Analysis Date2015-08-10 23:59:37
MD5a69a159cdc5608dc966c33b522bb50c4
SHA1f6d65b6c4eb3b96345319ebcc354790c0f2c3b22

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 26289970a94a79b92734ef35fef89310 sha1: d131ec66c3d4778d16f0741954a98f3a948eaa0a size: 734720
Section.rdata md5: fb51f0598c973a4ce57880ee4bcf7b25 sha1: 0a1410b5a85df243448446e34f8145615283f69e size: 32256
Section.data md5: 62e3b813f1b20fc48174d02d57d295d0 sha1: 0498fdba3b8195d827bd0edc0d08d3d61023c434 size: 123392
Timestamp2014-02-12 00:16:28
PackerMicrosoft Visual C++ ?.?
PEhash70ef67f42405bba765362a38b9c49fb8e3fcf4ce
IMPhash63450de88e4888b87dffe0f49f87d361
AVRisingno_virus
AVCA (E-Trust Ino)no_virus
AVF-SecureGen:Variant.Symmi.22722
AVDr. Webno_virus
AVClamAVno_virus
AVArcabit (arcavir)Gen:Variant.Symmi.22722
AVBullGuardGen:Variant.Symmi.22722
AVPadvishno_virus
AVVirusBlokAda (vba32)no_virus
AVCAT (quickheal)no_virus
AVTrend MicroTSPY_NIVDORT.SM
AVKasperskyTrojan.Win32.Generic
AVZillya!no_virus
AVEmsisoftGen:Variant.Symmi.22722
AVIkarusTrojan.Win32.Spy
AVFrisk (f-prot)no_virus
AVAuthentiumW32/Symmi.AH.gen!Eldorado
AVMalwareBytesno_virus
AVMicroWorld (escan)Gen:Variant.Symmi.22722
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.Y
AVK7Trojan ( 0049a7ec1 )
AVBitDefenderGen:Variant.Symmi.22722
AVFortinetW32/Kryptik.BCFJ!tr
AVSymantecno_virus
AVGrisoft (avg)Win32/Cryptor
AVEset (nod32)Win32/Kryptik.CCLE
AVAlwil (avast)Kryptik-OCE [Trj]
AVAd-AwareGen:Variant.Symmi.22722
AVTwisterTrojan.558BEC@24000C1@2F.mg
AVAvira (antivir)BDS/Zegost.Gen4
AVMcafeeRDN/Generic PWS.y

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\ssezgyw1lugxnxav8rd.exe
Creates FileC:\WINDOWS\system32\hocjzksprbu\tst
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\ssezgyw1lugxnxav8rd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ssezgyw1lugxnxav8rd.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Hardware Interactive Collector User-mode ➝
C:\WINDOWS\system32\qoclkockean.exe
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\WINDOWS\system32\qoclkockean.exe
Creates FileC:\WINDOWS\system32\hocjzksprbu\lck
Creates FileC:\WINDOWS\system32\hocjzksprbu\etc
Creates FileC:\WINDOWS\system32\hocjzksprbu\tst
Deletes FileC:\WINDOWS\system32\\drivers\etc\hosts
Creates ProcessC:\WINDOWS\system32\qoclkockean.exe
Creates ServiceAccess Gateway Netlogon Framework SSDP - C:\WINDOWS\system32\qoclkockean.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates FileWMIDataDevice

Process
↳ Pid 1168

Process
↳ C:\WINDOWS\system32\qoclkockean.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\system32\hocjzksprbu\lck
Creates FileC:\WINDOWS\TEMP\ssezgyw1s77xn.exe
Creates FileC:\WINDOWS\system32\dyfvywsjmdfh.exe
Creates FileC:\WINDOWS\system32\hocjzksprbu\run
Creates FileC:\WINDOWS\system32\hocjzksprbu\rng
Creates Filepipe\net\NtControlPipe10
Creates FileC:\WINDOWS\system32\hocjzksprbu\tst
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\system32\hocjzksprbu\cfg
Creates ProcessC:\WINDOWS\TEMP\ssezgyw1s77xn.exe -r 28354 tcp
Creates ProcessWATCHDOGPROC "c:\windows\system32\qoclkockean.exe"

Process
↳ C:\WINDOWS\system32\qoclkockean.exe

Creates FileC:\WINDOWS\system32\hocjzksprbu\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\qoclkockean.exe"

Creates FileC:\WINDOWS\system32\hocjzksprbu\tst

Process
↳ C:\WINDOWS\TEMP\ssezgyw1s77xn.exe -r 28354 tcp

Creates File\Device\Afd\Endpoint
Winsock DNS239.255.255.250

Network Details:

DNStablefruit.net
Type: A
69.195.129.70
DNSstickmarch.net
Type: A
69.195.129.70
DNSfiftystate.net
Type: A
184.168.221.96
DNSsorrynews.net
Type: A
74.208.86.74
DNSwestmark.net
Type: A
50.63.202.104
DNSfearnews.net
Type: A
184.168.221.96
DNSwestnews.net
Type: A
66.151.181.49
DNSleadnews.net
Type: A
184.168.221.27
DNScallstate.net
Type: A
195.22.26.253
DNScallstate.net
Type: A
195.22.26.254
DNScallstate.net
Type: A
195.22.26.231
DNScallstate.net
Type: A
195.22.26.252
DNScallbroke.net
Type: A
95.211.230.75
DNSpointmark.net
Type: A
98.124.253.216
DNScallmark.net
Type: A
97.74.42.79
DNSpointnews.net
Type: A
85.25.138.44
DNScallnews.net
Type: A
216.55.149.9
DNSwellmark.net
Type: A
218.85.139.71
DNSwellnews.net
Type: A
198.72.112.7
DNSringmark.net
Type: A
104.28.4.24
DNSringmark.net
Type: A
104.28.5.24
DNSdonaven4guia.com
Type: A
DNSfredesecas.com
Type: A
DNSlaloponea.com
Type: A
DNSdavedekilai.com
Type: A
DNSnoseteach.net
Type: A
DNSwellgrave.net
Type: A
DNSnosegrave.net
Type: A
DNSringusual.net
Type: A
DNSfavorusual.net
Type: A
DNSringcould.net
Type: A
DNSfavorcould.net
Type: A
DNSringteach.net
Type: A
DNSfavorteach.net
Type: A
DNSringgrave.net
Type: A
DNSfavorgrave.net
Type: A
DNSsorrystate.net
Type: A
DNSsorrybroke.net
Type: A
DNSfiftybroke.net
Type: A
DNSsorrymark.net
Type: A
DNSfiftymark.net
Type: A
DNSfiftynews.net
Type: A
DNStheirstate.net
Type: A
DNSlikrstate.net
Type: A
DNStheirbroke.net
Type: A
DNSlikrbroke.net
Type: A
DNStheirmark.net
Type: A
DNSlikrmark.net
Type: A
DNStheirnews.net
Type: A
DNSlikrnews.net
Type: A
DNSfearstate.net
Type: A
DNSweststate.net
Type: A
DNSfearbroke.net
Type: A
DNSwestbroke.net
Type: A
DNSfearmark.net
Type: A
DNStablestate.net
Type: A
DNSleadstate.net
Type: A
DNStablebroke.net
Type: A
DNSleadbroke.net
Type: A
DNStablemark.net
Type: A
DNSleadmark.net
Type: A
DNStablenews.net
Type: A
DNSpointstate.net
Type: A
DNSpointbroke.net
Type: A
DNSnonestate.net
Type: A
DNSliarstate.net
Type: A
DNSnonebroke.net
Type: A
DNSliarbroke.net
Type: A
DNSnonemark.net
Type: A
DNSliarmark.net
Type: A
DNSnonenews.net
Type: A
DNSliarnews.net
Type: A
DNSwellstate.net
Type: A
DNSnosestate.net
Type: A
DNSwellbroke.net
Type: A
DNSnosebroke.net
Type: A
DNSnosemark.net
Type: A
DNSnosenews.net
Type: A
DNSringstate.net
Type: A
DNSfavorstate.net
Type: A
DNSringbroke.net
Type: A
DNSfavorbroke.net
Type: A
DNSfavormark.net
Type: A
DNSringnews.net
Type: A
DNSfavornews.net
Type: A
DNSsorrythan.net
Type: A
DNSfiftythan.net
Type: A
DNSsorryread.net
Type: A
DNSfiftyread.net
Type: A
DNSsorrymile.net
Type: A
DNSfiftymile.net
Type: A
DNSsorryking.net
Type: A
DNSfiftyking.net
Type: A
DNStheirthan.net
Type: A
DNSlikrthan.net
Type: A
HTTP GEThttp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://stickmarch.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://fiftystate.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://sorrynews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://westmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://fearnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://westnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://leadnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callstate.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callbroke.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://pointmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://pointnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://wellmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://wellnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://ringmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://stickmarch.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://fiftystate.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://sorrynews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://westmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://fearnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://westnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://leadnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callstate.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callbroke.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://pointmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://pointnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://callnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://wellmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://wellnews.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
HTTP GEThttp://ringmark.net/forum/search.php?method=validate&mode=sox&v=022&sox=3bab4a00
User-Agent:
Flows TCP192.168.1.1:1036 ➝ 69.195.129.70:80
Flows TCP192.168.1.1:1037 ➝ 69.195.129.70:80
Flows TCP192.168.1.1:1057 ➝ 194.106.166.22:443
Flows TCP192.168.1.1:1038 ➝ 184.168.221.96:80
Flows TCP192.168.1.1:1039 ➝ 74.208.86.74:80
Flows TCP192.168.1.1:1041 ➝ 50.63.202.104:80
Flows TCP192.168.1.1:1042 ➝ 184.168.221.96:80
Flows TCP192.168.1.1:1043 ➝ 66.151.181.49:80
Flows TCP192.168.1.1:1044 ➝ 184.168.221.27:80
Flows TCP192.168.1.1:1045 ➝ 195.22.26.253:80
Flows TCP192.168.1.1:1046 ➝ 95.211.230.75:80
Flows TCP192.168.1.1:1047 ➝ 98.124.253.216:80
Flows TCP192.168.1.1:1048 ➝ 97.74.42.79:80
Flows TCP192.168.1.1:1049 ➝ 85.25.138.44:80
Flows TCP192.168.1.1:1050 ➝ 216.55.149.9:80
Flows TCP192.168.1.1:1051 ➝ 218.85.139.71:80
Flows TCP192.168.1.1:1052 ➝ 198.72.112.7:80
Flows TCP192.168.1.1:1053 ➝ 104.28.4.24:80
Flows TCP192.168.1.1:1054 ➝ 69.195.129.70:80
Flows TCP192.168.1.1:1055 ➝ 69.195.129.70:80
Flows TCP192.168.1.1:1056 ➝ 184.168.221.96:80
Flows TCP192.168.1.1:1057 ➝ 74.208.86.74:80
Flows TCP192.168.1.1:1058 ➝ 50.63.202.104:80
Flows TCP192.168.1.1:1059 ➝ 184.168.221.96:80
Flows TCP192.168.1.1:1060 ➝ 66.151.181.49:80
Flows TCP192.168.1.1:1061 ➝ 184.168.221.27:80
Flows TCP192.168.1.1:1062 ➝ 195.22.26.253:80
Flows TCP192.168.1.1:1063 ➝ 95.211.230.75:80
Flows TCP192.168.1.1:1064 ➝ 98.124.253.216:80
Flows TCP192.168.1.1:1065 ➝ 97.74.42.79:80
Flows TCP192.168.1.1:1066 ➝ 85.25.138.44:80
Flows TCP192.168.1.1:1067 ➝ 216.55.149.9:80
Flows TCP192.168.1.1:1068 ➝ 218.85.139.71:80
Flows TCP192.168.1.1:1069 ➝ 198.72.112.7:80
Flows TCP192.168.1.1:1070 ➝ 104.28.4.24:80

Raw Pcap
0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207461 626c6566 72756974 2e6e6574   : tablefruit.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207374 69636b6d 61726368 2e6e6574   : stickmarch.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206669 66747973 74617465 2e6e6574   : fiftystate.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20736f 7272796e 6577732e 6e65740d   : sorrynews.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 73746d61 726b2e6e 65740d0a   : westmark.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206665 61726e65 77732e6e 65740d0a   : fearnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 73746e65 77732e6e 65740d0a   : westnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c65 61646e65 77732e6e 65740d0a   : leadnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c7374 6174652e 6e65740d   : callstate.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c6272 6f6b652e 6e65740d   : callbroke.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20706f 696e746d 61726b2e 6e65740d   : pointmark.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c6d61 726b2e6e 65740d0a   : callmark.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20706f 696e746e 6577732e 6e65740d   : pointnews.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c6e65 77732e6e 65740d0a   : callnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 6c6c6d61 726b2e6e 65740d0a   : wellmark.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 6c6c6e65 77732e6e 65740d0a   : wellnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207269 6e676d61 726b2e6e 65740d0a   : ringmark.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207461 626c6566 72756974 2e6e6574   : tablefruit.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207374 69636b6d 61726368 2e6e6574   : stickmarch.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206669 66747973 74617465 2e6e6574   : fiftystate.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20736f 7272796e 6577732e 6e65740d   : sorrynews.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 73746d61 726b2e6e 65740d0a   : westmark.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206665 61726e65 77732e6e 65740d0a   : fearnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 73746e65 77732e6e 65740d0a   : westnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c65 61646e65 77732e6e 65740d0a   : leadnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c7374 6174652e 6e65740d   : callstate.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c6272 6f6b652e 6e65740d   : callbroke.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20706f 696e746d 61726b2e 6e65740d   : pointmark.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c6d61 726b2e6e 65740d0a   : callmark.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20706f 696e746e 6577732e 6e65740d   : pointnews.net.
0x00000080 (00128)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206361 6c6c6e65 77732e6e 65740d0a   : callnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 6c6c6d61 726b2e6e 65740d0a   : wellmark.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207765 6c6c6e65 77732e6e 65740d0a   : wellnews.net..
0x00000080 (00128)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f666f72 756d2f73 65617263   GET /forum/searc
0x00000010 (00016)   682e7068 703f6d65 74686f64 3d76616c   h.php?method=val
0x00000020 (00032)   69646174 65266d6f 64653d73 6f782676   idate&mode=sox&v
0x00000030 (00048)   3d303232 26736f78 3d336261 62346130   =022&sox=3bab4a0
0x00000040 (00064)   30204854 54502f31 2e300d0a 41636365   0 HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207269 6e676d61 726b2e6e 65740d0a   : ringmark.net..
0x00000080 (00128)   0d0a0a0a                              ....


Strings