Malware PCAP Traffic Analysis – Can you name the different types of malware? 2016-08-27

By | August 27, 2016

Be careful: it might not all be malware; adware, PUPs and innocuous traffic are also in play.

Download PCAP: netstream

VM executables used will be included in the next post.


2016-08-25 20:40:37.831293 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive

2016-08-25 20:40:37.939899 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [.], ack 1279, win 251, length 0
2016-08-25 20:40:37.943675 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [F.], seq 267, ack 1279, win 251, length 0
2016-08-25 20:40:38.141806 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [S], seq 3409745412, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:38.233133 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [.], ack 1250113124, win 256, length 0
2016-08-25 20:40:38.237062 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

2016-08-25 20:40:47.118444 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:47.753813 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:48.383911 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2016-08-25 20:40:49.059816 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:49.338099 IP 192.168.1.102.12102 > 88.198.80.173.22638: UDP, length 50
2016-08-25 20:40:49.712951 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:50.332987 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2016-08-25 20:40:50.919291 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:50.931997 IP 192.168.1.102.63747 > 209.85.201.125.5222: Flags [.], ack 54, win 253, length 0
2016-08-25 20:40:51.386024 IP 192.168.1.102.63735 > 108.168.236.116.80: Flags [.], ack 73, win 252, length 0
2016-08-25 20:40:51.547051 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:52.183113 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2016-08-25 20:40:52.338366 IP 192.168.1.102.12102 > 82.22.183.182.36659: UDP, length 52

2016-08-25 20:40:53.651836 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [P.], seq 0:663, ack 1, win 256, length 663: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
x-spidermessenger-length: 280
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 386
Cache-Control: no-cache

ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIK%2FXh1ewSC2acmrJpK8FPpDO5X4U8U%2BhVOQYKnve01SqePzC0jOBAaoCZYqrtet4eSNXBC58haWj9YO4CJ%2F4%2FM4Nav4noGSVy1Qbz81UE7k9%2BS0EqRjvZe%2FEFJL56ZEExcv7I8L7SqCbMzmWt19hp0A%3D
2016-08-25 20:40:53.755451 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [.], ack 2442, win 256, length 0
2016-08-25 20:40:53.755850 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [.], ack 2443, win 256, length 0
2016-08-25 20:40:53.936963 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [F.], seq 663, ack 2443, win 256, length 0
2016-08-25 20:40:54.169503 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [S], seq 2595205625, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:54.267077 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [.], ack 1240556016, win 256, length 0
2016-08-25 20:40:54.267608 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

2016-08-25 20:40:54.325234 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 0:235, ack 1, win 256, length 235
E…S…..j….f%..v.E……..9.P………………W…,…|_M.]]………..>..J…..\…
.9.8………5……………
…     .3.2…..E.D…../…A……………….       ……………]………upd.adskyforever.com………
.4.2……………..   .
…………………………

2016-08-25 20:40:54.365617 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [F.], seq 313, ack 881, win 253, length 0
2016-08-25 20:40:54.366167 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [.], ack 882, win 253, length 0
2016-08-25 20:40:54.370115 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [S], seq 4015338610, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:54.420141 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2718}], length 0
2016-08-25 20:40:54.420536 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [.], ack 2718, win 256, length 0
2016-08-25 20:40:54.439037 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 235:369, ack 2718, win 256, length 134
2016-08-25 20:40:54.463188 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [.], ack 2683766345, win 256, length 0
2016-08-25 20:40:54.463647 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

2016-08-25 20:40:58.905556 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [.], ack 2856380214, win 64240, length 0
2016-08-25 20:40:58.906135 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 0:341, ack 1, win 64240, length 341: HTTP: POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache

2016-08-25 20:40:58.920785 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [.], ack 1603268971, win 64240, length 0
2016-08-25 20:40:58.921202 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [P.], seq 0:353, ack 1, win 64240, length 353: HTTP: POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

2016-08-25 20:40:59.107685 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 341:694, ack 519, win 63722, length 353: HTTP: POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache

2016-08-25 20:40:59.107907 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [P.], seq 353:694, ack 519, win 63722, length 341: HTTP: POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache

2016-08-25 20:41:35.942852 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 3197274254, ack 152215858, win 252, length 0
2016-08-25 20:41:36.293772 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
2016-08-25 20:41:36.894824 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
2016-08-25 20:41:37.360053 IP 192.168.1.102.12102 > 88.198.80.173.22638: UDP, length 62
2016-08-25 20:41:38.095908 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
2016-08-25 20:41:40.360218 IP 192.168.1.102.12102 > 82.22.183.182.36659: UDP, length 57
2016-08-25 20:41:40.497053 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
2016-08-25 20:41:42.663567 IP 192.168.1.102.51790 > 23.253.126.58.443: Flags [S], seq 117805912, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:41:43.360410 IP 192.168.1.102.12102 > 210.133.208.78.11652: UDP, length 54
2016-08-25 20:41:45.297334 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0

2016-08-25 20:42:49.622060 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [S], seq 2057745320, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:42:49.794120 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 3954064400, win 260, length 0
2016-08-25 20:42:49.840829 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 0:77, ack 1, win 260, length 77
2016-08-25 20:42:50.068322 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 748, win 257, length 0
2016-08-25 20:42:50.081419 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 77:267, ack 748, win 257, length 190
2016-08-25 20:42:50.299317 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 799, win 257, length 0
2016-08-25 20:42:50.452744 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 267:365, ack 799, win 257, length 98
2016-08-25 20:42:50.661372 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [F.], seq 365, ack 1676, win 260, length 0
2016-08-25 20:42:50.662103 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [S], seq 1111764833, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:42:50.662234 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [S], seq 247285886, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:42:50.833009 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 1677, win 260, length 0
2016-08-25 20:42:50.834539 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [.], ack 4265457260, win 260, length 0
2016-08-25 20:42:50.835151 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [P.], seq 0:109, ack 1, win 260, length 109

2016-08-25 20:42:52.087758 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 215796, win 1333, length 0
2016-08-25 20:42:52.088179 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 218316, win 1333, length 0
2016-08-25 20:42:52.088938 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 220836, win 1333, length 0
2016-08-25 20:42:52.089497 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 223356, win 1333, length 0
2016-08-25 20:42:52.090208 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 225876, win 1333, length 0
2016-08-25 20:42:52.090816 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 228396, win 1333, length 0
2016-08-25 20:42:52.091466 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 230916, win 1333, length 0
2016-08-25 20:42:52.092047 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 233436, win 1333, length 0
2016-08-25 20:42:52.093266 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 235956, win 1333, length 0
2016-08-25 20:42:52.093882 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 238476, win 1333, length 0

2016-08-25 20:42:52.519472 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [S], seq 864782611, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:42:52.681083 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [.], ack 2746851228, win 260, length 0
2016-08-25 20:42:52.681582 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 0:343, ack 1, win 260, length 343: HTTP: GET /module/96df1c84c7fb13e880e399f9627e0db0 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:53.381648 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [.], ack 99559, win 260, length 0
2016-08-25 20:42:53.753273 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 343:686, ack 99559, win 260, length 343: HTTP: GET /module/311ac29c5a8f6b4e7a247db98207fd6e HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:54.597357 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 686:1029, ack 128966, win 1046, length 343: HTTP: GET /module/a104f2955999a2f1a1c881e8930b82f6 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:55.538846 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 1029:1372, ack 219620, win 1087, length 343: HTTP: GET /module/d1967c99c0c7f9b468f2e08e59e41ffe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:42:55.975976 IP 192.168.1.102.51801 > 188.166.10.125.443: Flags [P.], seq 267:749, ack 799, win 257, length 482
2016-08-25 20:42:55.977244 IP 192.168.1.102.51801 > 188.166.10.125.443: Flags [P.], seq 749:2209, ack 799, win 257, length 1460

2016-08-25 20:43:56.038455 IP 192.168.1.102.51809 > 37.187.148.135.80: Flags [P.], seq 0:737, ack 1, win 256, length 737: HTTP: POST /cgi-bin/create_profile.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 1240229404
x-spidermessenger-length: 271
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 388
Cache-Control: no-cache
Cookie: conftime=1472172015; EoRezo=73.172.154.70.1472172015145032

ujXl2iaEv38JRlMCJUzLFNBZ%2FYStRVI1KxpSzMDulRbtDqiqtedG%2Ba9lkB3czzWEVk2q%2BpKe%2BzYM3pyfaM0nZHytTY7H3hmmB%2FeOkC0gLXBl7L%2FxN6fq%2F7%2BgUk3j%2Bx6GmvQfdkf5Kstyif%2FXbpP%2BXMdPE4fI3g3F2KBFPLOG9Q6%2FRvwmoBVICRmM5Y08YbUJMmtMhO%2FFAlSqvxZM7RDfvqJrq9%2BdXdEh0NPsKAaqQz1y%2F85cCMdBQpnLv3EKRVigYb8Hq9UoEBwOwUFskoJkCh0B6anwMwz1qhjY8EbqZ47zDyZowM1CgDPEl%2FCXJ8ZCduedPSrZ6ABN1b1zvFq1%2FUuQW0%2BCwbag
2016-08-25 20:43:56.203003 IP 192.168.1.102.51809 > 37.187.148.135.80: Flags [.], ack 1135, win 252, length 0
2016-08-25 20:43:56.203846 IP 192.168.1.102.51809 > 37.187.148.135.80: Flags [F.], seq 737, ack 1135, win 252, length 0
2016-08-25 20:43:56.707723 IP 192.168.1.102.51810 > 37.187.137.144.80: Flags [S], seq 163765992, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:43:56.806333 IP 192.168.1.102.51810 > 37.187.137.144.80: Flags [.], ack 2999876834, win 256, length 0
2016-08-25 20:43:56.806770 IP 192.168.1.102.51810 > 37.187.137.144.80: Flags [P.], seq 0:627, ack 1, win 256, length 627: HTTP: POST /cgi-bin/trace.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 1808263860
x-spidermessenger-length: 259
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: log.hmmmilikethat.com
Content-Length: 366
Cache-Control: no-cache

YlFEYq03QpPOdyhwgx6Zd5nR4%2Fs11wdRmVxOegjv%2BLSbuf0%2BAAHXschZmrR23ej7XPDIsfC2dKLEwcBQCeDZfRV3FanrpoqUZ18LjuNjFows9otFCVECIXEZRbn7wupVK8vF2hGr8TlcYhjcVv%2BqYdmbLUMp2h%2BrcOb1oN5mi4kjTQYAh14wHS34yjVTqzR9HJUyit3KypHufUNEUWEl8ROP5HXQePsN98TcSjhVf6E%2FhFApsD84W8klJjeYOI2gZ4NxoNOi6VFa7fTcH5no4TJL9ABC7lIQGsi3m%2B%2Fq86zqcufgWuZBTJyJvIebPKq0RL73bonMtJnQ%2BRP1Tjhc6Q%3D%3D

2016-08-25 20:43:58.162750 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [P.], seq 0:360, ack 1, win 256, length 360: HTTP: GET /download/2/wizzrelease.exe?jUrMqP9yIX5h5h6UFcUJeXtGlI87%2FDHI8ysr%2FnlKCVAh6bPF1YlSGMQBF8SUNejYppAll8HBVYK3uD9XuscO7S4V1eR%2B8joqvZ%2Foe1pMiStyXO6su9nx7GI00Qva0OA3XuydsPp7H1b1IYf%2BKYVUlLI18diFuxN4 HTTP/1.1
Accept: */*
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: download.cleanshot.host
Connection: Keep-Alive
Cache-Control: no-cache

2016-08-25 20:43:59.615381 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1954941, win 5013, length 0
2016-08-25 20:43:59.616127 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1957861, win 5013, length 0
2016-08-25 20:43:59.617049 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1960781, win 5013, length 0
2016-08-25 20:43:59.617713 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1963701, win 5013, length 0
2016-08-25 20:43:59.618785 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1966621, win 5013, length 0
2016-08-25 20:43:59.619390 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1969541, win 5013, length 0
2016-08-25 20:43:59.620097 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1972461, win 5013, length 0
2016-08-25 20:43:59.620791 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1975381, win 5013, length 0
2016-08-25 20:43:59.621533 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1978301, win 5013, length 0
2016-08-25 20:43:59.622117 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1981221, win 5013, length 0
2016-08-25 20:43:59.622652 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1984141, win 5013, length 0
2016-08-25 20:43:59.623266 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1987061, win 5013, length 0
2016-08-25 20:43:59.623681 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1989981, win 5013, length 0
2016-08-25 20:43:59.624109 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1992901, win 5013, length 0
2016-08-25 20:43:59.624515 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1995821, win 5013, length 0
2016-08-25 20:43:59.624930 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 1998741, win 5013, length 0
2016-08-25 20:43:59.630861 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2001661, win 5013, length 0
2016-08-25 20:43:59.631489 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2004581, win 5013, length 0
2016-08-25 20:43:59.632653 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2007501, win 5013, length 0

2016-08-25 20:43:59.913501 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2829481:2914161}{2712681:2810501}{2613401:2665961}{2457181:2576901}], length 0
2016-08-25 20:43:59.913503 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2829481:2915621}{2712681:2810501}{2613401:2665961}{2457181:2576901}], length 0
2016-08-25 20:43:59.913624 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2829481:2917081}{2712681:2810501}{2613401:2665961}{2457181:2576901}], length 0
2016-08-25 20:43:59.913627 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2829481:2918541}{2712681:2810501}{2613401:2665961}{2457181:2576901}], length 0
2016-08-25 20:43:59.913629 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2829481:2920001}{2712681:2810501}{2613401:2665961}{2457181:2576901}], length 0
2016-08-25 20:43:59.913630 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2829481:2921461}{2712681:2810501}{2613401:2665961}{2457181:2576901}], length 0
2016-08-25 20:43:59.913674 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2971101}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0
2016-08-25 20:43:59.913786 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2972561}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0
2016-08-25 20:43:59.913789 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2974021}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0
2016-08-25 20:43:59.913791 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2975481}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0
2016-08-25 20:43:59.913793 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2976941}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0
2016-08-25 20:43:59.913836 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2978401}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0
2016-08-25 20:43:59.913948 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2979861}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0
2016-08-25 20:43:59.913951 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [.], ack 2441121, win 5127, options [nop,nop,sack 4 {2969641:2981321}{2829481:2921461}{2712681:2810501}{2613401:2665961}], length 0

2016-08-25 20:44:31.215512 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [S], seq 2478522633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:44:31.357256 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [.], ack 4209888609, win 256, length 0
2016-08-25 20:44:31.411755 IP 192.168.1.102.12102 > 146.158.119.2.22235: UDP, length 60
2016-08-25 20:44:31.951881 IP 192.168.1.102.63747 > 209.85.201.125.5222: Flags [P.], seq 1522:1575, ack 54, win 253, length 53
2016-08-25 20:44:32.357745 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [P.], seq 0:288, ack 1, win 256, length 288
2016-08-25 20:44:32.531071 IP 192.168.1.102.51814 > 95.211.100.91.16044: Flags [P.], seq 288:752, ack 305, win 255, length 464
2016-08-25 20:44:32.558893 IP 192.168.1.102.51699 > 149.56.103.125.10911: Flags [P.], seq 12672:13728, ack 3169, win 256, length 1056
2016-08-25 20:44:32.599513 IP 192.168.1.102.51699 > 149.56.103.125.10911: Flags [P.], seq 13728:14784, ack 3169, win 256, length 1056
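As an added example (not part of the original post), here is a first triage pass over the tcpdump -A format used above: it parses the summary lines plus the decoded request headers and tags each packet with the observable oddities a reviewer would want to look at before naming anything (WinHTTP or otherwise non-browser user-agents, the custom x-spidermessenger-* envelope headers, a bare-IP Host header, an executable download, a POST with no Content-Type, TCP SYNs to port 53). The sample records are re-typed from the capture above with bodies and byte dumps omitted; the long download token is replaced by a TOKEN placeholder, and the tags are indicators, not verdicts.

```python
import re

# Constructed sample: records re-typed from the tcpdump -A output above
# (summary line, then decoded request headers). Bodies and raw byte dumps are
# omitted and the download token is replaced by the placeholder TOKEN.
SAMPLE = """\
2016-08-25 20:40:37.831293 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com

2016-08-25 20:40:47.118444 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-08-25 20:40:53.651836 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [P.], seq 0:663, ack 1, win 256, length 663: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com

2016-08-25 20:40:58.906135 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 0:341, ack 1, win 64240, length 341: HTTP: POST /file.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130

2016-08-25 20:42:52.681582 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 0:343, ack 1, win 260, length 343: HTTP: GET /module/96df1c84c7fb13e880e399f9627e0db0 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173

2016-08-25 20:43:58.162750 IP 192.168.1.102.51812 > 178.32.139.58.80: Flags [P.], seq 0:360, ack 1, win 256, length 360: HTTP: GET /download/2/wizzrelease.exe?TOKEN HTTP/1.1
User-Agent: sun21-SunnyDay21
Host: download.cleanshot.host
"""

SUMMARY = re.compile(r"^\S+ \S+ IP [\d.]+\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
HTTP_REQ = re.compile(r"HTTP: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
HEADER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>.*)$")
BROWSER_UA = re.compile(r"^Mozilla/\d\.\d \(")   # what a real browser UA starts with
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse(text):
    """Split tcpdump -A output into one dict per packet: dst, dport, flags and,
    for HTTP requests, method, path and a lower-cased header dict."""
    records = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            flags = re.search(r"Flags \[([^\]]*)\]", m["rest"])
            rec = {"dst": m["dst"], "dport": int(m["dport"]),
                   "flags": flags.group(1) if flags else "", "headers": {}}
            req = HTTP_REQ.search(m["rest"])
            if req:
                rec["method"], rec["path"] = req["method"], req["path"]
            records.append(rec)
            continue
        h = HEADER.match(line)           # header lines belong to the last packet
        if h and records:
            records[-1]["headers"][h["name"].lower()] = h["value"]
    return records


def indicators(rec):
    """Observable oddities worth a closer look; no verdict is implied."""
    found = []
    if rec["flags"] == "S" and rec["dport"] == 53:
        found.append("tcp-syn-to-dns-port")        # stub resolvers mostly use UDP
    if "method" not in rec:
        return found
    h = rec["headers"]
    ua, host = h.get("user-agent", ""), h.get("host", "")
    if "WinHttp" in ua:
        found.append("winhttp-client-user-agent")  # default UA of the WinHTTP object, not a browser
    elif not BROWSER_UA.match(ua):
        found.append("non-browser-user-agent")
    if any(k.startswith("x-spidermessenger-") for k in h):
        found.append("custom-encrypted-envelope-headers")
    if BARE_IP.match(host):
        found.append("host-header-is-bare-ip")
    if rec["path"].split("?", 1)[0].lower().endswith(".exe"):
        found.append("executable-download")
    if rec["method"] == "POST" and "content-type" not in h:
        found.append("post-without-content-type")
    return found


def triage(text):
    """One row per packet with at least one indicator:
    (Host header or dst IP, method or TCP flags, path, indicator list)."""
    rows = []
    for rec in parse(text):
        inds = indicators(rec)
        if inds:
            rows.append((rec["headers"].get("host") or rec["dst"],
                         rec.get("method", rec["flags"]), rec.get("path", ""), inds))
    return rows


if __name__ == "__main__":
    for host, what, path, inds in triage(SAMPLE):
        print(f"{host:36} {what:5} {path[:40]:40} {', '.join(inds)}")
```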
