Analysis Date2016-02-14 05:55:06
MD5330d3070eca840624ef0ae6efda48e89
SHA1eb9d349da247c1d05144d8c07c424bd3beadf019

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 9266185f99b46118489163794ac93721 sha1: 0c56e7a42dec0532e7269d8360139cf2a60e2a2a size: 197120
Section.rdata md5: 3c3da1444fe4a42d6c39add1eedb4529 sha1: 4636b87de81a15c7b55aea9b5b8b81a940f956a4 size: 3072
Section.data md5: 26e57adc5a81939d17d3367c4632dd57 sha1: 22c9bfd8ecfeedabd0fc73a311a4cc946c1443d9 size: 15360
Section.reloc md5: f1538a5be734281919cef5c3198338a1 sha1: c47e460fdfca114df28f3f41d34c5101ccbda3e6 size: 30720
Timestamp2014-07-22 14:31:01
PEhashc462bc784926235bed23a2d53d005ed37a496963
IMPhasha814c7649b1bf4da4b2fdccc5b0f76ce
AVCA (E-Trust Ino)Gen:Variant.Kazy.788903
AVF-SecureGen:Variant.Kazy.788903
AVDr. WebNo Virus
AVClamAVNo Virus
AVArcabit (arcavir)Gen:Variant.Kazy.788903
AVBullGuardGen:Variant.Kazy.788903
AVCAT (quickheal)TrojanSpy.Nivdort.r4
AVVirusBlokAda (vba32)No Virus
AVTrend MicroNo Virus
AVKasperskyTrojan.Win32.Generic
AVZillya!No Virus
AVIkarusTrojan.Win32.Bayrob
AVFrisk (f-prot)W32/Nivdort.H.gen!Eldorado
AVEmsisoftGen:Variant.Kazy.788903
AVAuthentiumW32/Nivdort.H.gen!Eldorado
AVMalwareBytesNo Virus
AVMicroWorld (escan)Gen:Variant.Kazy.788903
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.DE
AVK7Trojan ( 004dc2a31 )
AVBitDefenderGen:Variant.Kazy.788903
AVFortinetW32/Bayrob.AQ!tr
AVSymantecTrojan.Bayrob!gen6
AVGrisoft (avg)Win32/Heur
AVEset (nod32)Win32/Bayrob.AT.gen
AVAlwil (avast)Vupa [Cryp]
AVRisingNo Virus
AVAd-AwareGen:Variant.Kazy.788903
AVTwisterNo Virus
AVAvira (antivir)TR/Nivdort.A.29075
AVMcafeeTrojan-FHRG!330D3070ECA8

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\qrbuekuefnralpb\mckbcrg
Creates FileC:\qrbuekuefnralpb\sexjkwajxziqthytw.exe
Creates FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Deletes FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Creates ProcessC:\qrbuekuefnralpb\sexjkwajxziqthytw.exe

Process
↳ C:\qrbuekuefnralpb\sexjkwajxziqthytw.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Control Configuration Program Brightness ➝
C:\qrbuekuefnralpb\croqbtgfnvss.exe
Creates FileC:\qrbuekuefnralpb\mckbcrg
Creates FileC:\qrbuekuefnralpb\croqbtgfnvss.exe
Creates FilePIPE\lsarpc
Creates FileC:\qrbuekuefnralpb\unt4zyvayiqw
Creates FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Deletes FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Creates ProcessC:\qrbuekuefnralpb\croqbtgfnvss.exe
Creates ServiceIPsec Server Card Routing Collector Base - C:\qrbuekuefnralpb\croqbtgfnvss.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝
192.168.254.254\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝
192.168.254.254\\x00
Creates FileC:\WINDOWS\Prefetch\EB9D349DA247C1D05144D8C07C424-38149FF5.pf
Creates FileC:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates FileNDIS
Creates FileC:\WINDOWS\Prefetch\XWFMJANKXSHI.EXE-21F941A6.pf
Creates FileC:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates FileC:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates FileC:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates FileC:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates FileC:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates FileC:\WINDOWS\Prefetch\SEXJKWAJXZIQTHYTW.EXE-01001307.pf
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\Prefetch\CROQBTGFNVSS.EXE-1DFDDA83.pf
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates FileC:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1208

Process
↳ Pid 1324

Process
↳ Pid 1864

Process
↳ Pid 316

Process
↳ C:\qrbuekuefnralpb\croqbtgfnvss.exe

Creates FileC:\qrbuekuefnralpb\mckbcrg
Creates Filepipe\net\NtControlPipe10
Creates File\Device\Afd\Endpoint
Creates FileC:\qrbuekuefnralpb\er3kkvtxdky
Creates FileC:\qrbuekuefnralpb\xwfmjankxshi.exe
Creates FileC:\qrbuekuefnralpb\unt4zyvayiqw
Creates FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Deletes FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Creates Processvunybvea66ux "c:\qrbuekuefnralpb\croqbtgfnvss.exe"

Process
↳ C:\qrbuekuefnralpb\croqbtgfnvss.exe

Creates FileC:\qrbuekuefnralpb\mckbcrg
Creates FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Deletes FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg

Process
↳ vunybvea66ux "c:\qrbuekuefnralpb\croqbtgfnvss.exe"

Creates FileC:\qrbuekuefnralpb\mckbcrg
Creates FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg
Deletes FileC:\WINDOWS\qrbuekuefnralpb\mckbcrg

Network Details:

DNSdesireopinion.net
Type: A
195.22.28.199
DNSdesireopinion.net
Type: A
195.22.28.196
DNSdesireopinion.net
Type: A
195.22.28.197
DNSdesireopinion.net
Type: A
195.22.28.198
DNSpreparepromise.net
Type: A
208.100.26.234
DNSoutsidesupply.net
Type: A
98.124.243.47
DNSoutsideoffice.net
Type: A
104.24.17.64
DNSoutsideoffice.net
Type: A
104.24.16.64
DNSbuildingsupply.net
Type: A
67.212.232.207
DNSbuildingoffice.net
Type: A
46.20.7.163
DNSstoresupply.net
Type: A
69.172.201.208
DNSdoctorsupply.net
Type: A
184.168.221.96
DNSdoctoroffice.net
Type: A
69.172.201.208
DNSstillsupply.net
Type: A
50.63.202.15
DNSbuildingtrouble.net
Type: A
208.100.26.234
DNSprettystrong.net
Type: A
50.62.236.1
DNSdoubletrouble.net
Type: A
207.148.248.143
DNSstillstrong.net
Type: A
206.188.192.251
DNSbuildingmaster.net
Type: A
199.83.132.178
DNSbuildingmaster.net
Type: A
199.83.128.178
DNSstoremaster.net
Type: A
184.168.221.104
DNSdoctormaster.net
Type: A
212.48.86.202
DNSprepareopinion.net
Type: A
DNSdesirepromise.net
Type: A
DNSstrengthshould.net
Type: A
DNSstillshould.net
Type: A
DNSstrengthshort.net
Type: A
DNSstillshort.net
Type: A
DNSstrengthopinion.net
Type: A
DNSstillopinion.net
Type: A
DNSstrengthpromise.net
Type: A
DNSstillpromise.net
Type: A
DNSmovementsupply.net
Type: A
DNSmovementdistance.net
Type: A
DNSoutsidedistance.net
Type: A
DNSmovementoffice.net
Type: A
DNSmovementarrive.net
Type: A
DNSoutsidearrive.net
Type: A
DNSeveningsupply.net
Type: A
DNSbuildingdistance.net
Type: A
DNSeveningdistance.net
Type: A
DNSeveningoffice.net
Type: A
DNSbuildingarrive.net
Type: A
DNSeveningarrive.net
Type: A
DNSmightsupply.net
Type: A
DNSstoredistance.net
Type: A
DNSmightdistance.net
Type: A
DNSstoreoffice.net
Type: A
DNSmightoffice.net
Type: A
DNSstorearrive.net
Type: A
DNSmightarrive.net
Type: A
DNSprettysupply.net
Type: A
DNSdoctordistance.net
Type: A
DNSprettydistance.net
Type: A
DNSprettyoffice.net
Type: A
DNSdoctorarrive.net
Type: A
DNSprettyarrive.net
Type: A
DNSfellowsupply.net
Type: A
DNSdoublesupply.net
Type: A
DNSfellowdistance.net
Type: A
DNSdoubledistance.net
Type: A
DNSfellowoffice.net
Type: A
DNSdoubleoffice.net
Type: A
DNSfellowarrive.net
Type: A
DNSdoublearrive.net
Type: A
DNSbrokensupply.net
Type: A
DNSresultsupply.net
Type: A
DNSbrokendistance.net
Type: A
DNSresultdistance.net
Type: A
DNSbrokenoffice.net
Type: A
DNSresultoffice.net
Type: A
DNSbrokenarrive.net
Type: A
DNSresultarrive.net
Type: A
DNSpreparesupply.net
Type: A
DNSdesiresupply.net
Type: A
DNSpreparedistance.net
Type: A
DNSdesiredistance.net
Type: A
DNSprepareoffice.net
Type: A
DNSdesireoffice.net
Type: A
DNSpreparearrive.net
Type: A
DNSdesirearrive.net
Type: A
DNSstrengthsupply.net
Type: A
DNSstrengthdistance.net
Type: A
DNSstilldistance.net
Type: A
DNSstrengthoffice.net
Type: A
DNSstilloffice.net
Type: A
DNSstrengtharrive.net
Type: A
DNSstillarrive.net
Type: A
DNSmovementstrong.net
Type: A
DNSoutsidestrong.net
Type: A
DNSmovementtrouble.net
Type: A
DNSoutsidetrouble.net
Type: A
DNSmovementpresident.net
Type: A
DNSoutsidepresident.net
Type: A
DNSmovementcaught.net
Type: A
DNSoutsidecaught.net
Type: A
DNSbuildingstrong.net
Type: A
DNSeveningstrong.net
Type: A
DNSeveningtrouble.net
Type: A
DNSbuildingpresident.net
Type: A
DNSeveningpresident.net
Type: A
DNSbuildingcaught.net
Type: A
DNSeveningcaught.net
Type: A
DNSstorestrong.net
Type: A
DNSmightstrong.net
Type: A
DNSstoretrouble.net
Type: A
DNSmighttrouble.net
Type: A
DNSstorepresident.net
Type: A
DNSmightpresident.net
Type: A
DNSstorecaught.net
Type: A
DNSmightcaught.net
Type: A
DNSdoctorstrong.net
Type: A
DNSdoctortrouble.net
Type: A
DNSprettytrouble.net
Type: A
DNSdoctorpresident.net
Type: A
DNSprettypresident.net
Type: A
DNSdoctorcaught.net
Type: A
DNSprettycaught.net
Type: A
DNSfellowstrong.net
Type: A
DNSdoublestrong.net
Type: A
DNSfellowtrouble.net
Type: A
DNSfellowpresident.net
Type: A
DNSdoublepresident.net
Type: A
DNSfellowcaught.net
Type: A
DNSdoublecaught.net
Type: A
DNSbrokenstrong.net
Type: A
DNSresultstrong.net
Type: A
DNSbrokentrouble.net
Type: A
DNSresulttrouble.net
Type: A
DNSbrokenpresident.net
Type: A
DNSresultpresident.net
Type: A
DNSbrokencaught.net
Type: A
DNSresultcaught.net
Type: A
DNSpreparestrong.net
Type: A
DNSdesirestrong.net
Type: A
DNSpreparetrouble.net
Type: A
DNSdesiretrouble.net
Type: A
DNSpreparepresident.net
Type: A
DNSdesirepresident.net
Type: A
DNSpreparecaught.net
Type: A
DNSdesirecaught.net
Type: A
DNSstrengthstrong.net
Type: A
DNSstrengthtrouble.net
Type: A
DNSstilltrouble.net
Type: A
DNSstrengthpresident.net
Type: A
DNSstillpresident.net
Type: A
DNSstrengthcaught.net
Type: A
DNSstillcaught.net
Type: A
DNSmovementcontinue.net
Type: A
DNSoutsidecontinue.net
Type: A
DNSmovementmaster.net
Type: A
DNSoutsidemaster.net
Type: A
DNSmovementwonder.net
Type: A
DNSoutsidewonder.net
Type: A
DNSmovementdiscover.net
Type: A
DNSoutsidediscover.net
Type: A
DNSbuildingcontinue.net
Type: A
DNSeveningcontinue.net
Type: A
DNSeveningmaster.net
Type: A
DNSbuildingwonder.net
Type: A
DNSeveningwonder.net
Type: A
DNSbuildingdiscover.net
Type: A
DNSeveningdiscover.net
Type: A
DNSstorecontinue.net
Type: A
DNSmightcontinue.net
Type: A
DNSmightmaster.net
Type: A
DNSstorewonder.net
Type: A
DNSmightwonder.net
Type: A
DNSstorediscover.net
Type: A
DNSmightdiscover.net
Type: A
DNSdoctorcontinue.net
Type: A
DNSprettycontinue.net
Type: A
DNSprettymaster.net
Type: A
DNSdoctorwonder.net
Type: A
DNSprettywonder.net
Type: A
HTTP GEThttp://desireopinion.net/index.php
User-Agent:
HTTP GEThttp://preparepromise.net/index.php
User-Agent:
HTTP GEThttp://outsidesupply.net/index.php
User-Agent:
HTTP GEThttp://outsideoffice.net/index.php
User-Agent:
HTTP GEThttp://buildingsupply.net/index.php
User-Agent:
HTTP GEThttp://buildingoffice.net/index.php
User-Agent:
HTTP GEThttp://storesupply.net/index.php
User-Agent:
HTTP GEThttp://doctorsupply.net/index.php
User-Agent:
HTTP GEThttp://doctoroffice.net/index.php
User-Agent:
HTTP GEThttp://stillsupply.net/index.php
User-Agent:
HTTP GEThttp://buildingtrouble.net/index.php
User-Agent:
HTTP GEThttp://prettystrong.net/index.php
User-Agent:
HTTP GEThttp://doubletrouble.net/index.php
User-Agent:
HTTP GEThttp://stillstrong.net/index.php
User-Agent:
HTTP GEThttp://buildingmaster.net/index.php
User-Agent:
HTTP GEThttp://storemaster.net/index.php
User-Agent:
HTTP GEThttp://doctormaster.net/index.php
User-Agent:
Flows TCP192.168.1.1:1033 ➝ 195.22.28.199:80
Flows TCP192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1035 ➝ 98.124.243.47:80
Flows TCP192.168.1.1:1036 ➝ 104.24.17.64:80
Flows TCP192.168.1.1:1037 ➝ 67.212.232.207:80
Flows TCP192.168.1.1:1038 ➝ 46.20.7.163:80
Flows TCP192.168.1.1:1039 ➝ 69.172.201.208:80
Flows TCP192.168.1.1:1040 ➝ 184.168.221.96:80
Flows TCP192.168.1.1:1041 ➝ 69.172.201.208:80
Flows TCP192.168.1.1:1042 ➝ 50.63.202.15:80
Flows TCP192.168.1.1:1043 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1044 ➝ 50.62.236.1:80
Flows TCP192.168.1.1:1045 ➝ 207.148.248.143:80
Flows TCP192.168.1.1:1046 ➝ 206.188.192.251:80
Flows TCP192.168.1.1:1047 ➝ 199.83.132.178:80
Flows TCP192.168.1.1:1048 ➝ 184.168.221.104:80
Flows TCP192.168.1.1:1049 ➝ 212.48.86.202:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   65736972 656f7069 6e696f6e 2e6e6574   esireopinion.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657061 72657072 6f6d6973 652e6e65   reparepromise.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64657375 70706c79 2e6e6574   utsidesupply.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64656f66 66696365 2e6e6574   utsideoffice.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6773 7570706c 792e6e65   uildingsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e676f 66666963 652e6e65   uildingoffice.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 73757070 6c792e6e 65740d0a   toresupply.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72737570 706c792e 6e65740d   octorsupply.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 726f6666 6963652e 6e65740d   octoroffice.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74696c6c 73757070 6c792e6e 65740d0a   tillsupply.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6774 726f7562 6c652e6e   uildingtrouble.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657474 79737472 6f6e672e 6e65740d   rettystrong.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 6574726f 75626c65 2e6e6574   oubletrouble.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74696c6c 7374726f 6e672e6e 65740d0a   tillstrong.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e676d 61737465 722e6e65   uildingmaster.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 6d617374 65722e6e 65740d0a   toremaster.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 726d6173 7465722e 6e65740d   octormaster.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....


Strings