Analysis Date2015-08-11 06:17:25
MD5f9471cc5b97a16dc357a1111464ee07c
SHA13751b8fe39b19102d6c727f1273d83a837f64842

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 1965583b4bc21d858270cd4cc78df470 sha1: 61233fedce2766b98b947b64fd72d256cbd99389 size: 1242624
Section.rdata md5: 6a08f6eae858c8e615c098a927cdc8ae sha1: 786282330bf3a0d25d0a9d1b5fe29d51185103b8 size: 336384
Section.data md5: 8f9789f3c1133f0d2f67529b6f18a2aa sha1: f508e64fd8c7a70075017fff8b5191721f86f934 size: 8192
Section.reloc md5: 5b42180c632000afeff526e414c9bba3 sha1: 849d3de80fe83c1b7ca61116b482a8b41f1eda45 size: 163328
Timestamp2015-05-11 03:53:51
PackerVC8 -> Microsoft Corporation
PEhash9eb8506a49ad4f43e0ea72ef5abc0aa89010d7d0
IMPhashc6ceab21a9f039b779deb2a598884b77
AVZillya!no_virus
AVTrend Microno_virus
AVBullGuardGen:Variant.Kazy.611782
AVArcabit (arcavir)Gen:Variant.Kazy.611782
AVCA (E-Trust Ino)no_virus
AVClamAVno_virus
AVMicrosoft Security EssentialsTrojan:Win32/Dynamer!ac
AVFortinetW32/Bayrob.X!tr
AVF-SecureGen:Variant.Kazy.611782
AVDr. WebTrojan.Bayrob.5
AVEset (nod32)Win32/Bayrob.Z
AVEmsisoftGen:Variant.Kazy.611782
AVRisingno_virus
AVTwisterno_virus
AVMcafeeTrojan-FGIJ!F9471CC5B97A
AVBitDefenderGen:Variant.Kazy.611782
AVMicroWorld (escan)Gen:Variant.Kazy.611782
AVAd-AwareGen:Variant.Kazy.611782
AVK7Trojan ( 004c77f41 )
AVAvira (antivir)TR/Crypt.Xpack.274632
AVVirusBlokAda (vba32)no_virus
AVAlwil (avast)Dropper-OJQ [Drp]
AVSymantecDownloader.Upatre!g15
AVAuthentiumW32/SoxGrave.A2.gen!Eldorado
AVMalwareBytesno_virus
AVIkarusTrojan.Win32.Bayrob
AVGrisoft (avg)Win32/Cryptor
AVFrisk (f-prot)no_virus
AVPadvishno_virus
AVKasperskyTrojan.Win32.Generic
AVCAT (quickheal)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ihx4tgv5z2zi8qmvivsmwy.exe
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\tst
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\ihx4tgv5z2zi8qmvivsmwy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ihx4tgv5z2zi8qmvivsmwy.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Portable Office Spooler COM ➝
C:\WINDOWS\system32\qsjkjfczpevb.exe
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\etc
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\lck
Creates FileC:\WINDOWS\system32\qsjkjfczpevb.exe
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\tst
Deletes FileC:\WINDOWS\system32\\drivers\etc\hosts
Creates ProcessC:\WINDOWS\system32\qsjkjfczpevb.exe
Creates ServiceInstaller Disk Secure Background Defender - C:\WINDOWS\system32\qsjkjfczpevb.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates FileC:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates FileC:\WINDOWS\Prefetch\IHX4TGV5Z2ZI8QMVIVSMWY.EXE-33062B35.pf
Creates FileC:\WINDOWS\Prefetch\3751B8FE39B19102D6C727F1273D8-23C8FED8.pf
Creates FileC:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates FileC:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates FileC:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\Prefetch\QSJKJFCZPEVB.EXE-14A0EFF0.pf
Creates FileC:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates FileC:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates FileC:\WINDOWS\Prefetch\IHX4TGVFHIZI8QM.EXE-01E31DA4.pf
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates FileC:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf
Creates FileC:\WINDOWS\Prefetch\KFKLWGAYGBM.EXE-09E2B9E2.pf

Process
↳ Pid 1120

Process
↳ Pid 1216

Process
↳ Pid 1328

Process
↳ Pid 1876

Process
↳ Pid 1248

Process
↳ C:\WINDOWS\system32\qsjkjfczpevb.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\cfg
Creates FileC:\WINDOWS\system32\kfklwgaygbm.exe
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\rng
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\tst
Creates FileC:\WINDOWS\TEMP\ihx4tgvfhizi8qm.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\run
Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\lck
Creates File\Device\Afd\Endpoint
Deletes FileC:\WINDOWS\TEMP\ihx4tgvfhizi8qm.exe
Creates ProcessWATCHDOGPROC "c:\windows\system32\qsjkjfczpevb.exe"
Creates ProcessC:\WINDOWS\TEMP\ihx4tgvfhizi8qm.exe -r 33148 tcp

Process
↳ C:\WINDOWS\system32\qsjkjfczpevb.exe

Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\qsjkjfczpevb.exe"

Creates FileC:\WINDOWS\system32\zqijbeugpfdvf\tst

Process
↳ C:\WINDOWS\TEMP\ihx4tgvfhizi8qm.exe -r 33148 tcp

Creates File\Device\Afd\Endpoint
Winsock DNS239.255.255.250

Network Details:

DNSrecordsoldier.net
Type: A
208.91.197.241
DNSfliersurprise.net
Type: A
208.91.197.241
DNShistorybright.net
Type: A
208.91.197.241
DNSchiefsoldier.net
Type: A
208.91.197.241
DNSclasssurprise.net
Type: A
208.91.197.241
DNSthosecontinue.net
Type: A
208.91.197.241
DNSthroughcontain.net
Type: A
208.91.197.241
DNSbelongguard.net
Type: A
208.91.197.241
DNSmaybellinethaddeus.net
Type: A
208.91.197.241
DNSkimberleyshavonne.net
Type: A
208.91.197.241
DNSnaildeep.com
Type: A
74.220.215.218
DNSriddenstorm.net
Type: A
66.147.240.171
DNSdestroystorm.net
Type: A
216.239.138.86
DNSwellmark.net
Type: A
218.85.139.71
DNSwellnews.net
Type: A
198.72.112.7
DNSringmark.net
Type: A
104.28.4.24
DNSringmark.net
Type: A
104.28.5.24
DNSwestking.net
Type: A
125.209.214.79
DNStableking.net
Type: A
72.52.4.119
DNSleadking.net
Type: A
141.8.224.239
DNShusbandfound.net
Type: A
DNSleadershort.net
Type: A
DNSeggbraker.com
Type: A
DNSithouneed.com
Type: A
DNSnosebroke.net
Type: A
DNSnosemark.net
Type: A
DNSnosenews.net
Type: A
DNSringstate.net
Type: A
DNSfavorstate.net
Type: A
DNSringbroke.net
Type: A
DNSfavorbroke.net
Type: A
DNSfavormark.net
Type: A
DNSringnews.net
Type: A
DNSfavornews.net
Type: A
DNSsorrythan.net
Type: A
DNSfiftythan.net
Type: A
DNSsorryread.net
Type: A
DNSfiftyread.net
Type: A
DNSsorrymile.net
Type: A
DNSfiftymile.net
Type: A
DNSsorryking.net
Type: A
DNSfiftyking.net
Type: A
DNStheirthan.net
Type: A
DNSlikrthan.net
Type: A
DNStheirread.net
Type: A
DNSlikrread.net
Type: A
DNStheirmile.net
Type: A
DNSlikrmile.net
Type: A
DNStheirking.net
Type: A
DNSlikrking.net
Type: A
DNSfearthan.net
Type: A
DNSwestthan.net
Type: A
DNSfearread.net
Type: A
DNSwestread.net
Type: A
DNSfearmile.net
Type: A
DNSwestmile.net
Type: A
DNSfearking.net
Type: A
DNStablethan.net
Type: A
DNSleadthan.net
Type: A
DNStableread.net
Type: A
DNSleadread.net
Type: A
DNStablemile.net
Type: A
DNSleadmile.net
Type: A
DNSpointthan.net
Type: A
DNScallthan.net
Type: A
DNSpointread.net
Type: A
DNScallread.net
Type: A
DNSpointmile.net
Type: A
HTTP GEThttp://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://wellmark.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://wellnews.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://ringmark.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://westking.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://tableking.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
HTTP GEThttp://leadking.net/index.php?method=validate&mode=sox&v=050&sox=4f9cca03&lenhdr
User-Agent:
Flows TCP192.168.1.1:1032 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1035 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP192.168.1.1:1050 ➝ 218.85.139.71:80
Flows TCP192.168.1.1:1051 ➝ 198.72.112.7:80
Flows TCP192.168.1.1:1052 ➝ 104.28.4.24:80
Flows TCP192.168.1.1:1053 ➝ 125.209.214.79:80
Flows TCP192.168.1.1:1054 ➝ 72.52.4.119:80
Flows TCP192.168.1.1:1055 ➝ 141.8.224.239:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207265 636f7264 736f6c64 6965722e   : recordsoldier.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20666c 69657273 75727072 6973652e   : fliersurprise.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206869 73746f72 79627269 6768742e   : historybright.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206368 69656673 6f6c6469 65722e6e   : chiefsoldier.n
0x00000080 (00128)   65740d0a 0d0a0a                       et.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20636c 61737373 75727072 6973652e   : classsurprise.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 6f736563 6f6e7469 6e75652e   : thosecontinue.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 726f7567 68636f6e 7461696e   : throughcontain
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206265 6c6f6e67 67756172 642e6e65   : belongguard.ne
0x00000080 (00128)   740d0a0d 0a0a0d0a                     t.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206d61 7962656c 6c696e65 74686164   : maybellinethad
0x00000080 (00128)   64657573 2e6e6574 0d0a0d0a            deus.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206b69 6d626572 6c657973 6861766f   : kimberleyshavo
0x00000080 (00128)   6e6e652e 6e65740d 0a0d0a0a            nne.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206e61 696c6465 65702e63 6f6d0d0a   : naildeep.com..
0x00000080 (00128)   0d0a652e 6e65740d 0a0d0a0a            ..e.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207269 6464656e 73746f72 6d2e6e65   : riddenstorm.ne
0x00000080 (00128)   740d0a0d 0a65740d 0a0d0a0a            t....et.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206465 7374726f 7973746f 726d2e6e   : destroystorm.n
0x00000080 (00128)   65740d0a 0d0a740d 0a0d0a0a            et....t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 6c6c6d61 726b2e6e 65740d0a   : wellmark.net..
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 6c6c6e65 77732e6e 65740d0a   : wellnews.net..
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207269 6e676d61 726b2e6e 65740d0a   : ringmark.net..
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 73746b69 6e672e6e 65740d0a   : westking.net..
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207461 626c656b 696e672e 6e65740d   : tableking.net.
0x00000080 (00128)   0a0d0a0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 39636361 3033266c 656e6864   x=4f9cca03&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c65 61646b69 6e672e6e 65740d0a   : leadking.net..
0x00000080 (00128)   0d0a0a0a 0d0a740d 0a0d0a0a            ......t.....


Strings