Analysis Date: 2013-08-14 08:19:11
MD5: 9f50d6877741400b755a15728730ff32
SHA1: 97c4566f948e078a15249a4335876c348850720e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: fae84b0b76b26d1043fab6cc26db949e sha1: 8226258381ee8b25c47f4663f38601b10d719151 size: 212992
Section: .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section: .rsrc md5: cacf0a388531289d61050cb880d5fc5e sha1: 473e6f28aad6ee979cc0dcbfbb532e42028493d5 size: 4096
Timestamp: 2010-04-03 03:16:57
Version (author-supplied resource strings):
LegalCopyright: Thanks for your interest
InternalName: CM
FileVersion: 1.00
CompanyName: none
Comments: Don't worry this is just Advertisement.
ProductName: KOG
ProductVersion: 1.00
FileDescription: Not Has any bad behavior "Click No or Cancel"
OriginalFilename: CM.exe
Packer: Microsoft Visual Basic 4.0
PEhash: 2c34a33ef9a8875148953a6432e2a21efd6fb3ee

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G8\KMFItemp\key ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G8\KMDest\I ➝
<None>
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G8\KMSEC\Value ➝
2D3A42554B1158393D574655
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KM_Path8 ➝
%SystemRoot%\system32\oobe\rule8\files\csrss.exe
Note: Policies\Explorer\Run is an autostart location, so this value makes the listed program run at logon; the Windows csrss.exe resides directly in %SystemRoot%\system32, not under oobe\rule8\files.
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun ➝
3486769
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G8\KMCounter\Value ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G8\KMIN\restart ➝
1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\K_O_G8\KMFIX\Tstadmn ➝
NULL
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\whatismyipaddress[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\whatismyipaddress[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\cmyip[1].htm
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\adversion8.blogspot[1].htm
Creates FileC:\WINDOWS\system32\oobe\page
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\adversion7.blogspot[1].htm
Creates FileC:\WINDOWS\system32\oobe\p1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\doniablog.wordpress[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\kogpage.blogspot[1].htm
Creates FileC:\WINDOWS\system32\oobe\nl.lnk
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip-adress[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip2location[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\ip-adress[1].htm
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DF1D01.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\cmyip[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\adversion7.blogspot[1].htm
Deletes FileC:\WINDOWS\system32\oobe\page
Deletes FileC:\WINDOWS\system32\oobe\p1
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\whatismyipaddress[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\doniablog.wordpress[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\kogpage.blogspot[1].htm
Deletes FileC:\WINDOWS\system32\oobe\nl.lnk
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\whatismyipaddress[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip-adress[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip2location[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\ip-adress[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\cmyip[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\adversion8.blogspot[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\cmyip[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: csrss.exe
Winsock DNS: www.yahoo.com
Winsock DNS: www.kogpage.blogspot.com
Winsock DNS: www.cmyip.com
Winsock DNS: adversion8.blogspot.com
Winsock DNS: adversion7.blogspot.com
Winsock DNS: doniablog.wordpress.com
Winsock DNS: www.ip-adress.com
Winsock DNS: www.ip2location.com
Winsock DNS: whatismyipaddress.com

Network Details:

DNSds-eu-fp3.wa1.b.yahoo.com
Type: A
87.248.112.181
DNSip2location.com
Type: A
174.129.0.77
DNSwww.ip-adress.com
Type: A
64.34.169.244
DNSwhatismyipaddress.com
Type: A
67.203.139.148
DNSwhatismyipaddress.com
Type: A
66.80.82.69
DNScmyip.com
Type: A
198.100.149.221
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.106
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.107
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.108
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.107
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.108
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.106
DNSlb.wordpress.com
Type: A
72.233.2.58
DNSlb.wordpress.com
Type: A
66.155.9.238
DNSlb.wordpress.com
Type: A
66.155.11.238
DNSlb.wordpress.com
Type: A
72.233.69.6
DNSlb.wordpress.com
Type: A
76.74.254.120
DNSlb.wordpress.com
Type: A
76.74.254.123
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.108
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.106
DNSblogspot.l.googleusercontent.com
Type: A
173.194.34.107
DNSwww.yahoo.com
Type: A
DNSwww.ip2location.com
Type: A
DNSwww.cmyip.com
Type: A
DNSadversion8.blogspot.com
Type: A
DNSadversion7.blogspot.com
Type: A
DNSdoniablog.wordpress.com
Type: A
DNSwww.kogpage.blogspot.com
Type: A
HTTP GEThttp://www.ip2location.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://www.ip-adress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://whatismyipaddress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://www.cmyip.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://adversion8.blogspot.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://adversion7.blogspot.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://doniablog.wordpress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://www.kogpage.blogspot.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://www.ip2location.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://www.ip-adress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://whatismyipaddress.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://www.cmyip.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP192.168.1.1:1031 ➝ 87.248.112.181:80
Flows TCP192.168.1.1:1033 ➝ 174.129.0.77:80
Flows TCP192.168.1.1:1034 ➝ 64.34.169.244:80
Flows TCP192.168.1.1:1035 ➝ 67.203.139.148:80
Flows TCP192.168.1.1:1036 ➝ 198.100.149.221:80
Flows TCP192.168.1.1:1037 ➝ 87.248.112.181:80
Flows TCP192.168.1.1:1038 ➝ 173.194.34.106:80
Flows TCP192.168.1.1:1039 ➝ 173.194.34.107:80
Flows TCP192.168.1.1:1040 ➝ 72.233.2.58:80
Flows TCP192.168.1.1:1041 ➝ 173.194.34.108:80
Flows TCP192.168.1.1:1042 ➝ 174.129.0.77:80
Flows TCP192.168.1.1:1043 ➝ 64.34.169.244:80
Flows TCP192.168.1.1:1044 ➝ 67.203.139.148:80
Flows TCP192.168.1.1:1045 ➝ 198.100.149.221:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   6970326c 6f636174 696f6e2e 636f6d0d   ip2location.com.
0x000000b0 (00176)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000c0 (00192)   702d416c 6976650d 0a0d0a              p-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   69702d61 64726573 732e636f 6d0d0a43   ip-adress.com..C
0x000000b0 (00176)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000c0 (00192)   416c6976 650d0a0d 0a0d0a              Alive......

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 77686174   727)..Host: what
0x000000a0 (00160)   69736d79 69706164 64726573 732e636f   ismyipaddress.co
0x000000b0 (00176)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x000000c0 (00192)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   636d7969 702e636f 6d0d0a43 6f6e6e65   cmyip.com..Conne
0x000000b0 (00176)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000c0 (00192)   650d0a0d 0a6c6976 650d0a0d 0a         e....live....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 61647665   727)..Host: adve
0x000000a0 (00160)   7273696f 6e382e62 6c6f6773 706f742e   rsion8.blogspot.
0x000000b0 (00176)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000c0 (00192)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 61647665   727)..Host: adve
0x000000a0 (00160)   7273696f 6e372e62 6c6f6773 706f742e   rsion7.blogspot.
0x000000b0 (00176)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000c0 (00192)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 646f6e69   727)..Host: doni
0x000000a0 (00160)   61626c6f 672e776f 72647072 6573732e   ablog.wordpress.
0x000000b0 (00176)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000c0 (00192)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   6b6f6770 6167652e 626c6f67 73706f74   kogpage.blogspot
0x000000b0 (00176)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   6970326c 6f636174 696f6e2e 636f6d0d   ip2location.com.
0x000000b0 (00176)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000c0 (00192)   702d416c 6976650d 0a0d0a65 0d0a0d0a   p-Alive....e....
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   69702d61 64726573 732e636f 6d0d0a43   ip-adress.com..C
0x000000b0 (00176)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000c0 (00192)   416c6976 650d0a0d 0a0d0a65 0d0a0d0a   Alive......e....
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 77686174   727)..Host: what
0x000000a0 (00160)   69736d79 69706164 64726573 732e636f   ismyipaddress.co
0x000000b0 (00176)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x000000c0 (00192)   6565702d 416c6976 650d0a0d 0a0a0d0a   eep-Alive.......
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000030 (00048)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000040 (00064)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000050 (00080)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000060 (00096)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000070 (00112)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000080 (00128)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000090 (00144)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000a0 (00160)   636d7969 702e636f 6d0d0a43 6f6e6e65   cmyip.com..Conne
0x000000b0 (00176)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000c0 (00192)   650d0a0d 0a6c6976 650d0a0d 0a0a0d0a   e....live.......
0x000000d0 (00208)                                         


Strings