Be careful, it might not all be malware, adware, PUPs and innocuous traffic is in play.
Download PCAP : netstream
VM executables used will be included in the next post.
2016-08-25 20:40:37.831293 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
E..3?…..~^…f%…[email protected].._.p?..P…^…GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive
2016-08-25 20:40:37.939899 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [.], ack 1279, win 251, length 0
E..(?……h…f%…[email protected]..`.p? .P….”……..
2016-08-25 20:40:37.943675 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [F.], seq 267, ack 1279, win 251, length 0
E..(?……g…f%…[email protected]..`.p? .P….!……..
2016-08-25 20:40:38.141806 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [S], seq 3409745412, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4?.@…K….f.P…A.P.
2016-08-25 20:40:38.233133 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [.], ack 1250113124, win 256, length 0
E..(?……….f.P…A.P.<..j.6dp>
2016-08-25 20:40:38.237062 IP 192.168.1.102.51777 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_INI HTTP/1.1
E..a?……….f.P…A.P.<..j.6dp http>
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
2016-08-25 20:40:47.118444 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;/…f%0h..B.5^……… .HM…………..
2016-08-25 20:40:47.753813 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;….f%0h..B.5^……… .HM…………..
2016-08-25 20:40:48.383911 IP 192.168.1.102.51778 > 37.48.104.171.53: Flags [S], seq 1587645888, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0o.@…;1…f%0h..B.5^…….p. .\\……….
2016-08-25 20:40:49.059816 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;,…f%0h..C.5-.:%…… ..k…………..
2016-08-25 20:40:49.338099 IP 192.168.1.102.12102 > 88.198.80.173.22638: UDP, length 50
E..Ne…..i8…fX.P./FXn.:.B(.(…e.8X….e…J… ….e..?\./.;@w..K.-.JRh..]
2016-08-25 20:40:49.712951 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;+…f%0h..C.5-.:%…… ..k…………..
2016-08-25 20:40:50.332987 IP 192.168.1.102.51779 > 37.48.104.171.53: Flags [S], seq 756890149, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0o.@…;….f%0h..C.5-.:%….p. ..z……….
2016-08-25 20:40:50.919291 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;)…f%0h..D.5…^…… ……………..
2016-08-25 20:40:50.931997 IP 192.168.1.102.63747 > 209.85.201.125.5222: Flags [.], ack 54, win 253, length 0
E..(}4….`….f.U.}…f.7 oN.g’P………….
2016-08-25 20:40:51.386024 IP 192.168.1.102.63735 > 108.168.236.116.80: Flags [.], ack 73, win 252, length 0
E..(n3…..q…fl..t…P..Cl.j.[P…t7……..
2016-08-25 20:40:51.547051 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4o.@…;(…f%0h..D.5…^…… ……………..
2016-08-25 20:40:52.183113 IP 192.168.1.102.51780 > 37.48.104.171.53: Flags [S], seq 3717442142, win 8192, options [mss 1460,nop,nop,sackOK], length 0
E..0o.@…;+…f%0h..D.5…^….p. ………….
2016-08-25 20:40:52.338366 IP 192.168.1.102.12102 > 82.22.183.182.36659: UDP, length 52
E..P3…..:….fR…/F.3.<..yk.te>
….o…9..9Q.”
2016-08-25 20:40:53.651836 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [P.], seq 0:663, ack 1, win 256, length 663: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
E…?…..|….f%….F.P…?~…P…….POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
x-spidermessenger-length: 280
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 386
Cache-Control: no-cache
ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIK%2FXh1ewSC2acmrJpK8FPpDO5X4U8U%2BhVOQYKnve01SqePzC0jOBAaoCZYqrtet4eSNXBC58haWj9YO4CJ%2F4%2FM4Nav4noGSVy1Qbz81UE7k9%2BS0EqRjvZe%2FEFJL56ZEExcv7I8L7SqCbMzmWt19hp0A%3D
2016-08-25 20:40:53.755451 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [.], ack 2442, win 256, length 0
E..(?……a…f%….F.P….~..’P………….
2016-08-25 20:40:53.755850 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [.], ack 2443, win 256, length 0
E..(?……`…f%….F.P….~..(P………….
2016-08-25 20:40:53.936963 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [F.], seq 663, ack 2443, win 256, length 0
E..(? ….._…f%….F.P….~..(P………….
2016-08-25 20:40:54.169503 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [S], seq 2595205625, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4@.@…K….f.P…G.P………. ……………..
2016-08-25 20:40:54.267077 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [.], ack 1240556016, win 256, length 0
E..(@……….f.P…G.P….I.a.P…|………
2016-08-25 20:40:54.267608 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
E..a@……….f.P…G.P….I.a.P…….GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
2016-08-25 20:40:54.325234 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 0:235, ack 1, win 256, length 235
E…S…..j….f%..v.E……..9.P………………W…,…|_M.]]………..>..J…..\…
.9.8………5……………
… .3.2…..E.D…../…A………………. ……………]………upd.adskyforever.com………
.4.2…………….. .
…………………………
2016-08-25 20:40:54.267608 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=24
3783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
E..a@……….f.P…G.P….I.a.P…….GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
2016-08-25 20:40:54.325234 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 0:235, ack 1, win 256, length 235
E…S…..j….f%..v.E……..9.P………………W…,…|_M.]]………..>..J…..\…
.9.8………5……………
… .3.2…..E.D…../…A………………. ……………]………upd.adskyforever.com………
.4.2…………….. .
…………………………
2016-08-25 20:40:54.365617 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [F.], seq 313, ack 881, win 253, length 0
E..(@……….f.P…G.P…3I.e`P…x………
2016-08-25 20:40:54.366167 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [.], ack 882, win 253, length 0
E..(@……….f.P…G.P…4I.eaP…x………
2016-08-25 20:40:54.370115 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [S], seq 4015338610, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4@.@…K….f.P…H.P.U4r…… ……………..
2016-08-25 20:40:54.420141 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [.], ack 1, win 256, options [nop,nop,sack 1 {1461:2718}], length 0
E..4S.@…*….f%..v.E……..9……1…..
..?o..DX
2016-08-25 20:40:54.420536 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [.], ack 2718, win 256, length 0
E..(S…..j….f%..v.E……..DXP………….
2016-08-25 20:40:54.439037 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 235:369, ack 2718, win 256, length 134
E…S…..jw…f%..v.E……..DXP….}……F…BA………..,………..$’..N…Q.|..’3…O…U|.C.Q.)…….i…………[email protected]………1.>)….:X.R……].OG.b9..M.7y.).`|
2016-08-25 20:40:54.463188 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [.], ack 2683766345, win 256, length 0
E..(@……….f.P…H.P.U4s…IP….D……..
2016-08-25 20:40:54.463647 IP 192.168.1.102.51784 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_FIN HTTP/1.1
E..a@……….f.P…H.P.U4s…IP…….GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
2016-08-25 20:40:58.905556 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [.], ack 2856380214, win 64240, length 0
E..(x5…..f…fW..:.K.P…[email protected]………….
2016-08-25 20:40:58.906135 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 0:341, ack 1, win 64240, length 341: HTTP: POST /file.php HTTP/1.1
E..}x6………fW..:.K.P…[email protected]….{..POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache
Xi%.i….<_gdub4>
2016-08-25 20:40:58.920785 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [.], ack 1603268971, win 64240, length 0
E..(x7…..d…fW..:.L.Pr…_..kP…h………
2016-08-25 20:40:58.921202 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [P.], seq 0:353, ack 1, win 64240, length 353: HTTP: POST /file.php HTTP/1.1
E…x8………fW..:.L.Pr…_..kP….$..POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache
..m.*d…`.7E…f.}..Spr@…!o..A..i….J….I.yX.C…8..:….W.a…….?..2D.0#g]…].v..=7b…..WcAV…. JL..\.fUh…4M}zUv.Y..C….y…F
J.
2016-08-25 20:40:59.107685 IP 192.168.1.102.51787 > 87.236.19.58.80: Flags [P.], seq 341:694, ack 519, win 63722, length 353: HTTP: POST /file.php HTTP/1.1
E…x9………fW..:.K.P.. ..@.
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 142
Connection: Keep-Alive
Cache-Control: no-cache
..m.*d…`.7E…f.}..Spr@…!o..A..i….J….I.yX.C…8..:….W.a…….?..2D.0#g]…].v..=7b…..WcAV…. JL..\.fUh…4M}zUv.Y..C….y…F
J.
2016-08-25 20:40:59.107907 IP 192.168.1.102.51788 > 87.236.19.58.80: Flags [P.], seq 353:694, ack 519, win 63722, length 341: HTTP: POST /file.php HTTP/1.1
E..}x:………fW..:.L.Pr…_..qP…N…POST /file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: qawsf1gy.bget.ru
Content-Length: 130
Connection: Keep-Alive
Cache-Control: no-cache
016-08-25 20:41:35.942852 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 3197274254, ack 152215858, win 252, length 0
E..(U……….f\o.}..V….. ..2P………….
2016-08-25 20:41:36.293772 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V….. ..2P………….
2016-08-25 20:41:36.894824 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V….. ..2P………….
2016-08-25 20:41:37.360053 IP 192.168.1.102.12102 > 88.198.80.173.22638: UDP, length 62
E..Ze…..i*…fX.P./FXn.F…b._…80./[…………..0.=u”….T..obM..1….. …k..#>.X.#
2016-08-25 20:41:38.095908 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V….. ..2P………….
2016-08-25 20:41:40.360218 IP 192.168.1.102.12102 > 82.22.183.182.36659: UDP, length 57
E..U3…..:….fR…/F.3.A.iI.+P….&c..O..#..u.:……….’..
.W.d…`p.4….m^n….
2016-08-25 20:41:40.497053 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V….. ..2P………….
2016-08-25 20:41:42.663567 IP 192.168.1.102.51790 > 23.253.126.58.443: Flags [S], seq 117805912, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4..@……..f..~:.N…..X…… ..c…………..
2016-08-25 20:41:43.360410 IP 192.168.1.102.12102 > 210.133.208.78.11652: UDP, length 54
E..Rq…..d….f…N/F-..>….3.y…”.-..)_*…..L…r2…..$
H.T……………yb
2016-08-25 20:41:45.297334 IP 192.168.1.102.51421 > 92.111.175.125.22222: Flags [F.], seq 0, ack 1, win 252, length 0
E..(U……….f\o.}..V….. ..2P………….
2016-08-25 20:42:49.622060 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [S], seq 2057745320, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4O.@…!….f..
}.T..z……… ……………..
2016-08-25 20:42:49.794120 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 3954064400, win 260, length 0
E..(O…..a….f..
}.T..z…..<.p>
2016-08-25 20:42:49.840829 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 0:77, ack 1, win 260, length 77
E..uO…..a….f..
}.T..z…..<.p>
Y.c.w.R…’O…:……R(..d……..
. .d.b………c………
2016-08-25 20:42:50.068322 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 748, win 257, length 0
E..(O…..a….f..
}.T..z…..>.P….K……..
2016-08-25 20:42:50.081419 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 77:267, ack 748, win 257, length 190
E…O…..a0…f..
}.T..z…..>.P…0……………J,z;….k..od.c..m..J.6……/…,Y..’…..#{..g…L..s..O.>s…….Q… j._=…S..i…q{..l.g.N….gf..l……L.u..|”.5H…. ………..(.S.!O….4……….o….S.U..I.0.l.Tx..
2016-08-25 20:42:50.299317 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 799, win 257, length 0
E..(O…..a….f..
}.T..z…..?.P….Y……..
2016-08-25 20:42:50.452744 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [P.], seq 267:365, ack 799, win 257, length 98
E…O…..a….f..
}.T..z…..?.P…2………n…..sg=P..{..`..s*f……@-‘(l.&.l…h.[.._…-3g………..*.I.T9″……..(.7..gPm…….
2016-08-25 20:42:50.661372 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [F.], seq 365, ack 1676, win 260, length 0
E..(O…..a….f..
}.T..z…..B.P………….
2016-08-25 20:42:50.662103 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [S], seq 1111764833, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4O.@…!….f..
}.U..BD/a…… ..(…………..
2016-08-25 20:42:50.662234 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [S], seq 247285886, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4O.@…!….f..
}.V….H~…… ……………..
2016-08-25 20:42:50.833009 IP 192.168.1.102.51796 > 188.166.10.125.443: Flags [.], ack 1677, win 260, length 0
E..(O…..a….f..
}.T..z…..B.P………….
2016-08-25 20:42:50.834539 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [.], ack 4265457260, win 260, length 0
E..(O…..a….f..
}.V….H..=.lP…M………
2016-08-25 20:42:50.835151 IP 192.168.1.102.51798 > 188.166.10.125.443: Flags [P.], seq 0:109, ack 1, win 260, length 109
E…O…..ay…f..
}.V….H..=.lP….G……h…d..W..c..k.
P(..B……^.N.6..)..aC ..7w…U8………+…..f…$O………
. .d.b………c………
2016-08-25 20:42:52.087758 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 215796, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5……….
2016-08-25 20:42:52.088179 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 218316, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5……….
2016-08-25 20:42:52.088938 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 220836, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5.@……..
2016-08-25 20:42:52.089497 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 223356, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2._P..5.h……..
2016-08-25 20:42:52.090208 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 225876, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2.7P..5}………
2016-08-25 20:42:52.090816 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 228396, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5s………
2016-08-25 20:42:52.091466 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 230916, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5i………
2016-08-25 20:42:52.092047 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 233436, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5`………
2016-08-25 20:42:52.093266 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 235956, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2..P..5V0……..
2016-08-25 20:42:52.093882 IP 192.168.1.102.51797 > 188.166.10.125.443: Flags [.], ack 238476, win 1333, length 0
E..(P…..a….f..
}.U..BD3..2.oP..5LX……..
2016-08-25 20:42:52.519472 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [S], seq 864782611, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..4 .@…c….f\?o..X.P3……… .9……………
2016-08-25 20:42:52.681083 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [.], ack 2746851228, win 260, length 0
E..( ……….f\?o..X.P3…….P…V7……..
2016-08-25 20:42:52.681582 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 0:343, ack 1, win 260, length 343: HTTP: GET /module/96df1c84c7fb13e880e399f9627e0db0 HTTP/1.1
E… ……….f\?o..X.P3…….P….0..GET /module/96df1c84c7fb13e880e399f9627e0db0 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173
2016-08-25 20:42:53.381648 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [.], ack 99559, win 260, length 0
E..( ……….f\?o..X.P3..k..$.P………….
2016-08-25 20:42:53.753273 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 343:686, ack 99559, win 260, length 343: HTTP: GET /module/311ac29c5a8f6b4e7a247db98207fd6e HTTP/1.1
E… ……….f\?o..X.P3..k..$.P…….GET /module/311ac29c5a8f6b4e7a247db98207fd6e HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173
2016-08-25 20:42:54.597357 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 686:1029, ack 128966, win 1046, length 343: HTTP: GET /module/a104f2955999a2f1a1c881e8930b82f6 HTTP/1.1
E… ……….f\?o..X.P3……aP…tp..GET /module/a104f2955999a2f1a1c881e8930b82f6 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173
2016-08-25 20:42:55.538846 IP 192.168.1.102.51800 > 92.63.111.173.80: Flags [P.], seq 1029:1372, ack 219620, win 1087, length 343: HTTP: GET /module/d1967c99c0c7f9b468f2e08e59e41ffe HTTP/1.1
E…
……a…f\?o..X.P3…….P..?.2..GET /module/d1967c99c0c7f9b468f2e08e59e41ffe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; WIN32)
Host: 92.63.111.173
2016-08-25 20:42:55.975976 IP 192.168.1.102.51801 > 188.166.10.125.443: Flags [P.], seq 267:749, ack 799, win 257, length 482
E..
P\…._`…f..
}.Y….. !..{P….!…….Y.^s..`…..G…b..7……….<_..u..pv.adc..>
..#Y.0.V…k.oz.D…N..|8……….R..9.s.(.1&..S……2…….Dx…..*..4……g..u.@….=![…..1.b:.9….L>EK…….B$.”`;…._.gU.Jx.h.E…8…:{n.C…M.
………t..R.7b.…i.y.EO.[.d=a…1…r.:..|
2016-08-25 20:42:55.977244 IP 192.168.1.102.51801 > 188.166.10.125.443: Flags [P.], seq 749:2209, ack 799, win 257, length 1460
E…P]….[….f..
}.Y……!..{P…………J
.(}…..(“.Ekd.uSfM.i
…8.if.5..H…!…U..-J…_W.[…A~….T….R …L|.#a.”4..Z..r.Y_.!nV.Kc..<.>#.. .6….t……..3..?.|..
…….|^…c;;…..@w……..D..$J.:*..T…v.y……I80.n.t..i{….x.O.’.w…….I..2……..~
.y.f…..X…’..E..Z.Xm.N..rLc .|..c…|-.,9`t…HN..&v!……..1i….b..0.\.\.X….am………
… …D.0!..(…@…I.,”..<..m>l.).&..ZLgxN_LC..X4…..Z…. ..SG….|.i…T8….._|…i.~.
.f.J…….mX..O{.L?.e.r…..
..c…P.Ei.r.R8..H{….F…b…*O….
.N../.
/..+..C……B.DI.?………..’…..`…G.1…..A…….y.D…..:.d..^.>.h…*.XF…..N..?._…….Q…Q….gqP..*.3gb…….:…a…..2.\….V………E~..(.. ..M!Y.Mv……y..’….h .0..%j..H..w..%.(….W…L…d.!.I<. .a..w>………”…
………………………………
……
………………
…………………………………’………………
…………………
……………………
………………………
……… …………………
………… …………
…………… ………
…………………
…………………
……………………
…………………
………………………
………………………
……………………
………………………
……………’……
………………………
……………………
……………………
………………………
…………………
………………………
……………………
……………………
………………………
…………………
………………”””<.m..>
…………………”””<.m..>
…………………”””<.m..>
………………”””<.m..>
…………………”””<.m..>
…………………””””<.m..>
………………””””<.>
………………””””<.>
…………………””””<.>
…………………””””<.>
………………””””<.>
……………
…………………””””<.>
………………””””<.>
……… …………………
…”……
…………
………………………………
………
………………′……&……’…………
…………&Ud………
…… …………………………………
…………………’……………”………………
……………’…………………………”…………………………’………<.a>…………
…
…………………&……”……
’’…………………&Y.c.Fz……………’…………………
………&………… …
……………’……’…………………’”…
…………………………
…………”…………’…&…
…………………………………’
……………’……”……………………’……………&…………”…………………………………………………………………………’……………………′……………………………<.. p>&……’…………‘……………
This post first appeared on Computer Security.org - CyberSecurity News, Inform, please read the originial post: here
