Analysis Date: 2016-01-28 20:04:49
MD5: 9a8335f9d5ee08291646c713d67bb32e
SHA1: eb3ba78df0dbf1d1365ac49c87998b77bf657007

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 714094992cd0578bd4b3063c9768167d sha1: 319a8c7dbc33307902a45c1b2963fff364bf4be9 size: 183808
Section: .rdata md5: 492d72ad3ccf7b189c633be62bafc38e sha1: 4528664a9359a5c5bb38492e206b9102e91b0c23 size: 2560
Section: .data md5: 89acefbed12bef9ba6c409131fa5f10d sha1: f8e25e362e484ccaed9ff4107dc3bd31bd0e21c9 size: 15360
Section: .reloc md5: 663a988b183719f2c1ac1885664e038b sha1: 6772a681fc68fd2e2b0a51450606237f5d3afbae size: 30720
Timestamp: 2014-06-29 03:54:23
PEhash: bb7a806c273745181d7527bd31d22bc48ca030b3
IMPhash: 09aefb919d779f6d1a353279a2f12914
AV Rising: No Virus
AV Mcafee: Trojan-FHQT!9A8335F9D5EE
AV Avira (antivir): TR/Nivdort.A.31012
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.790778
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.BA
AV Grisoft (avg): Generic37.YHT
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Kazy.790778
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DA
AV MicroWorld (escan): Gen:Variant.Kazy.790778
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.790778
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.790778
AV Arcabit (arcavir): Gen:Variant.Kazy.790778
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.9618
AV F-Secure: Gen:Variant.Kazy.790778
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\esgplnwayyakelp\jpzqloihi
Creates File: C:\esgplnwayyakelp\apfn1l5arlyo4rxsk.exe
Creates File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Deletes File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Creates Process: C:\esgplnwayyakelp\apfn1l5arlyo4rxsk.exe

Process
↳ C:\esgplnwayyakelp\apfn1l5arlyo4rxsk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Awareness Hardware Biometric Proxy TP ➝ C:\esgplnwayyakelp\zqprrobwg.exe
Creates File: C:\esgplnwayyakelp\asvivh43isfx
Creates File: C:\esgplnwayyakelp\jpzqloihi
Creates File: C:\esgplnwayyakelp\zqprrobwg.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Deletes File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Creates Process: C:\esgplnwayyakelp\zqprrobwg.exe
Creates Service: DCOM Level Process Notification Tunneling DLL - C:\esgplnwayyakelp\zqprrobwg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1176

Process
↳ C:\esgplnwayyakelp\zqprrobwg.exe

Creates File: C:\esgplnwayyakelp\wsephqdbx
Creates File: C:\esgplnwayyakelp\asvivh43isfx
Creates File: C:\esgplnwayyakelp\jpzqloihi
Creates File: pipe\net\NtControlPipe10
Creates File: C:\esgplnwayyakelp\vxyorjae.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Deletes File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Creates Process: skhsxja7f5zb "c:\esgplnwayyakelp\zqprrobwg.exe"

Process
↳ C:\esgplnwayyakelp\zqprrobwg.exe

Creates File: C:\esgplnwayyakelp\jpzqloihi
Creates File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Deletes File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi

Process
↳ skhsxja7f5zb "c:\esgplnwayyakelp\zqprrobwg.exe"

Creates File: C:\esgplnwayyakelp\jpzqloihi
Creates File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi
Deletes File: C:\WINDOWS\esgplnwayyakelp\jpzqloihi

Network Details:


Raw Pcap

Strings