Analysis Date: 2013-09-01 06:41:19
MD5: add09d372e77b744fca7ac3d06942ff3
SHA1: b3bad5dd45dbb23f31d3a9f043ad01ebf968909c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 1298a87aa1f55f95cddbc89e36f485d8 sha1: 2eb501fa7be64d7da3144ec83d2dc0c866b1627d size: 725504
Section: .rdata md5: 8c4c9c9cb4feb222b9e94b396f8c1dc8 sha1: 3ca6ddc1b03a2d6babee82f304d5eb817ae16abe size: 34304
Section: .data md5: f78a961a7d342185335eeaa0cee5ef6e sha1: 8d15efd8a3dacb85e370430d88ffefda3d515881 size: 123392
Timestamp: 2013-05-27 15:31:25
Packer: Microsoft Visual C++ ?.?
PEhash: 5b7df63ada2459656632e06c8be2304533d66a76

Runtime Details:


Process
↳ C:\malware.exe

Creates FileC:\WINDOWS\system32\yqkrogdricduid\tst
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\k5ejqkz1ntnegrfekdy.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\k5ejqkz1ntnegrfekdy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\k5ejqkz1ntnegrfekdy.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Alerts Play Secure ➝
C:\WINDOWS\system32\dtrwdow.exe
Creates FileC:\WINDOWS\system32\yqkrogdricduid\tst
Creates FileC:\WINDOWS\system32\dtrwdow.exe
Creates FileC:\WINDOWS\system32\yqkrogdricduid\etc
Creates FileC:\WINDOWS\system32\yqkrogdricduid\lck
Creates ProcessC:\WINDOWS\system32\dtrwdow.exe
Creates ServiceHost PnP-X Management Profile - C:\WINDOWS\system32\dtrwdow.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ Pid 1060

Process
↳ C:\WINDOWS\system32\dtrwdow.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\system32\yqkrogdricduid\tst
Creates FileC:\WINDOWS\system32\yqkrogdricduid\run
Creates FileC:\WINDOWS\system32\wsjpxjiw.exe
Creates FileC:\WINDOWS\system32\yqkrogdricduid\lck
Creates FileC:\WINDOWS\system32\yqkrogdricduid\cfg
Creates FileC:\WINDOWS\TEMP\k5ejqkz1z6xeg.exe
Creates Filepipe\net\NtControlPipe10
Creates FileC:\WINDOWS\system32\yqkrogdricduid\rng
Creates File\Device\Afd\Endpoint
Creates ProcessC:\WINDOWS\TEMP\k5ejqkz1z6xeg.exe -r 29352 tcp
Creates ProcessWATCHDOGPROC "c:\windows\system32\dtrwdow.exe"

Process
↳ C:\WINDOWS\system32\dtrwdow.exe

Creates FileC:\WINDOWS\system32\yqkrogdricduid\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\dtrwdow.exe"

Creates FileC:\WINDOWS\system32\yqkrogdricduid\tst

Process
↳ C:\WINDOWS\TEMP\k5ejqkz1z6xeg.exe -r 29352 tcp

Creates File\Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

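Network Details (addresses are as resolved on the analysis date; DNS entries listed with no address show no A answer in this run):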

DNSelementarimagine.com
Type: A
216.239.140.29
DNSthemorrefk.com
Type: A
216.55.149.9
DNSjumpgray.net
Type: A
98.139.135.21
DNSjumpgray.net
Type: A
98.139.135.22
DNSsightguide.net
Type: A
95.143.172.148
DNScaseguide.net
Type: A
190.93.246.20
DNScaseguide.net
Type: A
141.101.114.20
DNScaseguide.net
Type: A
141.101.115.20
DNScaseguide.net
Type: A
190.93.244.20
DNScaseguide.net
Type: A
190.93.245.20
DNSquickname.net
Type: A
64.95.64.190
DNSquickguide.net
Type: A
64.95.64.162
DNSdarkhalf.net
Type: A
173.236.166.37
DNScloudname.net
Type: A
84.49.232.107
DNScloudguide.net
Type: A
216.8.179.30
DNSmilkfish.net
Type: A
98.14.236.145
DNSwithwing.net
Type: A
36.3.112.226
DNSsightfish.net
Type: A
205.178.145.123
DNSheadwing.net
Type: A
199.34.228.100
DNSquickwing.net
Type: A
184.168.221.96
DNSquickfish.net
Type: A
124.126.173.204
DNSmojoguia.com
Type: A
DNSpengthecon.com
Type: A
DNStablewash.net
Type: A
DNSsalthave.net
Type: A
DNSyourenjoy.net
Type: A
DNSlookloss.net
Type: A
DNSsouthabout.net
Type: A
DNSliarshot.net
Type: A
DNSableeach.net
Type: A
DNSmovegray.net
Type: A
DNSsightname.net
Type: A
DNStheseguide.net
Type: A
DNStheselate.net
Type: A
DNSsightlate.net
Type: A
DNScasehalf.net
Type: A
DNSheadhalf.net
Type: A
DNScasename.net
Type: A
DNSheadname.net
Type: A
DNSheadguide.net
Type: A
DNScaselate.net
Type: A
DNSheadlate.net
Type: A
DNSquickhalf.net
Type: A
DNSthenhalf.net
Type: A
DNSthenname.net
Type: A
DNSthenguide.net
Type: A
DNSquicklate.net
Type: A
DNSthenlate.net
Type: A
DNSsundayhalf.net
Type: A
DNSmosthalf.net
Type: A
DNSsundayname.net
Type: A
DNSmostname.net
Type: A
DNSsundayguide.net
Type: A
DNSmostguide.net
Type: A
DNSsundaylate.net
Type: A
DNSmostlate.net
Type: A
DNSmeathalf.net
Type: A
DNSsickhalf.net
Type: A
DNSmeatname.net
Type: A
DNSsickname.net
Type: A
DNSmeatguide.net
Type: A
DNSsickguide.net
Type: A
DNSmeatlate.net
Type: A
DNSsicklate.net
Type: A
DNScloudhalf.net
Type: A
DNSdarkname.net
Type: A
DNSdarkguide.net
Type: A
DNScloudlate.net
Type: A
DNSdarklate.net
Type: A
DNSmilkwing.net
Type: A
DNStriedwing.net
Type: A
DNSmilkpast.net
Type: A
DNStriedpast.net
Type: A
DNSmilklady.net
Type: A
DNStriedlady.net
Type: A
DNStriedfish.net
Type: A
DNSdutywing.net
Type: A
DNSwithpast.net
Type: A
DNSdutypast.net
Type: A
DNSwithlady.net
Type: A
DNSdutylady.net
Type: A
DNSwithfish.net
Type: A
DNSdutyfish.net
Type: A
DNSthesewing.net
Type: A
DNSsightwing.net
Type: A
DNSthesepast.net
Type: A
DNSsightpast.net
Type: A
DNStheselady.net
Type: A
DNSsightlady.net
Type: A
DNSthesefish.net
Type: A
DNScasewing.net
Type: A
DNScasepast.net
Type: A
DNSheadpast.net
Type: A
DNScaselady.net
Type: A
DNSheadlady.net
Type: A
DNScasefish.net
Type: A
DNSheadfish.net
Type: A
DNSthenwing.net
Type: A
DNSquickpast.net
Type: A
DNSthenpast.net
Type: A
DNSquicklady.net
Type: A
DNSthenlady.net
Type: A
DNSthenfish.net
Type: A
HTTP GEThttp://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://themorrefk.com/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://jumpgray.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://sightguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://caseguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickname.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://darkhalf.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://cloudname.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://cloudguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://milkfish.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://withwing.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://sightfish.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://headwing.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickwing.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickfish.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://elementarimagine.com/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://themorrefk.com/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://jumpgray.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://sightguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://caseguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickname.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://darkhalf.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://cloudname.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://cloudguide.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://milkfish.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://withwing.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://sightfish.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://headwing.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickwing.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
HTTP GEThttp://quickfish.net/forum/search.php?method=validate&mode=sox&v=007&sox=2da92c00
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.239.140.29:80
Flows TCP192.168.1.1:1032 ➝ 216.55.149.9:80
Flows TCP192.168.1.1:1035 ➝ 98.139.135.21:80
Flows TCP192.168.1.1:1039 ➝ 95.143.172.148:80
Flows TCP192.168.1.1:1040 ➝ 190.93.246.20:80
Flows TCP192.168.1.1:1041 ➝ 64.95.64.190:80
Flows TCP192.168.1.1:1042 ➝ 64.95.64.162:80
Flows TCP192.168.1.1:1044 ➝ 173.236.166.37:80
Flows TCP192.168.1.1:1045 ➝ 84.49.232.107:80
Flows TCP192.168.1.1:1046 ➝ 216.8.179.30:80
Flows TCP192.168.1.1:1047 ➝ 98.14.236.145:80
Flows TCP192.168.1.1:1048 ➝ 36.3.112.226:80
Flows TCP192.168.1.1:1049 ➝ 205.178.145.123:80
Flows TCP192.168.1.1:1050 ➝ 199.34.228.100:80
Flows TCP192.168.1.1:1051 ➝ 184.168.221.96:80
Flows TCP192.168.1.1:1052 ➝ 124.126.173.204:80
Flows TCP192.168.1.1:1053 ➝ 216.239.140.29:80
Flows TCP192.168.1.1:1054 ➝ 216.55.149.9:80
Flows TCP192.168.1.1:1055 ➝ 98.139.135.21:80
Flows TCP192.168.1.1:1056 ➝ 95.143.172.148:80
Flows TCP192.168.1.1:1057 ➝ 190.93.246.20:80
Flows TCP192.168.1.1:1058 ➝ 64.95.64.190:80
Flows TCP192.168.1.1:1059 ➝ 64.95.64.162:80
Flows TCP192.168.1.1:1060 ➝ 173.236.166.37:80
Flows TCP192.168.1.1:1061 ➝ 84.49.232.107:80
Flows TCP192.168.1.1:1062 ➝ 216.8.179.30:80
Flows TCP192.168.1.1:1063 ➝ 98.14.236.145:80
Flows TCP192.168.1.1:1064 ➝ 36.3.112.226:80
Flows TCP192.168.1.1:1065 ➝ 205.178.145.123:80
Flows TCP192.168.1.1:1066 ➝ 199.34.228.100:80
Flows TCP192.168.1.1:1067 ➝ 184.168.221.96:80
Flows TCP192.168.1.1:1068 ➝ 124.126.173.204:80

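Raw Pcap (each request ends at its first CRLF CRLF; in most dumps the bytes printed after it, e.g. the trailing `om....` matching the tail of the first request, appear to be leftover buffer contents rather than request data, so exclude them when building signatures from this traffic)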
0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20656c 656d656e 74617269 6d616769   : elementarimagi
0x00000080 (00128)   6e652e63 6f6d0d0a 0d0a                ne.com....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 656d6f72 7265666b 2e636f6d   : themorrefk.com
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206a75 6d706772 61792e6e 65740d0a   : jumpgray.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207369 67687467 75696465 2e6e6574   : sightguide.net
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 73656775 6964652e 6e65740d   : caseguide.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b6e 616d652e 6e65740d   : quickname.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b67 75696465 2e6e6574   : quickguide.net
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206461 726b6861 6c662e6e 65740d0a   : darkhalf.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20636c 6f75646e 616d652e 6e65740d   : cloudname.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20636c 6f756467 75696465 2e6e6574   : cloudguide.net
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206d69 6c6b6669 73682e6e 65740d0a   : milkfish.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207769 74687769 6e672e6e 65740d0a   : withwing.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207369 67687466 6973682e 6e65740d   : sightfish.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206865 61647769 6e672e6e 65740d0a   : headwing.net..
0x00000080 (00128)   0d0a0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b77 696e672e 6e65740d   : quickwing.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b66 6973682e 6e65740d   : quickfish.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20656c 656d656e 74617269 6d616769   : elementarimagi
0x00000080 (00128)   6e652e63 6f6d0d0a 0d0ab501            ne.com......

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207468 656d6f72 7265666b 2e636f6d   : themorrefk.com
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0ab501            ....om......

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206a75 6d706772 61792e6e 65740d0a   : jumpgray.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0ab501            ....om......

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207369 67687467 75696465 2e6e6574   : sightguide.net
0x00000080 (00128)   0d0a0d0a 6f6d0d0a 0d0ab501            ....om......

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 73656775 6964652e 6e65740d   : caseguide.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a 0d0ab501            ....om......

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b6e 616d652e 6e65740d   : quickname.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b67 75696465 2e6e6574   : quickguide.net
0x00000080 (00128)   0d0a0d0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206461 726b6861 6c662e6e 65740d0a   : darkhalf.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20636c 6f75646e 616d652e 6e65740d   : cloudname.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20636c 6f756467 75696465 2e6e6574   : cloudguide.net
0x00000080 (00128)   0d0a0d0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206d69 6c6b6669 73682e6e 65740d0a   : milkfish.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207769 74687769 6e672e6e 65740d0a   : withwing.net..
0x00000080 (00128)   0d0a0d0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207369 67687466 6973682e 6e65740d   : sightfish.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206865 61647769 6e672e6e 65740d0a   : headwing.net..
0x00000080 (00128)   0d0a0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b77 696e672e 6e65740d   : quickwing.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303037 26736f78 3d326461 39326330   =007&sox=2da92c0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207175 69636b66 6973682e 6e65740d   : quickfish.net.
0x00000080 (00128)   0a0d0a0a 6f6d0d0a a03ab501            ....om...:..


Strings