2020 EUROPEAN CYBER SECURITY CHALLENGE

3-7 November 2020

Vienna, Austria

Lost in Transmission

Event: ECSC2018
Tags: Forensics, Network traffic
Difficulty: Medium
Additional Info:
Description

One of our corporate backup servers may have been compromised. Our Data Loss Prevention (DLP) system discovered suspicious traffic late last night between this machine and what appears to be a Command and Control (C&C) server.

Fortunately, we have a cron task that encrypts all our backups every couple of minutes. Still, there is a slight chance some data was exfiltrated.

Our Security department needs your high-level expertise to check whether any critical data has been compromised, by working out the communication protocol between the compromised machine and the C&C server.

Material:

- The relevant traffic has been anonymised (cnc.pcap).
- The relevant C&C server traffic has been isolated (10.21.0.17), and our backup server has the IPv4 address 10.21.0.3.
- On that particular day, the critical files being uploaded to the backup server had the MD5 hashes listed in critical.txt.

Tasks

Check if any of the critical files have been compromised!
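As an added example (not part of the challenge material), the script below carves the TCP payload sent from the backup server to the C&C host out of a libpcap file, reassembles it per flow and compares each stream's MD5 against the digests from critical.txt. It assumes an Ethernet/IPv4 capture and that the exfiltration protocol sends raw file bytes in one TCP flow per file; the sample capture and hash list are constructed inline, and in the real challenge the protocol has to be decoded first before a whole-stream digest comparison is meaningful.

```python
import hashlib
import struct

BACKUP, CNC = "10.21.0.3", "10.21.0.17"  # hosts named in the challenge text

def ip2b(addr):
    return bytes(int(o) for o in addr.split("."))

def tcp_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for constructed test traffic (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip2b(src), ip2b(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian libpcap file (v2.4, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def reassemble(pcap, src, dst):
    """Concatenate TCP payload per (sport, dport) flow sent from src to dst, in capture order."""
    flows, off = {}, 24
    while off < len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        # keep only IPv4/TCP frames whose source and destination match the requested direction
        if frame[12:14] != b"\x08\x00" or frame[23] != 6 or frame[26:34] != ip2b(src) + ip2b(dst):
            continue
        t = 14 + (frame[14] & 0x0F) * 4                          # start of TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        doff, total = (frame[t + 12] >> 4) * 4, struct.unpack_from("!H", frame, 16)[0]
        flows[(sport, dport)] = flows.get((sport, dport), b"") + frame[t + doff:14 + total]
    return flows

def compromised(pcap, critical_md5):
    """Map each critical.txt MD5 that equals a whole backup->C&C stream to the flow that carried it."""
    digests = {f: hashlib.md5(d).hexdigest() for f, d in reassemble(pcap, BACKUP, CNC).items()}
    return {h: f for f, h in digests.items() if h in critical_md5}

# Constructed sample: one critical file sent in two segments, with a C&C reply in between.
FILE_A = b"customer-db-2020-11-03.sql\n-- constructed backup content, not real data --\n"
SAMPLE_PCAP = pcap_bytes([
    tcp_frame(BACKUP, CNC, 40001, 4444, FILE_A[:20]),
    tcp_frame(CNC, BACKUP, 4444, 40001, b"ACK\n"),   # reverse direction, never hashed
    tcp_frame(BACKUP, CNC, 40001, 4444, FILE_A[20:]),
])
CRITICAL = {hashlib.md5(FILE_A).hexdigest(), hashlib.md5(b"hr-records.tar").hexdigest()}
```

Running `compromised(SAMPLE_PCAP, CRITICAL)` reports the one digest whose file bytes were carried to the C&C host, together with the (source port, destination port) flow that carried them.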