sqiuba.176win.com 176Win.exe Malware/Adware Traffic Analysis PCAP file download

2016-10-26 00:38:49.205338 IP 192.168.1.102.62152 > 219.84.168.195.80: Flags [P.], seq 0:290, ack 1, win 256, length 290: HTTP: GET /176Win.exe HTTP/1.1
GET /176Win.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: sqiuba.176win.com
Connection: Keep-Alive

2016-10-26 00:38:49.441803 IP 192.168.1.102.62152 > 219.84.168.195.80: Flags [.], ack 2921, win 256, length 0
2016-10-26 00:39:00.214544 IP 192.168.1.102.62155 > 219.84.168.195.80: Flags [P.], seq 0:218, ack 1, win 256, length 218: HTTP: GET /load.swf HTTP/1.1
GET /load.swf HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: www.176win.com
Connection: Keep-Alive

2016-10-26 00:39:00.434571 IP 192.168.1.102.62155 > 219.84.168.195.80: Flags [.], ack 2921, win 256, length 0
2016-10-26 00:39:05.574199 IP 192.168.1.102.62156 > 219.84.168.195.80: Flags [P.], seq 0:210, ack 1, win 256, length 210: HTTP: POST /GiftWS.asmx HTTP/1.1
POST /GiftWS.asmx HTTP/1.1
Content-Length: 311
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/GetURL"
Accept: text/xml
Host: www.176win.com
User-Agent: Microsoft-ATL-Native/7.00

2016-10-26 00:39:05.937678 IP 192.168.1.102.62156 > 219.84.168.195.80: Flags [P.], seq 210:521, ack 1, win 256, length 311: HTTP
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><GetURL xmlns="http://tempuri.org/"></GetURL></soap:Body></soap:Envelope>