stub.exe Adware Loads Search Protect Adware PUP NSIS_Inetc PCAP file download

2016-09-20 07:16:07.938958 IP 192.168.1.102.59262 > 192.168.1.100.80: Flags [P.], seq 1:339, ack 1, win 256, length 338: HTTP: GET /captured/Stub.exe HTTP/1.1
E..zn…..Fh…f…d.~.P..%.`.^jP…….GET /captured/Stub.exe HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.100/captured/
Connection: keep-alive
2016-09-20 07:16:07.938976 IP 192.168.1.100.80 > 192.168.1.102.59262: Flags [.], ack 339, win 237, length 0
E..(..@.@……d…f.P.~`.^j..’.P….5..
2016-09-20 07:16:07.939147 IP 192.168.1.100.80 > 192.168.1.102.59262: Flags [.], seq 1:5841, ack 339, win 237, length 5840: HTTP: HTTP/1.1 200 OK
E…..@.@……d…f.P.~`.^j..’.P…….HTTP/1.1 200 OK
Date: Tue, 20 Sep 2016 11:16:07 GMT
Server: Apache/2.4.18 (Debian)
Last-Modified: Tue, 20 Sep 2016 09:31:34 GMT
ETag: "2b660-53ced182d7a3e"
Accept-Ranges: bytes
Content-Length: 177760
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS mode..

2016-09-20 07:16:52.930042 IP 192.168.1.102.59288 > 23.23.99.139.80: Flags [P.], seq 5866:6140, ack 521, win 254, length 274: HTTP: POST / HTTP/1.1
E..:?……b…f..c….Pc
..v.M.P…|[..POST / HTTP/1.1
Content-Type: application/json
Accept: */*
User-Agent: SearchProtect;3.1.4.5;Microsoft Windows XP Professional;SPF850F91B-AE3E-437C-9903-35EE2FF19951
Host: sp-usage.databssint.com
Content-Length: 2561
Connection: Keep-Alive
Cache-Control: no-cache

2016-09-20 07:16:54.288912 IP 192.168.1.102.59286 > 23.217.129.72.80: Flags [P.], seq 221:443, ack 5166, win 256, length 222: HTTP: GET /NewInstall/UP/settings/?ctid=CT3331172&gd=&UM=8&c=US&DUM=2 HTTP/1.1
E……….’…f…H…P.N…A..P…….GET /NewInstall/UP/settings/?ctid=CT3331172&gd=&UM=8&c=US&DUM=2 HTTP/1.1
User-Agent: SearchProtect;3.1.4.5;Microsoft Windows XP Professional;SPF850F91B-AE3E-437C-9903-35EE2FF19951
Accept: */*
Host: c.api.seccint.com

2016-09-20 07:17:00.217913 IP 192.168.1.102.59264 > 54.225.182.66.80: Flags [P.], seq 1606:2419, ack 343, win 255, length 813: HTTP: POST / HTTP/1.1
E..UG…..@….f6..B…P\….t.xP…….POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 606
Connection: Keep-Alive
Cache-Control: no-cache