65.54.81.24 TCP 1064 > 80 [ACK] Seq=3248 Ack=7772 Win=63400 Len=0
510 42.673409 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
511 42.673487 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
512 42.673916 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
513 42.673970 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=1449 Win=62792 Len=0
514 42.674015 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
515 42.674261 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
516 42.674334 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=2897 Win=64240 Len=0
517 42.674404 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
518 42.674767 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
519 42.674803 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
520 42.674809 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=4345 Win=62792 Len=0
521 42.675405 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=5793 Win=64240 Len=0
522 42.686493 65.55.121.231 -> 10.0.2.15 TCP 80 > 1074 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
523 42.686981 10.0.2.15 -> 65.55.121.231 TCP 1074 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
524 42.686998 10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNIF1&AP=1455 HTTP/1.1
525 42.687061 65.55.121.231 -> 10.0.2.15 TCP 80 > 1074 [ACK] Seq=1 Ack=771 Win=65535 Len=0
526 42.687542 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
527 42.687594 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
528 42.687926 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
529 42.687986 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=7241 Win=62792 Len=0
530 42.688059 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
531 42.688083 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
532 42.688104 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
533 42.688436 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
534 42.688468 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=8689 Win=64240 Len=0
535 42.688482 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=10137 Win=62792 Len=0
536 42.688526 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
537 42.688990 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=11585 Win=64240 Len=0
538 42.692714 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
539 42.692765 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
540 42.693000 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
541 42.693064 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=13033 Win=62792 Len=0
542 42.693112 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
543 42.693961 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=14481 Win=64240 Len=0
544 42.696698 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
545 42.696740 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
546 42.697002 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
547 42.697043 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=15929 Win=62792 Len=0
548 42.697091 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
549 42.697385 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
550 42.697420 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=17377 Win=64240 Len=0
551 42.697493 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
552 42.697742 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
553 42.697796 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=18825 Win=62792 Len=0
554 42.697845 96.17.168.113 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
555 42.697858 96.17.168.113 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
556 42.698340 10.0.2.15 -> 96.17.168.113 TCP 1073 > 80 [ACK] Seq=423 Ack=20273 Win=64240 Len=0
557 42.698569 65.55.121.231 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
558 42.707512 74.125.226.219 -> 10.0.2.15 HTTP HTTP/1.1 302 Moved Temporarily
559 42.712399 65.55.121.231 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
560 42.739017 10.0.2.15 -> 74.125.226.219 HTTP GET /dot.gif?0.970374845534282 HTTP/1.1
561 42.739017 74.125.226.219 -> 10.0.2.15 TCP 80 > 1072 [ACK] Seq=196 Ack=828 Win=65535 Len=0
562 42.739017 10.0.2.15 -> 65.55.121.231 HTTP GET /ADSAdClient31.dll?GetSAd=&DPJS=4&PN=MSFT&ID=3CE72C262627635C3C662E93222763E1&MUID=3CE72C262627635C3C662E93222763E1&PG=MSNSUR&AP=1089 HTTP/1.1
563 42.739017 65.55.121.231 -> 10.0.2.15 TCP 80 > 1067 [ACK] Seq=2918 Ack=2311 Win=65535 Len=0
564 42.750353 96.17.171.161 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/javascript)
565 42.751066 10.0.2.15 -> 68.87.73.246 DNS Standard query A ad.wsod.com
566 42.755297 65.55.121.231 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
567 42.756436 65.55.18.18 -> 10.0.2.15 HTTP HTTP/1.1 200 OK (GIF89a)
74/[2011-11-29 01:05:43] "C:\APT_Conference information for next week.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
74/[2011-11-29 01:05:44] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d8caps.dat"
74/[2011-11-29 01:05:44] "C:\WINDOWS\system32\d3d9caps.dat"
74/[2011-11-29 01:05:44] "iso88591"
74 44.123769 10.0.2.15 -> 110.142.12.95 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 56.143195 10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 59.145745 10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80 65.154873 10.0.2.15 -> 110.142.12.95 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 77.173225 10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
84 80.176440 10.0.2.15 -> 108.77.146.124 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75/[2011-11-29 01:06:22] "C:\APT_DOB Aug 2011.pdf"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\cmd.exe"
75/[2011-11-29 01:06:22] "C:\WINDOWS\system32\crypt32.dll"
75/[2011-11-29 01:06:22] "iso88591"
43 24.071248 10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
47 24.758951 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 58.68.224.24
48 25.287274 10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
50 25.746641 58.68.224.24 -> 10.0.2.15 TCP 80 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
51 25.746656 10.0.2.15 -> 58.68.224.24 TCP 1046 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
52 25.747357 10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
53 25.747373 10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
54 25.747430 58.68.224.24 -> 10.0.2.15 TCP 80 > 1046 [ACK] Seq=1 Ack=236 Win=65535 Len=0
55 25.747449 58.68.224.24 -> 10.0.2.15 TCP 80 > 1046 [ACK] Seq=1 Ack=1516 Win=65535 Len=0
76/[2011-11-29 01:08:49] "C:\APT_g20 summit.pdf"
76/[2011-11-29 01:08:49] "C:\WINDOWS\system32\d3d9caps.dat"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
76/[2011-11-29 01:08:50] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
76/[2011-11-29 01:08:50] "C:\WINDOWS\system32\d3d8caps.dat"
76/[2011-11-29 01:08:50] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
60 34.827483 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
62 35.375156 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
63 35.375595 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
64 35.375614 10.0.2.15 -> 203.92.33.98 SSL Continuation Data
65 35.375670 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [ACK] Seq=1 Ack=192 Win=65535 Len=0
66 35.643683 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [FIN, ACK] Seq=1 Ack=192 Win=65535 Len=0
67 35.644358 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [ACK] Seq=192 Ack=2 Win=64240 Len=0
68 35.644382 10.0.2.15 -> 203.92.33.98 TCP 1044 > 443 [FIN, ACK] Seq=192 Ack=2 Win=64240 Len=0
69 35.644435 203.92.33.98 -> 10.0.2.15 TCP 443 > 1044 [ACK] Seq=2 Ack=193 Win=65535 Len=0
70 35.646130 10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
72 36.192141 211.233.62.146 -> 10.0.2.15 TCP 443 > 1046 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
73 36.192503 10.0.2.15 -> 211.233.62.146 TCP 1046 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
74 36.192520 10.0.2.15 -> 211.233.62.146 SSL Continuation Data
77/[2011-11-29 01:09:27] "C:\APT_ID194.pdf"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\cmd.exe"
77/[2011-11-29 01:09:27] "C:\WINDOWS\system32\crypt32.dll"
77/[2011-11-29 01:09:27] "iso88591"
1 0.000000 -> Ethernet [Packet size limited during capture]
42 23.708044 10.0.2.15 -> 68.87.73.246 DNS Standard query A sh.antivirusbar.org
43 24.209549 68.87.73.246 -> 10.0.2.15 DNS Standard query response A 58.68.224.24
44 24.213107 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
48 24.732612 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
49 24.733912 10.0.2.15 -> 58.68.224.24 TCP 1045 > 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
50 24.735034 10.0.2.15 -> 58.68.224.24 TCP [TCP segment of a reassembled PDU]
51 24.735034 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=236 Win=65535 Len=0
52 24.736365 10.0.2.15 -> 58.68.224.24 HTTP POST /phqghumeaylnlfdxfircvscxggbwkfn.htm HTTP/1.1
53 24.736428 58.68.224.24 -> 10.0.2.15 TCP 80 > 1045 [ACK] Seq=1 Ack=1516 Win=65535 Len=0
78/[2011-11-29 01:11:54] "C:\APT_military procurement.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\1.pdf"
78/[2011-11-29 01:11:55] "C:\DOCUME~1\Angie\LOCALS~1\Temp\RTHDCPL.exe"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d8caps.dat"
78/[2011-11-29 01:11:55] "C:\WINDOWS\system32\d3d9caps.dat"
78/[2011-11-29 01:11:55] "iso88591"
60 34.295971 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.284641 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
67 37.841869 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
68 37.842133 10.0.2.15 -> 203.116.203.67 TCP 1043 > 443 [ACK] Seq=1 Ack=1 Win=64240 Len=0
69 37.843287 10.0.2.15 -> 203.116.203.67 SSL Continuation Data
70 37.843342 203.116.203.67 -> 10.0.2.15 TCP 443 > 1043 [ACK] Seq=1 Ack=194 Win=65535 Len=0
79/[2011-11-29 01:14:22] "C:\APT_NorthKorea.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
79/[2011-11-29 01:14:22] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d8caps.dat"
79/[2011-11-29 01:14:22] "C:\WINDOWS\system32\d3d9caps.dat"
79/[2011-11-29 01:14:22] "iso88591"
60 34.992584 10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
65 37.908912 10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
73 43.943196 10.0.2.15 -> 211.233.62.148 TCP 1044 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75 60.967116 10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
77 63.970209 10.0.2.15 -> 211.233.62.148 TCP 1047 > 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
80/[2011-11-29 01:16:51] "C:\APT_Nuclear Security and Summit Diplomacy.pdf"
80/[2011-11-29 01:16:53] "C:\DOCUME~1\Angie\LOCALS~1\Temp\A9R83C7.tmp"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d8caps.dat"
80/[2011-11-29 01:16:53] "C:\WINDOWS\system32\d3d9caps.dat"
80/[2011-11-29 01:16:54] "C:\WINDOWS\AutoUpdate.exe"
80/[2011-11-29 01:16:54] "C:\WINDOWS\ºÓ°]«O96-97³q°T¿ý.pdf"
----
81/[2011-11-29 01:19:57] "C:\APT_statement.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\2.pdf"
81/[2011-11-29 01:19:58] "C:\DOCUME~1\Angie\LOCALS~1\Temp\Migrated.exe"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d8caps.dat"
81/[2011-11-29 01:19:58] "C:\WINDOWS\system32\d3d9caps.dat"
81/[2011-11-29 01:19:58] "iso88591"
72 54.979463 10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
75 57.981829 10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 63.990170 10.0.2.15 -> 78.39.236.6 TCP 1047 > 53 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
81 76.008794 10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
83 79.012034 10.0.2.15 -> 61.222.205.180 TCP 1048 > 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
Hello, I'm doing some research on APT attacks and I'm very interested in these PDF files and their behaviors. Could you please send me the password? Thanks in advance! My email address: 780142207@qq.com

It would be very helpful if a summary of CVEs exploited was available. If any of these used a previously unreported exploit, with coordinated disclosure as well.

Dave, there are no zero days in the pack, most are CVE-2011-0611 and maybe a few other old ones as well. I will be posting CVE# in the future. Thank you for reading and for the feedback.

Hi, I am doing a lot of malware analysis on my own so I would love to have a look at these PDF files and the analysis reports also. It would be great if you shared the password, my mail is tomeye[at]freemail.gr
Thanassis

PDF files are very famous. They have so many benefits, which makes them popular.
Sample Emails

Hello, I'm doing some research on Vulnerability and working on a Vaccine small venture.
I'm very interested in PDF files.
Could you please send me the password? Thanks in advance! My email address:
kyle_mustangss at hotmail.com

Seems to be another Duqu variant?

I got it wrong, sorry about that!...

Hello,
Also working against vulnerabilities in a big company... could you send me the password for the file please?
skyrb[at]free.fr
Many thanks.

@all - please don't leave your emails here but send me email using my address in the profile of this blog. Unless you want it public and get spammed by harvesters :)