Gen.Variant.Adware.Symmi.50568_41ab28e172 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

41ab28e17243693:1380

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process 41ab28e17243693:1380 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts.ics (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DMCABadgeHelper.min[1].js (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dmca_protected_sml_120l[1].png (2 bytes)
%System%\drivers\etc\hosts (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\anti[1].txt (747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ajax-loader[1].gif (3966 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\11[1].png (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\VINACF[1].HTML (1260 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

Registry activity

The process 41ab28e17243693:1380 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 EF 27 19 B9 17 48 B7 81 78 8B A3 9A EE BE A5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://bit.ly/1MBMSIF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp1res.dll,-11003" = "Launch Internet Explorer Browser"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 3796 bytes in size. The following strings are added to the hosts file listed below:

81.19.186.195	congdonggame.net
81.19.186.195	congdonggame.com
81.19.186.195	congdonggame.org
81.19.186.195	autogame.biz
81.19.186.195	thuthuatgame.com
81.19.186.195	likecf.com
81.19.186.195	skinlienminh.com
81.19.186.195	lolvietnam.com
81.19.186.195	giangho.net
81.19.186.195	lienminhvietnam.net
81.19.186.195	langphim.com
81.19.186.195	truyenhay.com
81.19.186.195	www.congdonggame.net
81.19.186.195	www.congdonggame.com
81.19.186.195	www.congdonggame.org
81.19.186.195	www.autogame.biz
81.19.186.195	www.thuthuatgame.com
81.19.186.195	www.likecf.com
81.19.186.195	www.skinlienminh.com
81.19.186.195	www.lolvietnam.com
81.19.186.195	www.giangho.net
81.19.186.195	www.lienminhvietnam.net
81.19.186.195	www.langphim.com
81.19.186.195	www.truyenhay.com
81.19.186.195	auto.congdonggame.net
81.19.186.195	auto.congdonggame.com
81.19.186.195	auto.congdonggame.org
81.19.186.195	auto.giangho.net
81.19.186.195	www.chuyengame.com
81.19.186.195	chuyengame.com
81.19.186.195	downloadmodskinlol.blogspot.com
81.19.186.195	www.gamelienminh.com
81.19.186.195	gamelienminh.com
81.19.186.195	www.guidegame.vn
81.19.186.195	guidegame.vn
81.19.186.195	hacklienminh2013-garena.blogspot.com
81.19.186.195	www.hoigame.net
81.19.186.195	hoigame.net
81.19.186.195	www.lolvietnam.com
81.19.186.195	lolvietnam.com
81.19.186.195	www.mapskins.com
81.19.186.195	mapskins.com
81.19.186.195	www.modlienminh.com
81.19.186.195	modlienminh.com
81.19.186.195	www.modlmht.com
81.19.186.195	modlmht.com
81.19.186.195	modskinlienminh.blogspot.com
81.19.186.195	www.modskinlienminh.com
81.19.186.195	modskinlienminh.com
81.19.186.195	www.modskinlm.com
81.19.186.195	modskinlm.com
81.19.186.195	www.modskinlm.ga
81.19.186.195	modskinlm.ga
81.19.186.195	www.modskinlmht.com
81.19.186.195	modskinlmht.com
81.19.186.195	www.modskinlmht.org
81.19.186.195	modskinlmht.org
81.19.186.195	www.modskinlol.com
81.19.186.195	modskinlol.com
81.19.186.195	www.modskinlol.net
81.19.186.195	modskinlol.net
81.19.186.195	www.modskinlol.info
81.19.186.195	modskinlol.info
81.19.186.195	www.modskinlol.org
81.19.186.195	modskinlol.org
81.19.186.195	www.modskinlol.wevina.vn
81.19.186.195	modskinlol.wevina.vn
81.19.186.195	www.modskinlol2015.com
81.19.186.195	modskinlol2015.com
81.19.186.195	www.modskinvn.com
81.19.186.195	modskinvn.com
81.19.186.195	modslienminh.blogspot.com
81.19.186.195	modslol.over-blog.com
81.19.186.195	www.modslol.tk
81.19.186.195	modslol.tk
81.19.186.195	www.modskinlol.tk
81.19.186.195	modskinlol.tk
81.19.186.195	www.skinslol.com
81.19.186.195	skinslol.com
81.19.186.195	tailienminhhuyenthoai.blogspot.com
81.19.186.195	www.taiskinlol.com
81.19.186.195	taiskinlol.com
81.19.186.195	www.thanhmaiblog.com
81.19.186.195	thanhmaiblog.com
81.19.186.195	www.modskinslol.vn
81.19.186.195	modskinslol.vn
81.19.186.195	www.modskinfiles.com
81.19.186.195	modskinfiles.com
81.19.186.195	modlol2015.blogspot.com
81.19.186.195	www.hacktrangphuc.com
81.19.186.195	hacktrangphuc.com
81.19.186.195	lol.congdonggame.net
81.19.186.195	plus.autogame.biz
81.19.186.195	autogame.biz
81.19.186.195	www.autogame.biz
81.19.186.195	kichhoatgame.googlecode.com
81.19.186.195	tinhyeulagithe.googlecode.com
81.19.186.195	fo3vnss.googlecode.com
81.19.186.195	hack-game.net
81.19.186.195	www.hack-game.net
81.19.186.195	www.truykich.org
81.19.186.195	truykich.org
81.19.186.195	lol.congdonggame.biz
81.19.186.195	congdonggame.biz
81.19.186.195	plus.congdonggame.net
81.19.186.195	giangho.info
81.19.186.195	www.giangho.info
81.19.186.195	file.darkcoder.org
81.19.186.195	darkcoder.org
81.19.186.195	hackcsovn.com
81.19.186.195	www.hackcsovn.com
81.19.186.195	www.gamesupport.vn
81.19.186.195	gamesupport.vn

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\etc\hosts.ics (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DMCABadgeHelper.min[1].js (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dmca_protected_sml_120l[1].png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\anti[1].txt (747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ajax-loader[1].gif (3966 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\11[1].png (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\VINACF[1].HTML (1260 bytes)
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: MS
Product Name: Project1
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: VINACFPRO.EXE
Internal Name: VINACFPRO
File Version: 1.00
File Description:
Comments:
Language: English (United States)

Company Name: MSProduct Name: Project1Product Version: 1.00Legal Copyright: Legal Trademarks: Original Filename: VINACFPRO.EXEInternal Name: VINACFPROFile Version: 1.00File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1671168	265728	5.54462	7f8d52290e4cd59b18d20a675e3d5477
.rsrc	1675264	12288	8704	4.82712	279a10b1f2d640ee28b92157c8d9f82d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://119.81.52.54/wp-includes/js/wp-emoji-release.min.js
hxxp://googleadapis.l.google.com/css?family=Droid Sans:regular,700
hxxp://119.81.52.54/wp-content/themes/sahifa/style.css
hxxp://119.81.52.54/wp-content/themes/sahifa/css/ilightbox/dark-skin/skin.css
hxxp://119.81.52.54/wp-includes/js/jquery/jquery.js
hxxp://119.81.52.54/wp-content/themes/sahifa/fonts/BebasNeue/BebasNeue-webfont.eot?
hxxp://119.81.52.54/wp-content/themes/sahifa/fonts/fontawesome/fontawesome-webfont.eot?
hxxp://gstaticadssl.l.google.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM.eot
hxxp://119.81.52.54/wp-content/themes/sahifa/fonts/tiefont/fontello.eot?14434071
hxxp://119.81.52.54/wp-content/themes/sahifa/fonts/tiefont/fontello.svg?14434071
hxxp://119.81.52.54/wp-includes/js/jquery/jquery-migrate.min.js
hxxp://119.81.52.54/wp-content/themes/sahifa/js/html5.js
hxxp://119.81.52.54/wp-content/themes/sahifa/js/selectivizr-min.js
hxxp://119.81.52.54/wp-content/themes/sahifa/images/patterns/body-bg32.png
hxxp://119.81.52.54/wp-content/themes/sahifa/images/home.png
hxxp://photos-ugc.l.googleusercontent.com/-KeOVqKDJ_FI/U6El6dSg1kI/AAAAAAAAAWw/HYf_f9E48S4/s1600/OS.png
hxxp://67.202.94.94/swidget/fapcfcomz.png
hxxp://adcash.com/a/display.php?r=428475
hxxp://119.81.52.54/wp-content/themes/sahifa/images/stripe.png
hxxp://173.192.200.70/small/00/23.png
hxxp://adcash.com/a/display.php?r=428475&runauction=1&crr=17b4a792355f11147d67 wnfy9zdyB3f4dmP sSYlVWea865aaf1d1831d50f15f&cbrandom=0.96737650282128
hxxp://star.c10r.facebook.com/plugins/likebox.php?href=https://www.facebook.com/vinacfpro&width=300&height=250&colorscheme=light&show_faces=true&header=false&stream=false&show_border=false
hxxp://adcash.com/script/java.php?option=rotateur&r=438612
hxxp://adcash.com/script/java.php?option=rotateur&r=438609
hxxp://cloud.cashtrafic.info/ban/236180/141423_300x250_iLivid_DB-4S-FolderDL_ru.gif	141.101.118.183
hxxp://adcash.com/ban/236180/2026221_300x250_iLivid_DB-Megabyte.gif
hxxp://adcash.com/script/java.php?option=rotateur&r=438611
hxxp://adcash.com/images/spacer.gif
hxxp://adcash.com/images/slidein.png
hxxp://adcash.com/images/slide_deploy.png
hxxp://adcash.com/images/slide_close.png
hxxp://adcash.com/images/slide_fold.png
hxxp://cloud.cashtrafic.info/ban/992077/200313_jZip_728x90_DB-RoundedBlue.gif	141.101.118.183
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.4.1/jquery.min.js
hxxp://119.81.52.54/wp-content/themes/sahifa/js/tie-scripts.js
hxxp://119.81.52.54/wp-content/themes/sahifa/js/ilightbox.packed.js
hxxp://119.81.52.54/wp-content/themes/sahifa/js/search.js
hxxp://vinacf.com/wp-content/themes/sahifa/js/selectivizr-min.js
hxxp://vinacf.com/wp-content/themes/sahifa/fonts/tiefont/fontello.svg?14434071
hxxp://vinacf.com/wp-content/themes/sahifa/images/patterns/body-bg32.png
hxxp://vinacf.com/wp-content/themes/sahifa/images/home.png
hxxp://vinacf.com/wp-includes/js/jquery/jquery.js
hxxp://vinacf.com/wp-content/themes/sahifa/fonts/BebasNeue/BebasNeue-webfont.eot?
hxxp://www.adcash.com/a/display.php?r=428475&runauction=1&crr=17b4a792355f11147d67 wnfy9zdyB3f4dmP sSYlVWea865aaf1d1831d50f15f&cbrandom=0.96737650282128
hxxp://widgets.amung.us/small/00/23.png
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js	216.58.209.170
hxxp://vinacf.com/wp-content/themes/sahifa/fonts/tiefont/fontello.eot?14434071
hxxp://vinacf.com/wp-content/themes/sahifa/js/search.js
hxxp://www.adcash.com/a/display.php?r=428475
hxxp://vinacf.com/wp-content/themes/sahifa/images/stripe.png
hxxp://3.bp.blogspot.com/-KeOVqKDJ_FI/U6El6dSg1kI/AAAAAAAAAWw/HYf_f9E48S4/s1600/OS.png	216.58.209.161
hxxp://www.adcash.com/ban/236180/2026221_300x250_iLivid_DB-Megabyte.gif
hxxp://vinacf.com/wp-content/themes/sahifa/css/ilightbox/dark-skin/skin.css
hxxp://whos.amung.us/swidget/fapcfcomz.png
hxxp://www.adcash.com/script/java.php?option=rotateur&r=438609
hxxp://vinacf.com/wp-content/themes/sahifa/style.css
hxxp://vinacf.com/wp-includes/js/jquery/jquery-migrate.min.js
hxxp://www.adcash.com/script/java.php?option=rotateur&r=438612
hxxp://vinacf.com/wp-content/themes/sahifa/js/ilightbox.packed.js
hxxp://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM.eot	216.58.209.163
hxxp://www.facebook.com/plugins/likebox.php?href=https://www.facebook.com/vinacfpro&width=300&height=250&colorscheme=light&show_faces=true&header=false&stream=false&show_border=false	31.13.93.3
hxxp://www.adcash.com/script/java.php?option=rotateur&r=438611
hxxp://vinacf.com/wp-content/themes/sahifa/js/html5.js
hxxp://vinacf.com/wp-content/themes/sahifa/fonts/fontawesome/fontawesome-webfont.eot?
hxxp://vinacf.com/wp-includes/js/wp-emoji-release.min.js
hxxp://fonts.googleapis.com/css?family=Droid Sans:regular,700	64.233.164.95
hxxp://vinacf.com/wp-content/themes/sahifa/js/tie-scripts.js
2.bp.blogspot.com	216.58.209.161

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /a/display.php?r=428475 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:36 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-RevProc-1: a8ec481510bfe6cd3a9a746afe7461c5 = ok

27b..(function(document, scriptElement, firstScript) {.scriptElement = document.createElement('script');.scriptCFASync = document.createAttribute("data-cfasync");.scriptCFASync.value = false;.scriptElement.setAttributeNode(scriptCFASync);.scriptElement.src = "http:\/\/VVV.adcash.com\/a\/display.php?r=428475&runauction=1&crr=17b4a792355f11147d67 wnfy9zdyB3f4dmP sSYlVWea865aaf1d1831d50f15f" '&cbrandom=' Math.random();.firstScript = document.scripts[0];.if(typeof firstScript == 'undefined'){. firstScript = document.getElementsByTagName( 'script' )[0];.}.firstScript.parentNode.insertBefore(scriptElement, firstScript).}(document));...0..HTTP/1.1 200 OK..Server: openresty..Date: Wed, 17 Jun 2015 22:24:36 GMT..Content-Type: application/javascript..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-RevProc-1: a8ec481510bfe6cd3a9a746afe7461c5 = ok..27b..(function(document, scriptElement, firstScript) {.scriptElement = document.createElement('script');.scriptCFASync = document.createAttribute("data-cfasync");.scriptCFASync.value = false;.scriptElement.setAttributeNode(scriptCFASync);.scriptElement.src = "http:\/\/VVV.adcash.com\/a\/display.php?r=428475&runauction=1&crr=17b4a792355f11147d67 wnfy9zdyB3f4dmP sSYlVWea865aaf1d1831d50f15f" '&cbrandom=' Math.random();.firstScript = document.scripts[0];.if(typeof firstScript == 'undefined'){. firstScript = document.getElementsByTagName( 'script' )[0];.}.firstScript.parentNode.insertBefore(scriptElement, firstScript).}(document));...0...

<<< skipped >>>

GET /a/display.php?r=428475&runauction=1&crr=17b4a792355f11147d67 wnfy9zdyB3f4dmP sSYlVWea865aaf1d1831d50f15f&cbrandom=0.96737650282128 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:36 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246927; path=/

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"

Vary: Accept-Encoding

X-Robots-Tag: noindex

Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0

Pragma: no-cache

X-RevProc-1: 32ddea80e5c4fc80bb77fcffe58f8cf6 = ok

Content-Encoding: gzip

14d0.............Zkw.:..._A.....%H...q.rO.\H.6...e......@.....e..g:..;..4......}..........$..A...X.....5.Xv.bu..Q.'......bQ......~<......a.L.e5.%...e.l`x.2..a..M..........c......=.f.}...M..fo..{~.o4.A...r.....r...6.V9...3..j..Q......Yo0...Mf2...~.,.z....|.....yv..1....f...m.H..4}.?...>O.h....].c..x....d>.5.D.l.....G.......$..?......A.........$...........e..z=..EL|........*6.;..........f..('.3...r..}....hk........,..?.....<.E. E@..Y.j"q..D...0... ...."..).8../CE.n.j......j.gZ....g ....a.=...~.Aa..~.4|...f.V..E..k5.(.....|..v.....YA...f..0.u>`.a1..j.r..c..@......BqX.UF...'....8... .......m...Xo..Ne...G.....T....._.K....w.7..-..)q.....)..`.M..,..0..D.t_....j..y...*..Y..._..J.....f..(W.mO..-U....O{oX...4...A.O.F^.......M..W...U......@}[.T..........b\.V.Q8..w....Vs.q.w...........W...v.?..2T.._lU.m.a....X..j...2.....`x......l..[.U.. ..g......ZQ..._.G:...k.z.#..mSe.*..e.T........../...J....F.6&...j..W. ....%v..^...}.........S..wU^S..D..h.......j.Po..l..3...n.58....Q5..b....d>..*kJ...V...f.Z.XeSU1..h[..K.YZ{X.3...o.c.z...%c.(V..F.(...}G..h...D{.X.nrG1..n=.:B;.....Oh? :.}t.......h..7..h....k...]4...!ZPgSE........h#....1.@.av..#.....1......=..K....N.....F. t.....;.3E.A....0..>p.....\./1..........Eo.. ...t.........h .6C.....L..z...E.(:872..`...5.S...q.>.m.A.T..q.X./.,......dgb...9S.1.. :.'W..s..]..y....^....b...U....R....y.'.....N=....=k....eF...4.BNYH.E1e);.....Q.Wa..........n..v.........a...?Y..F.Z...."8o........:....u...mv.N.Z{.WTe..t....uo]...a ....;.... ?2U.u.....du...N.fc.......s.=...J...i. .

<<< skipped >>>

GET /script/java.php?option=rotateur&r=438609 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.adcash.com

Connection: Keep-Alive

Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246922; path=/

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"

Vary: Accept-Encoding

X-Robots-Tag: noindex

Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0

Pragma: no-cache

X-RevProc-1: e620540d01040c38e9ddb42c9892cdbd = ok

Content-Encoding: gzip

c4d.............Z{s.6......M-.bK$...t...t.&..o.....H.bB.,IIvS...-@..$?.$s... .....@...ea.. b.....y^;f.,..9..w../.."X..%.....G....}.I....dI.^.0.#......q$.coEH.... ..1k.fq...d........#..,..2.h..O.g,.N...Z.....e......... (....F0q5f..\...k.....8."._.X....%.>.<^bI...FL=%q...#6...?f..g.Y.....o..-..SB..A....!=?P0./.JR.e........!xaG....'Wuv4fy..X....../..T.....K.0<....Skw..J.Y._...Fcs.V^..#^.#..[.n{Cs.....QCU...c/.n...I..p.....<.f0....2^e<^.T.E.O_..|F......0*..&......9....\..e.."..Vi.X.y2j.\.C.5.x....%.ZEP6....,.).!.j..p..~N......Q..EC..m1[....r.-.S...!.t.D ...!..ija.....U.......e.....B....i.......x...,t....j.....,K...AB..y....`.Ca..F.)Dn....BZ./.....bZ.P..X.,;..8.d...W0...%.,...r.X.)..'o.fq:.K.Q.S..........<_.......4...=...'a|....*j}..q..F...#......"....o.....t|R...*.q.....|..E...i....B...(.i....T........!..f.Q...=..Oc.*.......(....5.. .>.#...0.r............T..7.xT..8y.I.r:..s.0.......5.3.Q.].A....#........; c.............{8...grNsF. d.v.x.b.r.{X......$...&.f.`..<j?Hxb.m...w.f.MC...F......tM]I .%5.$(DQ.."w.\.y.6Q..g4....x.S4]H.M.8..7..<..U.H..T.E./._.U.8.mR....k..."D...}3a'6;<d..%..n.,/....z.....K..F.c....H@..1...E.<....N.c..c.Cg.....OY.. 1.......^..;.9.^.\/....xBW..$E....x).B'x,..1....c...uL........a....~...-...........%.d..dX..C...S4...y.....R&..k.P..Ai.V.t.b.....R...........'...(w8.>.x.[.t.*....F8...b.p.6.....#d.i..I...%.W.M..Tj.......T....`e.3k.....VIoAl.0w.,y....B.zH...J.B...}....w..a.k.Fv3|A ..'..5...S..s........F...?.. .G......h..C............PlN.Vkd.....F.j.........O.O.6..|.

<<< skipped >>>

GET /script/java.php?option=rotateur&r=438611 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.adcash.com

Connection: Keep-Alive

Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246925; path=/

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"

Vary: Accept-Encoding

X-Robots-Tag: noindex

Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0

Pragma: no-cache

X-RevProc-1: cbad08adf0c64328f3737ff434d1c98b = ok

Content-Encoding: gzip

12f6.............Y.r.F..?O...[.`,\.@t[....... .pD......w...Yj....]D7@Teef..e........=.-.'.....-s.....$k.U@........." ._.. .....#.........^.J.-._.50.F.."7^...L?#..k...$Nhi.W..It.CBO/.?...C....v{y..../.~..y........x..x.`..M._.W....k-....`. ..{i/q.'..zF.T.....J.b./.V.^..Z....Kb.)I.g..}....[(...b..T`...0),.....c....?..Z.EZ.....g.M.Vow0...#.....<.....E..`^ 6.>..'tW.,.....L...L ....3...S....X.=G ...*..uz....4V..o=...~F..<...../6.V..~y.....F|.........Z^X..|.......=?x.|_...I.5.}.(...v...w./.JO...h......a....$.wI......8w].&>C(0.;.}0)..*..>..E...j..\....>......../7.`.1m....;^.au........pq.U..[F.}.{...=.(......@...........`.},.....[......e.Z/..N/.... ..C.|k{.e..^#._..i=......ts...?A..s.....5......@...N.l......<.^$aUZw..I.l.'n...x..... 7...]..ho..........O...=e.]...@3.}....|7.W....X..s.R...).b.o|.?...._{..e..u...B.8..w..7e.z..E....v..V.\o{..p...zR.I.!anN....M .......l...;....?..w.{...M............5... ..7,.A...fn.O./.....g...~.....`.1.........qC..g..../.d.....=....t....zz'.w...........`..........;.....A!i....[..~.............\kk...y..o...{.7.....S......V.{....?..................M|....Wj..k<y...z..*.<.l.$..2w5os}P}....Y........._r....j....%.*.7.....k..Ro..V........8....#.DH.......U....0....t..(....y.,u....A.....~..........<....A..}.......lz.;.. . .P.>C}....=(.................Ks........Kz......}.z .M_a..r...\}../ .>...zG.ow.hr.K}..P....V......"...'.i.o;i..........D.A....k..7...E...W.... ..].*o.........}s..&F....... J..(.% W^.~....................['v?Gi..[..I.i...4.1.rH.E..l.....M..........

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/BebasNeue/BebasNeue-webfont.eot? HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:42 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 54416

Keep-Alive: timeout=5, max=512

Connection: Keep-Alive

Content-Type: application/vnd.ms-fontobject

..................................LP/...[.............. ....,^......................B.e.b.a.s. .N.e.u.e. .B.o.l.d.....R.e.g.u.l.a.r.....V.e.r.s.i.o.n. .1...3.0.0.....B.e.b.a.s.N.e.u.e.B.o.l.d................pFFTM`.}~........GDEF.......t... GPOS.(..........GSUB...........tOS/2mP:....x...`cmap*.K....l....gasp.......l....glyf4..........Xhead...........6hhea.P.K...4...$hmtx..3.........loca.v7:........maxp...O...X... name............post.......,...=..........^,_.<...........N.......N..w.M...~.........................w.w...........................L.................@...................X...K...X...^.2................./...[........DHRM. . "H........., .............. ...$.2.....M.........(.E.(.......".s."...)...%.../...............(...#...(.}.........l...(...".......#...!...!...........(...(.......#...(.h.............(.......(.p.(.X.(.......(...(.......(.S.(...'...'.....~.(.......(.v...d.....#.....3...........r...../.}.................,.......(.......(.p.(.X.(.......(...(.......(.S.(...'...'.....y.(.......(.v...d.....#.....3...........r.........................(...$....... ...........#.............c.........#...............#...*...$...............(...........".c...s.A.s.A.s.$.h...........................D.......p.(.p.(.p.(.p.(.......%...............'.......................&.......#...#...#...#.....y.(.............................D.......p.(.p.(.p.(.p.(.......%...............'...............................#...#...#...#.....y.(...............................................................(...(.........p.(.p.(.p.(.p.(.

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.eot?14434071 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:43 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 10176

Keep-Alive: timeout=5, max=511

Connection: Keep-Alive

Content-Type: application/vnd.ms-fontobject

.'...'............................LP..........................}o....................f.o.n.t.e.l.l.o.....R.e.g.u.l.a.r.....V.e.r.s.i.o.n. .1...0.....f.o.n.t.e.l.l.o................`OS/2>)Is.......Vcmap.&.....D...Jcvt ....... ....fpgm...Y...,...pgasp............glyf]..F........head...H...0...6hhea..._...h...$hmtxW..........\loca0j4........0maxp........... name.......8....post..y.........prep.k....&....{...........z.......z.......1..............................PfEd.@.....R.j.Z.R...............................D...........(..................................................................................................................................................................................................................................................................................................................... .>.M.S...ROMB3..- ......#"'&7>.3...#"...76'../.&'..".#"&'..4.325'&5432.....2...6.."....>.2..... .7.......J6.(...F""......,V&.. .1...$....,.."8:tN..(Z........0`..*8"....&.....".....|.....f..n(&.F..&...........("t..".F.H4(.R..$.... ...44..........8.............*........."..@. ..........- ....&546%..632......#.6?..&.5!...#&....t......@Jb.^j...R.6ft..N8.rTT......00..F...(.P@.rPH..0\..Px.d~.............(...'..- ........'&...'7>.76.........3276&.676... ..j*N6 |..,..$...4.............(V*HL.vh......H..6B.......24 r...,L K .P.8..L`.~>6\......i...R. .-.:...60)$...- 5.46;......................'!"&%...!26...!"....;.26...#"....A..............r..............$..d.$. ....$$...$. ...$..q...bB

<<< skipped >>>

GET /wp-content/themes/sahifa/images/home.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:44 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 1022

Keep-Alive: timeout=5, max=510

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR.......N......`Vg...bPLTEIII...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...C..S...ttRNS..................!!$$''--00336699<<??BBKKNNTTWWZZ``iillooxx{{.......................................................*......IDATH....W.`...7.B.....G...[.......H...tB.<..o..4.4..~.........97WH.$..$.]:...W...Y."..a.&.'m..( 5V..&..KR.f...X......4(....E2...........'W./..k"n....L.....\.5.$7\`........].....Fw..._/QWr.0....R....w.D.*.......O.m...uo...kr._.....CyL.?7.s^.7..7y/..U...R..u..S...>....;.D.EX..Bxu......[...R.c.J.X?cW.":...~....e.......%!.0B.....u.s....G5...*k.{.......'...Suk"...P.H..i.&.0c..:.G..O/...Y.....G....^ B.Ut...w....!v...Oy.#..l..1.N....m..y.l..a...;....3...D{..x....X....mz.....cG........IEND.B`.....

GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:44 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 93

Keep-Alive: timeout=5, max=509

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR....................$IDAT(.c`@.)$.@.8...H.D.3.h.v.i..%B.._...........IEND.B`.....

GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:44 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 93

Keep-Alive: timeout=5, max=508

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR....................$IDAT(.c`@.)$.@.8...H.D.3.h.v.i..%B.._...........IEND.B`.HTTP/1.1 200 OK..Date: Wed, 17 Jun 2015 22:24:44 GMT..Server: Apache..Vary: Accept-Encoding,User-Agent..Last-Modified: Sat, 23 May 2015 21:00:23 GMT..Accept-Ranges: bytes..Content-Length: 93..Keep-Alive: timeout=5, max=508..Connection: Keep-Alive..Content-Type: image/png...PNG........IHDR....................$IDAT(.c`@.)$.@.8...H.D.3.h.v.i..%B.._...........IEND.B`...

GET /images/slidein.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Wed, 15 Aug 2012 15:30:42 GMT

Vary: Accept-Encoding

Expires: Thu, 18 Jun 2015 22:24:38 GMT

Cache-Control: max-age=86400

Content-Encoding: gzip

X-RevProc-1: n/a = ok

1397............|W.<.k......I..,.E..c.a.RS.9....1...3cf..].....A8.d..(.....L..ed..:u..9....;.....~..~..~.'...%.[l7...8........~..~.F........3..E..............=..x.<........~.q..P0hS.....nc t..h......8w<E............vuD.X....$C...9./.E.3K..;..(.. .CG..<...4..:...#e..E....P.....;R...0hsiC..^Z....S.P...A`.j.....*.0e........D.. ....\2.......Fg.....2.......h4.M.B.r...p.v...%..Df.(X...,.3.....r%Q\...m.{.H. ed~N...WX..G...A.X...Q... ..............F.-.$<..O&R.p..s..v&!...X....H......D...B$I.^T.Fcq..m.;..F.'.)X.....)..@\]..0..}....Fg.5`.30}.3*g....ag....j..5"...x.......j...6....{.z...z.=..O...7......jp5 ........?.....@.d...C........m../.......Z.c7..@.....[.{.....u............hI..W..;.[.....l9{..I...g.]an]Y.K...N...%L....5...U*.\&g..6-.....Z....Z.........n(...w.?f..=.}.G6.w..z..m..L......s.@.]..E@)..l..w......}7~b......Q.c?........hkni.y.x..C.;.$G.Q.....O..."cBDJ.....D..>v....%..4.m.n.r...`...bNA>.(#.JDg.O-...;..<ZT;f%....Q:..|.l|1r...=.=*..|...A.o.......g.sWw<...7P.]\......J.vV..b....]###X.E....X?:.....]...)......a.DqtLz..5_S..0.0....$p.CQ.~~..A.}......n.E..`...82>~...`..3~.Y.....q.J.z._.L[G...DASIPBG_......E..B..{...:.$].b..zFO...<._......=.@$:.\0..t:Um....&.....6......>...P..H..4.!...Z....{.;.`:::.....HT8..i.|.3X..o.c...|b.wYa~).s.L..18...r....7EQ..[.....vz....._*...S..).4Tc.....m.'...w.x<>.V....Z:..M...L...*H...-......$......3'.|6....RH1...*0.....Rjj.......E....i....6gf.7..pY............@.B.n...8yD.....5............P.r..{fIb}'S..".....#.....]..<.jW//...........L...../.....

<<< skipped >>>

GET /images/slide_close.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Wed, 15 Aug 2012 15:30:41 GMT

Vary: Accept-Encoding

Expires: Thu, 18 Jun 2015 22:24:38 GMT

Cache-Control: max-age=86400

Content-Encoding: gzip

X-RevProc-1: n/a = ok

427..................PNG........IHDR.............Vu\.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R.....7bf..T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..

<<< skipped >>>

GET /swidget/fapcfcomz.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Wed, 17 Jun 2015 22:24:36 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://widgets.amung.us/small/00/23.png

Set-Cookie: uid=CgH9H1WB86Sp33djnmwVAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/

0..

GET /-KeOVqKDJ_FI/U6El6dSg1kI/AAAAAAAAAWw/HYf_f9E48S4/s1600/OS.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 3.bp.blogspot.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

ETag: "v16d"

Expires: Tue, 16 Jun 2015 11:38:06 GMT

Content-Disposition: inline;filename="OS.png"

Content-Type: image/png

X-Content-Type-Options: nosniff

Date: Wed, 17 Jun 2015 22:24:35 GMT

Server: fife

Content-Length: 25649

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=86400, no-transform

Age: 0

Alternate-Protocol: 80:quic,p=0

.PNG........IHDR.......I.......p.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /images/spacer.gif HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

Last-Modified: Fri, 03 Aug 2012 18:09:08 GMT

ETag: "501c13c4-2b"

Expires: Thu, 18 Jun 2015 22:24:38 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

X-RevProc-1: n/a = ok

GIF89a.............!.......,...........D..;....

GET /images/slide_deploy.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Wed, 15 Aug 2012 15:30:41 GMT

Vary: Accept-Encoding

Expires: Thu, 18 Jun 2015 22:24:38 GMT

Cache-Control: max-age=86400

Content-Encoding: gzip

X-RevProc-1: n/a = ok

b9d..................PNG........IHDR.............Vu\.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L.

<<< skipped >>>

GET /images/slide_fold.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Wed, 15 Aug 2012 15:30:42 GMT

Vary: Accept-Encoding

Expires: Thu, 18 Jun 2015 22:24:38 GMT

Cache-Control: max-age=86400

Content-Encoding: gzip

X-RevProc-1: n/a = ok

ba8..................PNG........IHDR.............Vu\.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L.

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/fontawesome/fontawesome-webfont.eot? HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:42 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 60767

Keep-Alive: timeout=5, max=512

Connection: Keep-Alive

Content-Type: application/vnd.ms-fontobject

_...y.............................LP.........................P......................F.o.n.t.A.w.e.s.o.m.e.....R.e.g.u.l.a.r...$.V.e.r.s.i.o.n. .4...3...0. .2.0.1.5...&.F.o.n.t.A.w.e.s.o.m.e. .R.e.g.u.l.a.r.....BSGP...................T..q..u..*.......Y.D.M.F..x...>..........)Y......h..D....pj....f.i..)..U.'.&a..;`.*.../.....V...B.....OV..r.n.:..{$2D....:.&...m..d ..CeH.\../o.......U.M....X.`?....?.A....C...@..'.(g~......%(.Jl.&zw.....W#.mw".].At.....k.......p....E....[..=.gM.................go..W.R.q...`{.ZwUF.........o ..D.p)A8.....$..M.#.>..?....... d.No2..L.......<.t.....B..T..a....<...`.......e.SO.....cI[.p..E1R*.fMd.....>..2V.........z7..&. .....f..V.(8....aR.....x.Z\R.e..$.Vw.......K......gs.......*.... ..dI......6......)...rj..:Z."1.'...<....'.Q/....8..).B..5..tgk.AM.)...|~...."....2.... h...(.&.c..sw...(....h.Dg.k...w..zm%.f....//5.%....}....k.......... ...@....[#.D)..J<..?YAT.......o.s%....Z...G).5....#R'...#...).... R.....Z.z... ._....K&%'5.....(b.....Y..i_......|B.>U.......<q2i.....Q....7.....<2.._.y\n..9..u w.'!.p.5...q..u ...XU@.1OZt.I..g..'d...5.,.Y_.M.i.......D...H...Y.y.@.f....`Oqi...b...5..p......E1....x..............F?.....fS...n.>m"fE...u..n=.y..`LA&C.2].W&o.2pKDRI...3L...px..$.P ...p.P........$..........,a2T..X.!......av.....q.v,KZ...E..r?Z....m."..#&?.>.i]G^....Y....E&.(m>..?.hp..X..G.e^J...9[|...}...b..b..........P|q.......ka<..j$.....t5LG....i..#....h..W.kR..T.2...Of.e......b\~...fAh..L..La.......!...P~e...0.l ...Z.....$...0@.0.....GG.W....e..WE.

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.svg?14434071 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:43 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 4864

Keep-Alive: timeout=5, max=511

Connection: Keep-Alive

Content-Type: image/svg xml

............[o.Hv...WT. H..b]Y..{.t.......$..iI...$S..._..m.H.}$..v#@.7yT$7..e..w.......{......y}.^.'.~.........'7.'...w_......_....p..o...._..O....z......o..................\....<=...._}.^...=..........n<.F=t*a!.:_.O..$k.7...y<.....x}...w...on..xw..rq...?.8......j..f7..........{s{.\L.......N....W..o.u...:.}............. ...'n.....]........c6....z}.y.F.......u.]......j........^.....F...?./..|..S.}u..u....~|w....i.hG...../d.....^zv{........0..^...z,........1-...}.a...NE.b.._.....K.i,V....B.\typit./.....}..........q..QW....g|.S.....".$....X....|...<.>{...zw[|..N....o.4...g.m.I.)......$M.Jx..b...Ik...a...a.....c.Y3..D.pu.....c...^..5..v-j.LS.2.q..q....OK.B...s..].^5.8W.r.^....BQN.1..X.........".k5A..;4......k....Y.KC.U.......2.QB.(.H7.c.~....Z_..wWg....7.....i...."...z....../p.q....g.(u.KhI.b.....I3.e..V.\.K......N.r...9.]F.............7....,.p%..k....Tb..2..?H.L..U...C.K.o..o....&'......t.1R.,8t?....U.Q.,......Q.pu}q{...).Iy..O..-..M%...2.lkFo....6..\%x.G.r....#jM6..N.HQ..0ysk)..#.>8-BQ......Y..1.4..E.......*..8..V.I.PC..d.....BS......&...(.rL(......sU.......H..a!&...........n....;.q.t.7."K....Q{BW....). .......(.dPf.....R......(Y.......\.ICD..m......X.O.....H..u.v....]n.j...!....F....E....T...%.M..r....wM6..y..32J.....p2OB.RQK|..6.A.>..~.u.........Ao.no.../ww.=2_~4_*.....(:p....mH...g..~...6z0.....>-=.........Q...5*..L'..cspDQ#]h..K.!F..q._.).).\"^...H@.......L".Q. j..]w).o...! 7..5f.4.......e.ee.$Wx._.U.Wd..f!.Xa......5...z.......P.!..0.A..K_.&zF..-..=...>4.........f..-G.-.q. ..q..4.8

<<< skipped >>>

GET /wp-content/themes/sahifa/images/patterns/body-bg32.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:44 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 4069

Keep-Alive: timeout=5, max=510

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR...F...F.....q.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx.t..r.I..E....?....A.4.,c^#..zT.3..j.......z.........w......G..~..y....._.~......{..........>.x.k...q..w....y.{|........o..9..,c..o..>c0.cq..........|.......g...<............p.]..../_...}...7...Y.'Sx..]........._..z.....2..dT.%S.....m,...f\.s.?....,.........b.2.].b...*M..={.K>.w.......q...........;6..q..X.z..d..@'...J(..L............v..p.] 1..$.^w.......E........Au....._..u>'..q..a%....y...~W..q...|....2....N..`..W.%X...]... .e..3.4.8E]z.(.J,..@.UR......H..A&.4....b.</......8...))NPu......T..T.j[....(....k;........si.*..=...N....z.%..@)S...30.I.S...p.... .T.w......>>/...{...5.....w~ Z.....m...J...E#....^-B.....;.>}z..U..)U..Y..^*.J.......!.P.Tk........2..cL.GU..J...... m...i_. ......z>.[G..|.q.-......V[.o%C&.u...V.TFV...^S.y...:hY..}s..w....1..U.\.....2........@'.X.T.[5.7..U..j..L.].l...E..=.`.<k.........K...j .c.;..hw....b.z....'....J....U.h..<#....8..........b!..J\....e..z'9-.}V..0..D..i(.........@4..WT].......'..~jo6. f)F)s.A........b.5.."<..{..K...kJ~...#....u.5t.H.I.mT.D.dj....K%`...e...6g.'6..AC..z_o..z.E.G.W..$...."..Z~U..M.p.......Hz.y....U.6..jK\..*%.".'....GmJ.R=.~EY....3...tqef.....g.S.5.R..V.....%.K5.Y.;..pBP.2/.ht.l-.DA@.ds..G.v.y|..u^s?..nX.lih..v...}7P.yE..s...F.T......R...q...$...h.V...7.Z...t.\.e........0...C..7X.Q2...L....N...r.qs8U.m@Qu3.._.b..&....*5..%.<3Vm..;.......{C.....&....z..eX............!B..A...Y .J...T.M.V%|..D.M=.70.9[lN.m..F.......B...E.......8.a...b.c..k...

<<< skipped >>>

GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:44 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 93

Keep-Alive: timeout=5, max=509

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR....................$IDAT(.c`@.)$.@.8...H.D.3.h.v.i..%B.._...........IEND.B`.....

GET /wp-content/themes/sahifa/images/home.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:45 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 1022

Keep-Alive: timeout=5, max=508

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR.......N......`Vg...bPLTEIII...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...C..S...ttRNS..................!!$$''--00336699<<??BBKKNNTTWWZZ``iillooxx{{.......................................................*......IDATH....W.`...7.B.....G...[.......H...tB.<..o..4.4..~.........97WH.$..$.]:...W...Y."..a.&.'m..( 5V..&..KR.f...X......4(....E2...........'W./..k"n....L.....\.5.$7\`........].....Fw..._/QWr.0....R....w.D.*.......O.m...uo...kr._.....CyL.?7.s^.7..7y/..U...R..u..S...>....;.D.EX..Bxu......[...R.c.J.X?cW.":...~....e.......%!.0B.....u.s....G5...*k.{.......'...Suk"...P.H..i.&.0c..:.G..O/...Y.....G....^ B.Ut...w....!v...Oy.#..l..1.N....m..y.l..a...;....3...D{..x....X....mz.....cG........IEND.B`.HTTP/1.1 200 OK..Date: Wed, 17 J..

GET /ajax/libs/jquery/1.4.1/jquery.min.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ajax.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Type: text/javascript; charset=UTF-8

Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT

Date: Sun, 14 Jun 2015 18:56:51 GMT

Expires: Mon, 13 Jun 2016 18:56:51 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Server: sffe

Content-Length: 24050

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000

Age: 271667

Alternate-Protocol: 80:quic,p=0

............i{.8.(.].B..q..-.I.}..f.f.NO..i..# }I..(K..%.#.......(...9..b. v.jCU.....|...s....?D....2[..?f.2..O......g.^/.Ngz.Y..b..T...X./..d.|.=.z...I..9]ec..r....l...4in.$]6.......f.l....._..* ..c.o.>l.X.;..l.M>.m.t...>......(....Ju....../.i.|]@..5t.........^...K....u.G..4.h....0..".._.....{.?yBm5....v!_...6...r?{..V.5g. ...=.....i....zy.]..b......,..x..*f3.....#..h=........l....;..s.,..f....%V...^..6r#/....Z.{.v4....f9.)..V....E.U...D.......4...........O......n....."_CG.5..t....?.v.#........"IOO.7.......d...E.....^.......S.lN..=K..z.....c....a...4...lG....y3....Jr/....'Q3...PCr.....Ivz::=..x.V..bey....i..Z"u#.).F..=.`%.=...!..:[6"....f.b.?..f.0....\n...8.....5.....IkS~....z.1>.#.B.M..6.W......'....6l.h......,.G.[8....a.......\.......o.........O......v..$[y...rD{.}J........z]......Vq............N..~1.BS*....n7mG....FK.?[..{.?z..xzv..,.R.....P}.:................0#......&...`...X.}.K.L.u.6...,.bW`...h.g....;..Q{.Y"...o.. ....3....U0.....<...A.Z....a....To`...m..s..f.B.........}J.1../...b..2..b.)Z..L.l.\$<-[...{........K...eI..AeN`"h|.-...r.x0R|ah.\^*`..'...C..............?98.m..F.......U ../f.0u;W...s....Njb..c.......$..N"...v.[;.?......e.7.[.......F..5..e..D5.....@)..*......E....[...mkn....Q.Ho..`.X..7.8!H..p...^...GB.N......'Q.p......@.R...{c...EQ...c....1...JD...au.^f...q.V....=.,.2 .w.F.sQ,..G\tOO.a{.Y,...=......"..9Y..E.................0]....&..........r1P4...?.....KI...B..........T}z-.vE....J...b.(..N.A.a......o.G....T.(..~j@.?L..%.2H.a..9..r..J....Wn.I.g.]......^...lac.>r...|(......

<<< skipped >>>

GET /ban/236180/141423_300x250_iLivid_DB-4S-FolderDL_ru.gif HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cloud.cashtrafic.info

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:37 GMT

Content-Type: image/gif

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=dd15fed86d8bf2e1d341726dc12e9472a1434579877; expires=Thu, 16-Jun-16 22:24:37 GMT; path=/; domain=.cashtrafic.info; HttpOnly

Last-Modified: Thu, 13 Feb 2014 14:26:58 GMT

Expires: Thu, 18 Jun 2015 22:24:37 GMT

Cache-Control: public, max-age=86400

Content-Encoding: gzip

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1f822a6b0c570b02-WAW

2112.............wgTS..nB.....Q0../*.&EJ@.4.. H..@.......R.Fz7b(.B@.......C........{...8?.....s=..s.5.^ckh...Z....v.............*....=,s.........j.....^...../_~.7G.:.J...l..h..q..FL.ft.F.7..w-....?&.[.....# ...O....N..%."j...c.,.H.*[<<>Q}S.\12.y0[....;\........o...n....r/.x.ms.."eb...2......P:.m.8n...u..>......m.........o..A?~...&W.k.K....F :f..%..&.V.L.6D.&.7O.K...W...W......r.;r.K.....{....$#$..#e.Nm...?.....9v/..5.&W...O..a..U..m?t....U|.,.....c.fR..... .xm..S.......u|.Rc.R....~h.<.....^. jQ../..... ...!}D.=.Q...^o...b...5.....o|..0...S.o.......k/..?z...6.u.a.K./..(m:m, o@.1.9{.9..0....7..........D.k.K...........).L{i..s.P...M.R.a5.7..u...h.4X...[6._1."sR..T.u.#,.8..4q.y....J.~%..f.J1.H..Z{.a,.~....a..a......q#........)..)..Yd..g...V...E t.I..C..ad."q.cB...1...A.L'..H............H\.B.~........6..un.kC.5..../^..X6..J,...uY}..H.w/.l....r..1..{.....#5.v/..x.......i../.Bg7.5..Z.Y.y. y.,._....l_88)...6...l...H..uQ.l..4.\l.y.=..zi-k#.......pD9..Y.<._9..y(.X.8[.....m.......RA@.....1.9....D.n[..$a.."bRb.2b.`.p1.Q.....m1q9.......".'.....CU.....)......DE...E.%D.]^........E..o.A.v.tr.....z.........(7.g'.......7...........c'W..-H...Q...%*&..ut...........].{.lE...:.q.................wq.s(..T...8.:.i.*.....q.....PV..,.....&.&&{OBJVF.......55.?>.7.\LULF..............=u...........?\-'W7K'k...... ._.r.\l-..].;;.........]..Q.{.`7.88.8.......;Q[....6......m.....^V.nmi#~..nk}[LVR......mqiI.;......v......l....D..z...........(...[.?M...;...............u........u~nvfzj.2A.....&.......%.twuv....4.......P.....[u

<<< skipped >>>

GET /ban/992077/200313_jZip_728x90_DB-RoundedBlue.gif HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cloud.cashtrafic.info

Connection: Keep-Alive

Cookie: __cfduid=dd15fed86d8bf2e1d341726dc12e9472a1434579877

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: image/gif

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Mon, 01 Jul 2013 08:49:36 GMT

Expires: Thu, 18 Jun 2015 22:24:38 GMT

Cache-Control: public, max-age=86400

Content-Encoding: gzip

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1f822a732d580b02-WAW

1ec7.............uy8.........(.2I.u...X..$....lS.(4."F....*M....D...$.2...]R...^...y..z.......>.9.....s..:..&.G..@..M..v~.....h...jccC....._..J:......r{zzfff&''..q..n....gxztttppP..........g..gp.......... ..OW......Ok.`o....cB....3...J:L..........O..Q..}l.......`Rt....[U..|......ou._o.hi.......=.~......-.f. .9S..S....K.....#.....*X9I:...5...1.E*.;6."G..V..8...[....._.2.X.>..].Z..20..G.x..}..0....._.(p..8F.w..IX*......X...#....<.ia.1!,l....y..O.....Y...P.........Ok-...[.8?...oa(......%|&.|p...q...xD...a..........1l.............^z.........PTT|...>q...m........jS.G......t.L.^...ux.3y%.....-..=>.Z9.{..C.2..;-...^.OMM...r>.#...y."tg.sx.|@.p<50...f16|P....h..7.......aE.........m.{5...'..`.{S...ANf.W..cx....].I.Q...=..9.;>>.8y..==..,htG..........w...-K%.x.lA.....q ^........].:4.V>.....R......,y....%..$.........V.p.ruu.....]...&.La../...._f..#jwG`.'5....9..tJn......#1......;...J..Q.....w..r.&.......u..R..}<.p.</y..I/U}..y{.I;hX..)F.^.f..z..nc.~......q}.n.N....3..........'...p.S....e.i.. A>z...l...4.....P. ..5.8M.2AM]KKK...'.U..*.U%..........!.W...E.[c....k.I{..QtTT.]..|MM9..%....G.................x._.....W.)A.....l....Az.....G...o.....IH.=.O%...BP.............?....(.*.....W.=.....R.3....htN^..{)n.....~..A..z..w.=.=tL....5...j......!A............:._../........5...1.pB.(^C[....?.j.fp.._...`......\...U...:FW=.........[.$....@...........#.Z.?.._qz^....0........x.?...c.m...S$..'k..F&.....&j...Z......91....._.......g............/W.6......_.?.67..VW..K...s.3.S?&'..F9#..............fuuv..

<<< skipped >>>

GET /wp-content/themes/sahifa/images/home.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:41 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 1022

Keep-Alive: timeout=5, max=512

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR.......N......`Vg...bPLTEIII...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...C..S...ttRNS..................!!$$''--00336699<<??BBKKNNTTWWZZ``iillooxx{{.......................................................*......IDATH....W.`...7.B.....G...[.......H...tB.<..o..4.4..~.........97WH.$..$.]:...W...Y."..a.&.'m..( 5V..&..KR.f...X......4(....E2...........'W./..k"n....L.....\.5.$7\`........].....Fw..._/QWr.0....R....w.D.*.......O.m...uo...kr._.....CyL.?7.s^.7..7y/..U...R..u..S...>....;.D.EX..Bxu......[...R.c.J.X?cW.":...~....e.......%!.0B.....u.s....G5...*k.{.......'...Suk"...P.H..i.&.0c..:.G..O/...Y.....G....^ B.Ut...w....!v...Oy.#..l..1.N....m..y.l..a...;....3...D{..x....X....mz.....cG........IEND.B`.HTTP/1.1 200 OK..Date: Wed, 17 Jun 2015 22:24:41 GMT..Server: Apache..Vary: Accept-Encoding,User-Agent..Last-Modified: Sat, 23 May 2015 21:00:23 GMT..Accept-Ranges: bytes..Content-Length: 1022..Keep-Alive: timeout=5, max=512..Connection: Keep-Alive..Content-Type: image/png...PNG........IHDR.......N......`Vg...bPLTEIII...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...

<<< skipped >>>

GET /s/droidsans/v6/s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM.eot HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: fonts.gstatic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Type: font/eot

Last-Modified: Thu, 28 Aug 2014 20:40:42 GMT

Date: Tue, 09 Jun 2015 15:56:55 GMT

Expires: Wed, 08 Jun 2016 15:56:55 GMT

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

X-Content-Type-Options: nosniff

Content-Encoding: gzip

Server: sffe

X-XSS-Protection: 1; mode=block

Cache-Control: public, max-age=31536000

Content-Length: 22021

Age: 714458

Alternate-Protocol: 80:quic,p=0

..........|.eL.l.`/........;.....\.....xq .^.x..|....Mv&.I..L...<.Z....../...uD..H8( ..........U...{...QZ...B.....T.^......I....`...O........qd.:..`...8....#.......S..|..l6.3...$......gZ.o.....l...5dT..w@....|..em..2..Y.....I..7g.Wr-~3F.........1k...UJQ...B.%d...my3.......R=...~..\..0...Y.Y..O7.........T.~.V....QbZ]-k.&...|.}......q6]N.`.....R...........\T`.nevV..*6Q\z.......X..I.Z3pOs.aM..F=..3.2...p..r.b.]..2...J.~?qh..I/F}%"ST:\w,uD.dq...nT.....O...gSq..U.m....3Gk..#..a.6.vb5`..{.{ARPv.[.......t.........J.5..............#.I.3@(VX.........H.8.. y|....Bz...d|.R.8..db'.i....N.M.....&h..,<.#H..%D...D\U%|#..cg.n..m)S..I.(.gX..) L.W.r<7.*CNSN..[..aN5#....z..1..J..A...Y.9D.0F'...T.;<.&{. 0YAnJ......C...Qm._V.L.$..H..........8...D.E.`.|....../.p......A.P..!.V!B7Tr ...4.2:...8.R.....D?.....Aw."...d........C..2p......_eO.*.k..q.V.P...9Y.....c#JCX.......o...*h-l.,.D..1.x...$.(bg....8....I.....?p.Y.L.r.1......C...85.K.,.Q.... M,pa]YN......I..n,..y...K....L..Gl>.....P5..."qb..1.e....t.j.....K..a&.(.#...%.....YJ0...AG.b.H.S.>..wp......pE/a-.....?K....E.#.....{-9.#..A.1:.q.7K.<....b..Z....)j&<E....\...d....T.....G^...a..8.[.]. {..K.}QBz..Q....c...ep..v......;>3..'......{.rH.J/v...Z...)......z...&...hx'p.....: ....L!..;vh]^.sD7B.....Z.C....#...of.U..>.GY.1...<-J-,B...L)*...6JEV9.pV..Z&....Vl....\D.-......9R........_...?...SE..p....H.fU...!..............v.....Pa.......&F.x.&g.<.k....=.Y..X..l.731..j.*...Tj....Y...NP..`mVS..Q.U81.U3.&a."..@14\...L....0U.......N.(.G/..-D.../Q.. ..!..........

<<< skipped >>>

GET /small/00/23.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: widgets.amung.us

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Wed, 17 Jun 2015 22:24:36 GMT

Content-Type: image/png

Content-Length: 317

Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT

Connection: keep-alive

Expires: Fri, 17 Jul 2015 22:24:36 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

.PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................zc.....z.UC..n.'-00/...555...........IDAT8......0.CC.u.`...;.....!QWD....42W......C........]..w./xu.mb.v^.....F...Z*.\.....]?2.E..K.IB.. .]`....0.._.@..8G....Y. .p...C}.N...}.....-C.{B..?.4.8e.d.....l.....a...'R..r...)S.M....\Y...I...n.....IEND.B`.HTTP/1.1 200 OK..Server: nginx/1.2.4..Date: Wed, 17 Jun 2015 22:24:36 GMT..Content-Type: image/png..Content-Length: 317..Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT..Connection: keep-alive..Expires: Fri, 17 Jul 2015 22:24:36 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes...PNG........IHDR...P.........D......9PLTE.bM.nX.82.G:................zc.....z.UC..n.'-00/...555...........IDAT8......0.CC.u.`...;.....!QWD....42W......C........]..w./xu.mb.v^.....F...Z*.\.....]?2.E..K.IB.. .]`....0.._.@..8G....Y. .p...C}.N...}.....-C.{B..?.4.8e.d.....l.....a...'R..r...)S.M....\Y...I...n.....IEND.B`...

GET /script/java.php?option=rotateur&r=438612 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.adcash.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:37 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246923; path=/

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"

Vary: Accept-Encoding

X-Robots-Tag: noindex

Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0

Pragma: no-cache

X-RevProc-1: 6a7f053a97ce3844b73598b513dc0c7c = ok

Content-Encoding: gzip

1d0.............R]k.0.}.....-..$..X......$.<.......?.(....>y..{.@.JG..t.=..*g..(......[...q...(...._..5.;.....4U....W......... .0X...S....R..V:.j..wq<.c$K%.u..&> kz.?.AF}......#....<-E..b.N(.(.3QQ..FH.D..KD%RE.i...Z..A.XX.6..C...S.Cc.....LpF)&DP..F.r.......d.d......x#....F.......m.....AJ..l..#.g..<....5.>.=Y.....l..*..Uw.E..W...o.......a,.....=@.ZP6......dS.|?...'..rY..'.....i...lY.,..8[.....].h...R...Vw..b.g.8..A.'.w..o..l.`.|.xO>.o...\os{..F. ^-c...{..0...?.8......0..HTTP/1.1 200 OK..Server: openresty..Date: Wed, 17 Jun 2015 22:24:37 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Expires: Sat, 26 Jul 1997 05:00:00 GMT..Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246923; path=/..P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"..Vary: Accept-Encoding..X-Robots-Tag: noindex..Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0..Pragma: no-cache..X-RevProc-1: 6a7f053a97ce3844b73598b513dc0c7c = ok..Content-Encoding: gzip..1d0.............R]k.0.}.....-..$..X......$.<.......?.(....>y..{.@.JG..t.=..*g..(......[...q...(...._..5.;.....4U....W......... .0X...S....R..V:.j..wq<.c$K%.u..&> kz.?.AF}......#....<-E..b.N(.(.3QQ..FH.D..KD%RE.i...Z..A.XX.6..C...S.Cc.....LpF)&DP..F.r.......d.d......x#....F.......m.....AJ..l..#.g..<....5.>.=Y.....l..*..Uw.E..W...o.......a,.....=@.ZP6......dS.|?...'..rY..'.....i...lY.,..8[.....].h..

<<< skipped >>>

GET /ban/236180/2026221_300x250_iLivid_DB-Megabyte.gif HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.adcash.com

Connection: Keep-Alive

Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733

HTTP/1.1 200 OK

Server: openresty

Date: Wed, 17 Jun 2015 22:24:38 GMT

Content-Type: image/gif

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Fri, 15 Aug 2014 12:49:23 GMT

Vary: Accept-Encoding

Expires: Thu, 18 Jun 2015 22:24:38 GMT

Cache-Control: max-age=86400

Content-Encoding: gzip

X-RevProc-1: n/a = ok

1326.............UwT....E.H..".F..@H... J...Yt!..D@..$@D...$HU\AE.MZ...."U.-.".T:.H.p.p....w~g.;o...;.}.......5...#..X..........ti.....8..........j.n,z....@.~Y..J...BH&..Q..WR.....u;....8!]..X9..].5q4...rM?......f.n5XO-.v.f.... =..%?,<.E.J{..'.}..i.-*l.j.L.i.x.L..bW<.b.(,./dvz.-..{.*_PG..O_.v...kq.{t..a.z.\q..U..&...=.3..`.{.....m~....t...w<4....c..e........2....W....H.. .s.H.........O......J..JA9... R...RPH..T......^.7([..l...&....|..|%.@@` ..J!E ".D,....|..{.4..n...........Ho....r..S.Mo.y....N.z....z.z4G...rK.....[...n..>.........M.r..&..f.vgT\....P.7..HS~7!..7#,.a.........w...<L.?.P|.z.>g...w.O^....Z.3...Rj/.4...lQj.*.%...X......jn83.._7lllP.;.n..U..Q..qfdbn$.Y..P.%.v...Z.zNSdR......%.M...z|e...t.R..#...r.........R...D......b...Hf.. wM;...os..T.w...j^/...7^......j.[..8.8Z.C,.%..ex.(.Qx.B....f....\.34....Cc}..M..)y-..2.....O..y.qeN.q1.Y..Z~K/...6..A..0Nj8..F.[.q9m...]...............VX"v{=z...z.{..../....-.5..}.L.\..p{.....mx...p.......^j.....LH..@o".L..."..L..^...&....05._.............`o0R....#..F..zH...B.......z0=}..........{.m[...d.de...m.T..H...`aaa.a.....0=ccc...C ...(.j..K......`.M.....}qA..2."..h...3.@...?.............x.........&.../.;.p.*....M...{zo....S.N......1.w;).. .gH.w....Tm.F......@`..z........4.....4."=Q^(==.......?....F........;a`q..a.0..<al`.@ .r...Dl...O..?.....5.....q.gq...U....q....li.W..... /\....4...w.o...u0....;...'..O..7....~.m.`..x~.mW...?..-..L.A.....*B.?.omn|[_[]Y...eq.................#....}34.{.......}..z..:;.....4s.....jk8.UO* ..JK......y..s..23X....=../5...w.

<<< skipped >>>

GET /css?family=Droid Sans:regular,700 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: fonts.googleapis.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Access-Control-Allow-Origin: *

Timing-Allow-Origin: *

Expires: Wed, 17 Jun 2015 22:24:31 GMT

Date: Wed, 17 Jun 2015 22:24:31 GMT

Cache-Control: private, max-age=86400

Content-Length: 187

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Server: GSE

Alternate-Protocol: 80:quic,p=0

@font-face {. font-family: 'Droid Sans';. font-style: normal;. font-weight: 400;. src: url(hXXp://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM.eot);.}.HTTP/1.1 200 OK..Content-Type: text/css..Access-Control-Allow-Origin: *..Timing-Allow-Origin: *..Expires: Wed, 17 Jun 2015 22:24:31 GMT..Date: Wed, 17 Jun 2015 22:24:31 GMT..Cache-Control: private, max-age=86400..Content-Length: 187..X-Content-Type-Options: nosniff..X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..Server: GSE..Alternate-Protocol: 80:quic,p=0..@font-face {. font-family: 'Droid Sans';. font-style: normal;. font-weight: 400;. src: url(hXXp://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM.eot);.}...

GET /wp-content/themes/sahifa/style.css HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:32 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sun, 24 May 2015 07:06:39 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 37587

Keep-Alive: timeout=5, max=512

Connection: Keep-Alive

Content-Type: text/css

...............H. ..k6.......$..=%..V.2.f.=m]5..g.W..`.-.`..RY2}.~.>...C..N..#.=...T}v..*...{.{x.......o.}..E.<.............W............a_......x.|...].<..UZ$.|L8..H.......)./...3.z.u.g.|..... .*....>|....aE^.m........V>... .YW...T7.?4E.&./..D.._..}..H6E!.q..]y.Mvu._Y./...nXue..k.<.=....a..Z4...b..'..we^.[6.J~IN...h[l.K|...E...E..*.~....*k.......lE=|....Y........c{...s..U..hw-......$?.]}.m...mS..[...."c..........&;.U.gw._.KHU..:........|..%.J~.......*Z....=....k...*.....S....~.L......-..7...<..;..B=..........C..!.D?.$..f.....(.f..ht...b...F....-..]...G.b.w....bPm?..*..I...2.dUv.9...\n.Cv,Og....(..rSo.u....%...y#...TO.N.e.}.:6C...^h..].O....)..|3>..f...>v.]v(..g......2.rl..N^4eV]'l7n.c&..e.Fm..;X.M.[.tv2.p.....B.{[6..b.5....1.r.......Dz..Mzs..uv.fU...c...uu..m&7T}l..`O............^.'...:Vu.Nc....U......}.........r.-.>...tr.`v....r. :C.....d.es..u.?.LU..^.M.1...............h....O.?3.......,..... dE..9d..=....(.0.U.18........#...k..........3.j..sW...p..Qof*Sk2....d.`.-...$.B..=..u.KO&f...{x_..rf.<.,i$.HJ...q.F{>.e$.`.n......[........7O..YU....a.N5.M.b...`....*;......5.H.....G.#3K.?.............e........s....d..?.p...z;b....'...".....y.E.M1*....w...k.n..m.VP..<.....LT0*....f._..k. Fw% .1.|.H.%e...#.^..!*.]6.....f.B.zf...n=.@.[.B..d.C....Oj......n.-...Cz.....GJ.....x.&...Fl.....g?..ax.(...rV.......-...5LZ..>d...u{F.'..4...L...T.OL.c,....2.V.%.n.y...........1..oN....C..t3......".(.....Z.]..?......M.{w.*~-....?.[Ppn:......S].}..O.te.U#A....(PU8-.....e.S0..0.BVB.L0...V...!..@6

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/BebasNeue/BebasNeue-webfont.eot? HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:33 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 54416

Keep-Alive: timeout=5, max=511

Connection: Keep-Alive

Content-Type: application/vnd.ms-fontobject

..................................LP/...[.............. ....,^......................B.e.b.a.s. .N.e.u.e. .B.o.l.d.....R.e.g.u.l.a.r.....V.e.r.s.i.o.n. .1...3.0.0.....B.e.b.a.s.N.e.u.e.B.o.l.d................pFFTM`.}~........GDEF.......t... GPOS.(..........GSUB...........tOS/2mP:....x...`cmap*.K....l....gasp.......l....glyf4..........Xhead...........6hhea.P.K...4...$hmtx..3.........loca.v7:........maxp...O...X... name............post.......,...=..........^,_.<...........N.......N..w.M...~.........................w.w...........................L.................@...................X...K...X...^.2................./...[........DHRM. . "H........., .............. ...$.2.....M.........(.E.(.......".s."...)...%.../...............(...#...(.}.........l...(...".......#...!...!...........(...(.......#...(.h.............(.......(.p.(.X.(.......(...(.......(.S.(...'...'.....~.(.......(.v...d.....#.....3...........r...../.}.................,.......(.......(.p.(.X.(.......(...(.......(.S.(...'...'.....y.(.......(.v...d.....#.....3...........r.........................(...$....... ...........#.............c.........#...............#...*...$...............(...........".c...s.A.s.A.s.$.h...........................D.......p.(.p.(.p.(.p.(.......%...............'.......................&.......#...#...#...#.....y.(.............................D.......p.(.p.(.p.(.p.(.......%...............'...............................#...#...#...#.....y.(...............................................................(...(.........p.(.p.(.p.(.p.(.

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.eot?14434071 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:34 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 10176

Keep-Alive: timeout=5, max=510

Connection: Keep-Alive

Content-Type: application/vnd.ms-fontobject

.'...'............................LP..........................}o....................f.o.n.t.e.l.l.o.....R.e.g.u.l.a.r.....V.e.r.s.i.o.n. .1...0.....f.o.n.t.e.l.l.o................`OS/2>)Is.......Vcmap.&.....D...Jcvt ....... ....fpgm...Y...,...pgasp............glyf]..F........head...H...0...6hhea..._...h...$hmtxW..........\loca0j4........0maxp........... name.......8....post..y.........prep.k....&....{...........z.......z.......1..............................PfEd.@.....R.j.Z.R...............................D...........(..................................................................................................................................................................................................................................................................................................................... .>.M.S...ROMB3..- ......#"'&7>.3...#"...76'../.&'..".#"&'..4.325'&5432.....2...6.."....>.2..... .7.......J6.(...F""......,V&.. .1...$....,.."8:tN..(Z........0`..*8"....&.....".....|.....f..n(&.F..&...........("t..".F.H4(.R..$.... ...44..........8.............*........."..@. ..........- ....&546%..632......#.6?..&.5!...#&....t......@Jb.^j...R.6ft..N8.rTT......00..F...(.P@.rPH..0\..Px.d~.............(...'..- ........'&...'7>.76.........3276&.676... ..j*N6 |..,..$...4.............(V*HL.vh......H..6B.......24 r...,L K .P.8..L`.~>6\......i...R. .-.:...60)$...- 5.46;......................'!"&%...!26...!"....;.26...#"....A..............r..............$..d.$. ....$$...$. ...$..q...bB

<<< skipped >>>

GET /wp-includes/js/jquery/jquery-migrate.min.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:34 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Tue, 23 Jul 2013 22:28:26 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 3068

Keep-Alive: timeout=5, max=509

Connection: Keep-Alive

Content-Type: application/javascript

...........Yms.6..~3..h6g.....{.He4n.4..iS......LB.m.P.P.k....@R.....LD..b........Qp....!8.3...6....4......h.O...~.,{.J.r. ..w2....@...A....ui.6...7..)...<.........r..?...".....`t|L..=.Q.(e.g..,.......h.u.c...F.b........n&.q?q-s..h].%ld..XGw0{||$...&.....p......_..p.{.u..'.......n[.8....)../...7".Q*...?h...>P..........N.#\n.g.......d...(.v...6.4Q..[f.o..v...n)....dI.}......_iu $....<..h.<~.N..5.....[.t..Be{....SY.........p....p...D..S?..r.1..|.....]..-..... .Zs....J......s...IXG.('.....|...v.|(s}k.\....J..._.r]....=..w1>...[..p...c..o$3..de..V.[.mxQ.fYg*..W.S...(.,.s2.GdlY...!..S....J.g...0?{....gC..k8....f*|Z.....A&U....H ..Ta*@..U...nZ-.4..*.ZW........OVZ.T....~...Z......D.H....~sL...C...eC...0P{..7:2.k- .D.../v...[....<..;u'. n .Y.[...._>...6]......^..D..=..!.......>Q..........A......XD.y.F2.....3..Rx$9....*.b~|...`).,..{....^s....`...'..%... ..'(.$P.H...A.t.q...{..k......Q.V.d~|..'&.Ej.]..KV.io]..)B.....9\.hTU...t.ex..Z.T..9.}.wf}..x..)...].......Nu.wc.......4...m... ..x.Sn..{]...3..F3.!p.q......jU#...@..m.l.3.S....d...`....j..N.p...!.=..!.4Q...UJ0).#.$..\.K..e..j .&.i_..,...BLN.......en...K..a...z..j.G....tz.5........h....`T...x.-.c.............._....?q...o.>..}...Hi.[W/2.d...;.en..a....^|..=`......9%_....~..^R.y.3...v_.C5.&..T.HC.......&.(Pn~(x.=....h...H.....[V.g0......J.......3KF........o/....A&X....k.k...'.k.v[.........V.../`IPp.`.c.y&.v.2..}..t. .sz.p...s<.N>. "...=2.N..........G~....l.f.T...ce..P....A.....Z..@R_..E...Q..a.b.....c.....u...H.w6.....$....|..VVPW].a.7..

<<< skipped >>>

GET /wp-content/themes/sahifa/js/selectivizr-min.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:35 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 2437

Keep-Alive: timeout=5, max=508

Connection: Keep-Alive

Content-Type: application/javascript

............ks.:........X..v`...J..^h.$....;.-'N.;.N..s......>..t2..y.Us..C.h.......!.vC..x..k.#.'..K.,.....T..^..,OCw.s7..6.E..K.."]gZ.....T.BO..0.H0.d. ...lc.%1^.}}.N1'.T..4....M.=...%i.g......P')..T..5.M...QD..N.`..D.....Z.....D..{.g...:.....DOh.fs[...... .... .>...~.J...R.g..@.....t]...V .#.......(..-yz.cQ.9...."t......}.. 9x<......@...`'.t....b......v......%../.Yv.....M..M..k{U.i..l5.......n.....'#H_.<t..V..D.\d9..'...p.}.....IQ...D].Y.-^..3..C..[..2..*-...2.<...9$.......LF.....;u......QD*....fK..E...V.]...@jy...U..*.......U.%...>....d..!..........8..)h`K.pVS...hbKn..C..........9......Qy...9Q...nC...]......$......oSj.......m....~c.49O...@...W...y......Y.@f..X.l...7z..0_.:......'....1q.. .$-../.j......A......J.*`.a..........W.(...72;o.)...F...o....s.FP......J'....1.v.{...Z.....~....P.........Rm...B.U..7....?j.K.d........,..#...5.m....Q.].......A.m3.`......6E..e..)|/.h.h.l3...H".k$.N@%<....;.,.k...B..AX.o... 5.."..(....\.I......N{..cy..#.vJ.BG.H.U.....]...../.7EXV.Y..U....5..;...C. M:..L.kY.............^.....<H..O!...J....e.}.....uF.4..vf.r.$F..z.{...#..E.<..Boj...y...X.6FI....b..S..y...M6...1..IP5.QK...k"..@G}.s.S.0B.._....G.:....U..9..cn.....-..C#.U....~...`@...vD.....V....i.Z..{.^..Z...v.#..x.(..Bc#.....p.y...{~r2.!^.&.]o*..v..}....My.n\9.....)v.".\...f........ ...M#.t_.j ..".j........yasX.`..#......O.........L./.f..q...LE`....9..E.....r...R.<k.N..d..G_a..D..j..h......B<..2.Lv.ed...Q.........G....%.....6.......~..Z......dp..F...7..U.7]...$.......hY.q......$....y...........

<<< skipped >>>

GET /wp-content/themes/sahifa/images/home.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:36 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 1022

Keep-Alive: timeout=5, max=507

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR.......N......`Vg...bPLTEIII...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...C..S...ttRNS..................!!$$''--00336699<<??BBKKNNTTWWZZ``iillooxx{{.......................................................*......IDATH....W.`...7.B.....G...[.......H...tB.<..o..4.4..~.........97WH.$..$.]:...W...Y."..a.&.'m..( 5V..&..KR.f...X......4(....E2...........'W./..k"n....L.....\.5.$7\`........].....Fw..._/QWr.0....R....w.D.*.......O.m...uo...kr._.....CyL.?7.s^.7..7y/..U...R..u..S...>....;.D.EX..Bxu......[...R.c.J.X?cW.":...~....e.......%!.0B.....u.s....G5...*k.{.......'...Suk"...P.H..i.&.0c..:.G..O/...Y.....G....^ B.Ut...w....!v...Oy.#..l..1.N....m..y.l..a...;....3...D{..x....X....mz.....cG........IEND.B`.HTTP/1.1 200 OK..Date: Wed, 17 Jun 2015 22:24:36 GMT..Server: Apache..Vary: Accept-Encoding,User-Agent..Last-Modified: Sat, 23 May 2015 21:00:23 GMT..Accept-Ranges: bytes..Content-Length: 1022..Keep-Alive: timeout=5, max=507..Connection: Keep-Alive..Content-Type: image/png...PNG........IHDR.......N......`Vg...bPLTEIII...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...III...

<<< skipped >>>

GET /wp-content/themes/sahifa/js/tie-scripts.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:39 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 20775

Keep-Alive: timeout=5, max=506

Connection: Keep-Alive

Content-Type: application/javascript

............kw.8. ......4..&-H.....L....r.....=5}..<|I.M.J...,..~#...$%;.......r.$....x!....uR<8q.....r.E....t...4_:.....|.._....E^./.".2....k^...]..VIa..iZ.G.....~..........z...5..A./....,.0K.#......h.7....YU.3...`..M:u..A.Y...R...... .~-........'..ZM.h^.8eV..a...mPX.".~...ub..i..c..N-.....z5.\...f..mf......J........[5O...0T...-.}.....9,BC.......9..7YP.@.."..7 ..h5....#...@$.....7>V.."._..P.g.'{..E~W6*..l.....M.$.C....K.. .*....az..c ...w..Q<5..8...};.......I.NN.2@b?_W.....Bg@....W...<......h..."5...A)..n..\KR..s$...4.U.....f..g..8.:.bU..<~..........]/({S$.......9..h..,/.#..H.u...AV&c..o.x..;t..uc..U.k...~....;G...g....qY...8)......*.e9..Eim6].R..]....X......(.#...;`...Kg`G5..p.b..`p.&..."..,...^..r..9&n.6;.p..uF.......'...a...U(...Grn.M ...B3..9:..[ .}...>?;...r......@.....Z..,..U.YvG_m.Y5....s.f..).v.......Z...={j..i..9....C.!'.@..>.8JM..........n.B..@...~_%..|... A.D.`...a.B.....ZUP0.R@...Y@...=.......Rx......i...fK..ut.Z.......%......$.E......i2=......C..r.......NMDV.J.Z..........v.Q.$<6...Y...R~)Vppn.......[;zo.....P%h....S......._. [..e.W...;..F.|.5 ..@O..|....7M...V..f. .%7I."....[@U.D.....X.7..\....yx1.Y@..5..[.....Q..0..|.....^2..E......).......*.M..y...%..2].U.<..y...t.e..at.\S)..Y99. "..1/ ..g`Z.....p..'.UNs..-..UP...........=.5...2A....X^...7D!U.gU."....j ....:...(.....y..q...f...n....X.m.@.2....|..r.........UO...`.ov....}.?.v..r......6....d'..</...g...V..'A...Z.?.,..]...........FM~g.K...>.:u..E.:..2.Hw..........y.bI-O..j.-Kk-.C......E.5G.Tg\.(.......|.:.....o...

<<< skipped >>>

GET /wp-content/themes/sahifa/js/search.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:40 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 3635

Keep-Alive: timeout=5, max=505

Connection: Keep-Alive

Content-Type: application/javascript

............ko...........$$S.].$.........k......\.<S.@R~......I.%9.h..$.....{v.p...& ..eD..?{.....xQ....E.>.!.c......[./...zF.p...zBXu%.../[...|..i.V.\..........I..@.O...Y.&......=q..l.7@......6...F#...w..#....c.t.F5...:.IRq...0...WYA.eE8K..........$'5.'.,...5......,.NV...j..._Kr.n9..........u..z.....MT..D.R.f]...y...gGq......C6._S...8l..LP...-B.N..!.....Q.8...&4..ii..~..D^.T.3...&..P..E..'/.U,......@...3#.:.'8.dK^...E.3..:. ........p*..;3j;.A...UU.MM.._..&.oY........T.q..d.'?.2.4U..uS&.r........"..../r`.A-.wY..(.yq.\.....<........m78I.[.....OI.......C.O...3.}..u...~.f.*g...,..].6..`.y...2&.......H...;..g.X.&.$A../..h...!...U...),......5z.sRy..../=[....R2........R.....y.4.r......*....t.6S.O..o....\t...*......q..P....N9u..S.........1\....\...e./......."..A.8e....0...Yr.*.'D.....I.)..k.......5 c.O..3..@O.jF.....%.._.$%......<.8.`.....|./.2.......(....=../....z.....W\2.\......9.....E.....Y.!=Y....2.`..r.|.0T8.y...:l9nw)z......`..l..`.$6.....Z..6.~.K?x< ?Ky..Fn.n[....k...gy.R..x. .W....E.......F..(...Gr.d...I....A.~4...H..W.Q.........X...IHh..k...T=.0f..Xz#.p...f."E...a....C...t.8..........o...0..f...xY/.9. .5_.........m....z......P...b<....q./..>VJx..rh6eQ.b..Y......z.....G.L.;.k.E6g......!.....9.!..W2.q..s..B.Gg.[...K'.ye..&...b....."..9@#...T./<..*4.....UGQ....>#}...T....B..}U....C- .xI..$9?4;.r......0...8..Z.R...v .A....4=).c.u..!..J....c.d<.Yq.3.....2n...!.$a......5..u.V<.L.&.7.0..c].-....w.&(~*..k.d.....H.......GS.L:..t.h...GG.O...J.U.|.a..x...1D...C@.&"^Ml..\]. !......`i.....

<<< skipped >>>

GET /plugins/likebox.php?href=hXXps://VVV.facebook.com/vinacfpro&width=300&height=250&colorscheme=light&show_faces=true&header=false&stream=false&show_border=false HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.facebook.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Location: hXXps://VVV.facebook.com/plugins/likebox.php?href=https://VVV.facebook.com/vinacfpro&width=300&height=250&colorscheme=light&show_faces=true&header=false&stream=false&show_border=false

X-Content-Type-Options: nosniff

X-UA-Compatible: IE=edge,chrome=1

Content-Type: text/html

X-FB-Debug: GgKCikBkR1elnc/oPEIuDYI 69Y048gF/4NYEWAu8l076KabvWVp8o pOIL3O8Cx93P6V srgHc5QWWjlWfO7w==

Date: Wed, 17 Jun 2015 22:24:36 GMT

Connection: keep-alive

Content-Length: 0

HTTP/1.1 302 Found..Location: hXXps://VVV.facebook.com/plugins/likebox.php?href=https://VVV.facebook.com/vinacfpro&width=300&height=250&colorscheme=light&show_faces=true&header=false&stream=false&show_border=false..X-Content-Type-Options: nosniff..X-UA-Compatible: IE=edge,chrome=1..Content-Type: text/html..X-FB-Debug: GgKCikBkR1elnc/oPEIuDYI 69Y048gF/4NYEWAu8l076KabvWVp8o pOIL3O8Cx93P6V srgHc5QWWjlWfO7w==..Date: Wed, 17 Jun 2015 22:24:36 GMT..Connection: keep-alive..Content-Length: 0..

GET /wp-includes/js/wp-emoji-release.min.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:31 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Mon, 11 May 2015 09:59:01 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 4284

Keep-Alive: timeout=5, max=511

Connection: Keep-Alive

Content-Type: application/javascript

..........u..r.8....S8.-.,.2....WWOz*.}.........C[.,i$*IO.W.y.y.}...]~L;.l.. ........WWg...k-......B..F6W.....<..f...b......>.....B...".?...9....n.....T...ki....Y...,..^.j..|j.Z..5....@E....`........j#Q=......j..jC..^...f..:.&....P......&....\.w......W......H*3\...~_I.UU%..p....&.&/...-..l..W.I=J..........OH.I..........n}....LK.G.I8.........:.j.m.$...:./..i8..$.#9.n...>.E...h.-.U..h.m.6.V.V..........."..M.".*..J......]W.at_mo>.F...i...| ..*~.P-.MD....9k.y.0.-.|..V......j.....3J...^..j....z..o..."....Hom.....nd........<.T2.j>..~.............j!...>.;.d8{...m.aG.=.Y..o-..i..Y.m%hO.o....r.\.z.\W...h9.s..t...p...hj`...T=.A4h.|#...Q..Zuu....>."..zY.O...K]...,..|..X.......W..).~.Rkk....kY..._.v.0|.c.mz...JG?W..:...U.. ...Y..k..f..G]..f.{...Lq.uuT..)ugU..j..y...^.._T....p..../.c..C.....W..|co...tm..'......^.?\......ek.}..^Vl.....^...SOp....7Xl.kY[.n...l.....|.\..:.p..............z.yk=OEIi].0..E.....UP.......h..E:)/....$......"H.4;...N..u.<.Y......r.ym.....{N.S....l....P...v.:.F...^.nT.......vP./....cWD..o.4....u.@.Y.{..at.e...u..d.}....W..C....@Z..|%X.....;c-....m7..q..n...:...J..k...tus..[E._c.k.9........................g..@......Z."0...a8l.{:...].....\..s[)..........M....=|X..A....m..P?V.....}..6.n../..Y...z...r~}x8u..Ax1.:....6....vB..>..l....d...........\|.u;......^.j.....]...S.....R.........7.....c;..Qw.>E....h_o..uF......U.\O...q...#..u.. (\..`.J|....H......L.@...T..o|..LX.>....j$n.....d....{.g.... ...?s/{.^.....{.....h..5...=!..CP...PR`k..).6ak..61.4......Lr.......;c6=V...1.3N

<<< skipped >>>

GET /wp-content/themes/sahifa/css/ilightbox/dark-skin/skin.css HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:32 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 1319

Keep-Alive: timeout=5, max=510

Connection: Keep-Alive

Content-Type: text/css

...........Y.o.8..n...>.....BZ.4.=...>.........`dL?....lc.....j.i..g......sLp...}..3b...c......I.7O..E......?...8;=;..<......{A....\.w0./k..!.....[.....;!....I.?z......P0ry.1.......).....`.R.....%..3..8M.@.aq.I.s|.......^._.s.;_]..c.aHO.......1.x.3.i...r.^..d.....nC.e....G... 7....*NS.2^.t.!q...g&....q.....d.UGM!A..uRK.:.T..f...0........A....20.n(._.9'D.A..6........`.....|'l...C.V<.t..<k......y...........0"(V:..n0...2_.M......$..^....~.k....b....M%....L....e..|T.....{t......K%GD..{O...(.G-J.. ...j..L..Q#...d.....X.,......I......z'.S..y.....5.n..IX/l.B..C..z.`!R..v.....S..7#0.s. .e._.J.....ts...a...uW.z@.t..);..FX........_Xp..H...e5....g..?7q.....dB..P..l.u....K"U..g.O..;.^V...*..N.(.^D.*.'[.4.SR."...oV..R#.9..$..C_.....G5.'@U.. 8B..N.=L...5..E'....MI..z.m6..a..d.v.........V.....B.!._...9Re..S.M..(..!.!c..$>N.6c..=..8..;.81i<;.....W3.k...#.Yj.i.\?....Ss.Z...J.cu.yF....p......L.0'..[1*i$.V%....@......\.4.7G...._..._U.U......w..%...U....{.Q..f....`..v..Mw.C~.....w.>J!&yg.>.t<R/y...u..}R.M.?...3P...m.8.....{.1..;.ET..*d...0|.7M.8).....}Y.ve.Z..{..._...U..M..............4..._.{{H.h.............. .......}.zg..E.....^:wXu.$r...$.rh$.l...v3ox.A&.d......3C.P.....F..z..dH..7...|s........up..Q!..@....Kki..j@.h....B..e...../......4.R]..Nu`;.%...^...}...Sf%.. ..._.n.S....QG....W.7..c.\.......).......@...<L.y.......

<<< skipped >>>

GET /wp-includes/js/jquery/jquery.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:32 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Mon, 11 May 2015 09:59:01 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 33287

Keep-Alive: timeout=5, max=509

Connection: Keep-Alive

Content-Type: application/javascript

............yw.../....".G..%Jl..'.!<....x.....h/L.$N"..d...o...*....s.[....E.P..k...y....w....m....^..O.,8yqq.........Vw.<..VKu..2.Q..[|..6..., .......t.w....D....J..l.E..q]..'.U~7/NO.|.....f....Q..W...X...j.\.a.P.4...2K..nV.'.....f..........m..Irr?[...~....)...M...,O....._...............'.Mg[U...ds.E.............2KvjL....TM...(....i.tP.h...^.6..D]..4.~{..n.Z.....A.y...yj.U.........*....A-.._.W....^}............|.V..l.=;W.....^...o..|2S.................-G..z...0a....p.h....].[m.......=O...d7./.n..f.<. l..{Y2...n....Uv....|.....2..s.t....G....jeX...$..T.ULi$.b3)8k.......14......#..)....y5/*=."..a.T.z..-)Y.E.n.%Wi;.S..._....l.D.KI.4.zyO..q.......G.........g...X....Ay..;...)Oq.2....,.&].....v.k........2.....h..G.~....]......Fz_.c.%0..A...]....?.....Q;..8....!.b....Pc:.v".....N.4.....f..Q.?.......H.%........R.TW.....a'...7.~f.5..{.B.$...hF.Md.N.....r:@E.[.D.E.. @........h2.G.R.~&.(....S......l)sM7.5.S5..A.. ....O.%....... N...Mw...4d4..u..i.....j..\..p.J5.hR...D.MB.<.W..........A......X......>%(.y..m./..1.\...Me../...x.Z.....]..C..$ZD......S.._3Q.}K...4J.(..q.yz.Dt........ofYK...RT.l.l..g.U.....X..W...Q..y.y...II.k..U.pig.[J.......qF..'..*/...l..;}*[.m..A$..?=.\..L...{...-P^v.....o.^....~...*S..{.[./."@.4....!..I2[X.7-o..;Y..M.[_Z.8.z^....Dg...x:....Q9...N.o.J......l......0.....L.....l3[...J....u....E.,.9p...$.@..G..W.........P......|.Mk....juo..Ll5....%.}H.=...2.{...cwf..N.',.`|Y....9./.k2,.|..-F...tS$7.bNH5.........d.Q.P..c............u..|..r.....qn.... .....A.B.....AlP.Ly[.....l/..DF...........]M.

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/fontawesome/fontawesome-webfont.eot? HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:33 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 60767

Keep-Alive: timeout=5, max=508

Connection: Keep-Alive

Content-Type: application/vnd.ms-fontobject

_...y.............................LP.........................P......................F.o.n.t.A.w.e.s.o.m.e.....R.e.g.u.l.a.r...$.V.e.r.s.i.o.n. .4...3...0. .2.0.1.5...&.F.o.n.t.A.w.e.s.o.m.e. .R.e.g.u.l.a.r.....BSGP...................T..q..u..*.......Y.D.M.F..x...>..........)Y......h..D....pj....f.i..)..U.'.&a..;`.*.../.....V...B.....OV..r.n.:..{$2D....:.&...m..d ..CeH.\../o.......U.M....X.`?....?.A....C...@..'.(g~......%(.Jl.&zw.....W#.mw".].At.....k.......p....E....[..=.gM.................go..W.R.q...`{.ZwUF.........o ..D.p)A8.....$..M.#.>..?....... d.No2..L.......<.t.....B..T..a....<...`.......e.SO.....cI[.p..E1R*.fMd.....>..2V.........z7..&. .....f..V.(8....aR.....x.Z\R.e..$.Vw.......K......gs.......*.... ..dI......6......)...rj..:Z."1.'...<....'.Q/....8..).B..5..tgk.AM.)...|~...."....2.... h...(.&.c..sw...(....h.Dg.k...w..zm%.f....//5.%....}....k.......... ...@....[#.D)..J<..?YAT.......o.s%....Z...G).5....#R'...#...).... R.....Z.z... ._....K&%'5.....(b.....Y..i_......|B.>U.......<q2i.....Q....7.....<2.._.y\n..9..u w.'!.p.5...q..u ...XU@.1OZt.I..g..'d...5.,.Y_.M.i.......D...H...Y.y.@.f....`Oqi...b...5..p......E1....x..............F?.....fS...n.>m"fE...u..n=.y..`LA&C.2].W&o.2pKDRI...3L...px..$.P ...p.P........$..........,a2T..X.!......av.....q.v,KZ...E..r?Z....m."..#&?.>.i]G^....Y....E&.(m>..?.hp..X..G.e^J...9[|...}...b..b..........P|q.......ka<..j$.....t5LG....i..#....h..W.kR..T.2...Of.e......b\~...fAh..L..La.......!...P~e...0.l ...Z.....$...0@.0.....GG.W....e..WE.

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.svg?14434071 HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:34 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 4864

Keep-Alive: timeout=5, max=507

Connection: Keep-Alive

Content-Type: image/svg xml

............[o.Hv...WT. H..b]Y..{.t.......$..iI...$S..._..m.H.}$..v#@.7yT$7..e..w.......{......y}.^.'.~.........'7.'...w_......_....p..o...._..O....z......o..................\....<=...._}.^...=..........n<.F=t*a!.:_.O..$k.7...y<.....x}...w...on..xw..rq...?.8......j..f7..........{s{.\L.......N....W..o.u...:.}............. ...'n.....]........c6....z}.y.F.......u.]......j........^.....F...?./..|..S.}u..u....~|w....i.hG...../d.....^zv{........0..^...z,........1-...}.a...NE.b.._.....K.i,V....B.\typit./.....}..........q..QW....g|.S.....".$....X....|...<.>{...zw[|..N....o.4...g.m.I.)......$M.Jx..b...Ik...a...a.....c.Y3..D.pu.....c...^..5..v-j.LS.2.q..q....OK.B...s..].^5.8W.r.^....BQN.1..X.........".k5A..;4......k....Y.KC.U.......2.QB.(.H7.c.~....Z_..wWg....7.....i...."...z....../p.q....g.(u.KhI.b.....I3.e..V.\.K......N.r...9.]F.............7....,.p%..k....Tb..2..?H.L..U...C.K.o..o....&'......t.1R.,8t?....U.Q.,......Q.pu}q{...).Iy..O..-..M%...2.lkFo....6..\%x.G.r....#jM6..N.HQ..0ysk)..#.>8-BQ......Y..1.4..E.......*..8..V.I.PC..d.....BS......&...(.rL(......sU.......H..a!&...........n....;.q.t.7."K....Q{BW....). .......(.dPf.....R......(Y.......\.ICD..m......X.O.....H..u.v....]n.j...!....F....E....T...%.M..r....wM6..y..32J.....p2OB.RQK|..6.A.>..~.u.........Ao.no.../ww.=2_~4_*.....(:p....mH...g..~...6z0.....>-=.........Q...5*..L'..cspDQ#]h..K.!F..q._.).).\"^...H@.......L".Q. j..]w).o...! 7..5f.4.......e.ee.$Wx._.U.Wd..f!.Xa......5...z.......P.!..0.A..K_.&zF..-..=...>4.........f..-G.-.q. ..q..4.8

<<< skipped >>>

GET /wp-content/themes/sahifa/js/html5.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:35 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 1220

Keep-Alive: timeout=5, max=506

Connection: Keep-Alive

Content-Type: application/javascript

...........Vmo.6..._A.C"....k?.QS4[..m1 ..!K...$&..Q.W....Q/........;......8......{.nJ.F.....K..k.S.@...>..j..Z..8............_.=C........~SLW`..%jtk..Qim...E!l...h,.uo}Q.J.h.kt.x...bVh.P...i..a.....F.pj.O.W\...8$.l...{...GZ|...p.i.....s4.4k....2..F!.....@$..Ec7....t./...d..pc..\...H..^.Bf ....a..Z.C.4.....<.M.u...7..U.K.5.....aL.f..:.I.mG..?.w;?..].Z.."..put ...nE..d./.=....p... .5.BNo..e..W..V...x..<.......K..6|...{$..Uo...P..NNf..x....*..A..:.....).\...<...m.L%.a...z...<L..$.s...^.0..^K.x...... ....D.....S...9.......8.PT...I..:y.].../T..<..q0.....`.C.i2.....X.$'...'..T....`....gk8........U...D.5ix..6.P.t..R.......=..vpyk..5..K..B...C....../ZW.yw[.,.......-...-...g......=.DT.?..^.....O..%.......wPHR....$.....Xz6r..,K......2N[..... W..5...:.?[...tz.."7@7N...W.o..B...E].F{...eb.r.e.p;x(.]....].. _.....iQ.N...N..K'.....r.Z......5...N.65U.hF...t.,M.3....l...E.l.?(.g.ke.CN.Up.\,I...B.?"..../........P.X@..........V~.)q..l..'.....J.~Z..F./f..}...H.._2[.....W0.Z......F...J...Zk./...Fc.BH.tq.....y....D....Ir...N.l._C.z..rO$.e...c.........AA....#.....N...=..C....0...L..,..n.9.i.......\...Fi&...(....)..F.B{.B.U....@Uh.*...U.....n-\.......4..j..47......0......fI2;'..?... ....@.........[.t.H......R4d....m...Z.......

<<< skipped >>>

GET /wp-content/themes/sahifa/images/patterns/body-bg32.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:35 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 4069

Keep-Alive: timeout=5, max=505

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR...F...F.....q.......tEXtSoftware.Adobe ImageReadyq.e<....IDATx.t..r.I..E....?....A.4.,c^#..zT.3..j.......z.........w......G..~..y....._.~......{..........>.x.k...q..w....y.{|........o..9..,c..o..>c0.cq..........|.......g...<............p.]..../_...}...7...Y.'Sx..]........._..z.....2..dT.%S.....m,...f\.s.?....,.........b.2.].b...*M..={.K>.w.......q...........;6..q..X.z..d..@'...J(..L............v..p.] 1..$.^w.......E........Au....._..u>'..q..a%....y...~W..q...|....2....N..`..W.%X...]... .e..3.4.8E]z.(.J,..@.UR......H..A&.4....b.</......8...))NPu......T..T.j[....(....k;........si.*..=...N....z.%..@)S...30.I.S...p.... .T.w......>>/...{...5.....w~ Z.....m...J...E#....^-B.....;.>}z..U..)U..Y..^*.J.......!.P.Tk........2..cL.GU..J...... m...i_. ......z>.[G..|.q.-......V[.o%C&.u...V.TFV...^S.y...:hY..}s..w....1..U.\.....2........@'.X.T.[5.7..U..j..L.].l...E..=.`.<k.........K...j .c.;..hw....b.z....'....J....U.h..<#....8..........b!..J\....e..z'9-.}V..0..D..i(.........@4..WT].......'..~jo6. f)F)s.A........b.5.."<..{..K...kJ~...#....u.5t.H.I.mT.D.dj....K%`...e...6g.'6..AC..z_o..z.E.G.W..$...."..Z~U..M.p.......Hz.y....U.6..jK\..*%.".'....GmJ.R=.~EY....3...tqef.....g.S.5.R..V.....%.K5.Y.;..pBP.2/.ht.l-.DA@.ds..G.v.y|..u^s?..nX.lih..v...}7P.yE..s...F.T......R...q...$...h.V...7.Z...t.\.e........0...C..7X.Q2...L....N...r.qs8U.m@Qu3.._.b..&....*5..%.<3Vm..;.......{C.....&....z..eX............!B..A...Y .J...T.M.V%|..D.M=.70.9[lN.m..F.......B...E.......8.a...b.c..k...

<<< skipped >>>

GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:36 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Length: 93

Keep-Alive: timeout=5, max=504

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR....................$IDAT(.c`@.)$.@.8...H.D.3.h.v.i..%B.._...........IEND.B`.HTTP/1.1 200 OK..Date: Wed, 17 Jun 2015 22:24:36 GMT..Server: Apache..Vary: Accept-Encoding,User-Agent..Last-Modified: Sat, 23 May 2015 21:00:23 GMT..Accept-Ranges: bytes..Content-Length: 93..Keep-Alive: timeout=5, max=504..Connection: Keep-Alive..Content-Type: image/png...PNG........IHDR....................$IDAT(.c`@.)$.@.8...H.D.3.h.v.i..%B.._...........IEND.B`.....

GET /wp-content/themes/sahifa/js/ilightbox.packed.js HTTP/1.1

Accept: */*

Referer: hXXp://vinacf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vinacf.com

Connection: Keep-Alive

Cookie: __test

HTTP/1.1 200 OK

Date: Wed, 17 Jun 2015 22:24:39 GMT

Server: Apache

Vary: Accept-Encoding,User-Agent

Last-Modified: Sat, 23 May 2015 21:00:23 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 23364

Keep-Alive: timeout=5, max=503

Connection: Keep-Alive

Content-Type: application/javascript

...........}y[.H....).:MKA......k .@X..f..........{~.J.lHw...<.M7V..:u.lu.....?.....i4zT.G.fk.=xPr.Yt7.N'.A...N.)..;m..(..L..........d..M.).....Fc*.(.i.y..<.N......`(v.*&Y...5.9.A.. ;-.~4.xHI.e[...atg...lk.......i?@...........'.M.=.i.M.#.mD.Uu|m....a..y....kZ...y....8........=..h....5..;.9..T.P..Y..k .j..a.."m._..H...x0..^.W.. ..p..W...3....z.;%....z..I......:.{.5.W..WW.......{.....P.2.....8h.MU7PF....p...Y..4....d.....>.....<...|.....s~F...KVE.....j.N...m..P.....4.T.:.`.....a..u..d..w....G..."...^.Pi.%..iz.o.,.8pU........3.u.lz.{..."...f6G......Y...[..V..!.......4..mK..?.......&".i.."ji.[......Y.iOv.......v..EV]..M.oZ=...O.!.#....W.....%.P._.l9V..Z.WW.&...i.;......^.9....Z."..#M......V...Z.Y.0.o..hI.$.....,.......2EY.....H..A.....%,Y.^..\.P.........F......h...5.:.....k.X]E..f..!.&....,.f.fu...k..4..k.k.Z....F.....s......`........M.....3L.<.9k%.A.P.|......"......7.FTL.\....Q..7T..'.....4.:H"...Q.C..z^v...v....}f..b..........3~.................z...4s4..Z....^.......R.<.[.i.?|......D......!..~...~.8..:.y.?.....RU..S....!.m...S. ..(\......p..."\~.pE.3.p..3......F..d.....QoM........:.F`.:R.)...y.(.....f&..O..X.bA#....5|....t.of.QK.DIT...bS..........g...t".4."..VW..F........./..a.?.o...Z......o..eC.:.ih......E......kyC.j...f.k\...-....i~.......&IL.W......eV...>??...2....DlE!B`D..._.}.?;..._:....'.prE..O|...F....o..lc.X..r....19.K._.K..r..Gn..3m2....j.\..`.d...t..'..%...o6R..\...3.).Cz..`.w...*..#....S.A.|z.z=r}...i.KhR..M..(...\ .O....k<t../.f j..O1....sf..,..$p<E..:u4..C.33R7U.~.D.(>..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1380:

.text

`.rsrc

SHDocVwCtl.WebBrowser

6|!6z!6w"6u"5u"5u"5s$5nO(3[ 2N.1B1083/14/ 5/(5/&6/&6/&6/&6/&6/&6/&6/&6/&6/&5/'4/*3//106/1>-2I*3U&4b$5m"6u 6{

6|!6z!6w"6u"5u"5u"5s#5oO(3\ 2P.1E01=00:00:/1>-1F 2P(3\O$5n"5r"5s"5r#5q"5r"5u!6x 6{

6{!6x"5u"5r#5q"5r"5r"5r$5nO(3[ 2N.1B1083/14/ 5/(5/&5/&5/)4/ 301109.1C 2O(3\%4g#5o"5t"5u"5u"5t"5u"5u"5s#5o%4g(3\ 2P.1E01=00:00:/1>-1F 2P(3\O$5n"5r"5s"5r#5q"5r"5u!6x 6{

!6y%4i(3[*3S 2Q*3S(3[O"5u

#5qO&4e$5n

$5k(3^(3]O 6{

"6u'3_*2R 2O)3VO

O 2O/1>2034/ 5/(6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&@@@@@@@@@@@@

$5l'4a(3]'3_O#5p

#5p&4d'4`O"6u

!6xO(3\(3Z&4c"5u

#5pOO#5p

!6xO(3\(3[&4d!6x

%4h)3Y 2Q 2P)3XO

6{%4i)3Y,2K/1B01

6|!6z!6w"6u"5u"5u"5s#5oO(3\ 2P-1F/1>00:00:/1>-1F 2P(3\O$5m#5p#5q#5p$5n$5n#5p"5s!6w 6{

WWW.VINACF.COM

Project1.ucAsyncDLHost

Project1.ucAsyncDLStripe

ieframe.dll

WebBrowser

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

A%System%\ieframe.oca

wininet.dll

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindCloseUrlCache

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

user32.dll

ClearWeb

shell32.dll

ShellExecuteA

kernel32.dll

PSAPI.DLL

ntdll.dll

msvbvm60.dll

%System%\msvbvm60.dll\3

LIB.dll

advapi32.dll

GetAsyncKeyState

GetWindowsDirectoryA

VBA6.DLL

RegCreateKeyA

RegOpenKeyA

RegOpenKeyExA

RegCloseKey

GetCtlKeyForURL

GetCtlKeyForLocalFileName

DownloadStripeByURL

MSVBVM60.DLL

.rsrc

.reloc

.lS\d~"

.tTP\

%fJ>0

".oCh

`.data

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

HttpAddRequestHeadersA

InternetOpenUrlA

`.rdata

@.data

@.reloc

^}â€¢D}

KERNEL32.dll

SHELL32.dll

GetCPInfo

%WinDir%\SYSTEM32\miniads.exe

%WinDir%\SYSTEM32\shellfile.dl

%WinDir%\SYSTEM32\dllshell.dll

miniads.exe

HGWC.exe

crossfire.dat

%WinDir%\SYSTEM32\miniads2.exe

miniads2.exe

msvcrt.dll

Kernel32.dll

WebBrowser1

AWebBrowser1

`C:\Windows\System32\ieframe.oca

4*5054585

0004080

.data

ATL.DLL

ADVAPI32.dll

SHLWAPI.dll

ole32.dll

GDI32.dll

USER32.dll

DUser.dll

DUI70.dll

0%D[$

H$l%%u;

autoplay.pdb

_amsg_exit

GetProcessHeap

RegCreateKeyExW

?OnAdjustWindowSize@HWNDHost@DirectUI@@UAEHHHI@Z

?OnKeyFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z

?SetKeyFocus@HWNDHost@DirectUI@@UAEXXZ

?MessageCallback@HWNDHost@DirectUI@@UAEIPAUtagGMSG@@@Z

?GetKeyFocused@HWNDHost@DirectUI@@UAE_NXZ

?OnWindowStyleChanged@HWNDHost@DirectUI@@UAEXIPBUtagSTYLESTRUCT@@@Z

?SetKeyFocus@Element@DirectUI@@UAEXXZ

?MessageCallback@Element@DirectUI@@UAEIPAUtagGMSG@@@Z

?GetKeyFocused@Element@DirectUI@@UAE_NXZ

ShellExecuteExW

?SetHandleEnterKey@XProvider@DirectUI@@IAEX_N@Z

?CreateDUI@XProvider@DirectUI@@UAGJPAVIXElementCP@2@PAPAUHWND__@@@Z

?SetButtonClassAcceptsEnterKey@XProvider@DirectUI@@UAGJ_N@Z

AUTOPLAY.dll

Can't find ordinal import.

keybd_event

MSVCRT.dll

U: %d ]

06 / 03 / 2015

vdk.dll

avifil32.dll

VINACF.DAT

[ ]|[ - ]

CrossHair

OFF|KEY: R|X1|X2|MAX

OFF|KEY: F

OFF|KEY: B

FAPCFLIB.DLL

FAPCF.DLL

00????00????000

CShell.dll

d3dx9_29.dll

5]5#696>6D6K6P6U6Z6`6g6l6q6v6|6

Object.dll

d3d9.dll

hXXp:///

Nisual Studio\VB98\C2.EXE

Nisual Studio\VB98\C2.EXE.Man

Nisual Studio\VB98\C2.EXE.Manifes

Q*\A%Documents and Settings%\Admin\Desktop\VINACF MOD - CHONG MOD v24\Project1.vbp

REZ\NationMsz\SA_MSG_DEFINE.msz

REZ\NationMsz\SPAIN_MSG_DEFINE.msz

REZ\NationMsz\EU_MSG_DEFINE.msz

REZ\NationMsz\ID_MSG_DEFINE.msz

REZ\NationMsz\US_MSG_DEFINE.msz

REZ\NationMsz\PHILLIPPINES_MSG_DEFINE.msz

REZ\NationMsz\RU_MSG_DEFINE.msz

REZ\NationMsz\VIETNAM_MSG_DEFINE.msz

REZ\NationMsz\KOREA_MSG_DEFINE.msz

REZ\NationMsz\SEA_MSG_DEFINE.msz

hXXp://cfpro0009.googlecode.com/svn/trunk/

anti.txt

VINACF.HTML

hXXp://bit.ly/1MBMSIF

font:'Courier New', Courier, monospace;background-color: #000;background-image: url(5000320727_636b010314.jpg);background-repeat: no-repeat;}

.keyclick1 {color: maroon;font-size: 40px;}

.keyclick1:hover {text-decoration: none;color: blue;background: yellow;}

.keyword {font-size: 8px;}

.box{position:fixed;top:-200px;left:30%;right:30%;background-color: #000;color:#7f7f7f;padding:20px;

a.activator{width:153px;height:150px;position:absolute;top:0px;right:0px;background: url(clickme.png) no-repeat top right;z-index:1;cursor:pointer;}

.overlay{background:transparent url(overlay.png) repeat top left;position:fixed;top:0px;bottom:0px;left:0px;right:0px;z-index:100;}

border:2px solid #ccc;-moz-border-radius: 20px;-webkit-border-radius:20px;-khtml-border-radius:20px;-moz-box-shadow: 0 1px 5px #333;-webkit-box-shadow: 0 1px 5px #333;z-index:101;}

document.onselectstart=new Function ('return false')

.box h1{border-bottom: 1px dashed #7F7F7F;margin:-20px -20px 0px -20px;padding:10px;background-color:#FF0;color: #000;-moz-border-radius:20px 20px 0px 0px;-webkit-border-top-left-radius: 20px;-webkit-border-top-right-radius: 20px;-khtml-border-top-left-radius: 20px;-khtml-border-top-right-radius: 20px;}

a.boxclose{float:right;width:26px;height:26px;background:transparent url(cancel.png) repeat top left;margin-top:-30px;margin-right:-30px;cursor:pointer;}

.drop { position: absolute; width: 3; filter: flipV(), flipH(); font-size: 40; color: blue }

if (window.sidebar){

CVN.SYS

Document.onmousedown = disableselect

Document.onclick = reEnable}

if (document.all){return false;}}

if(document.layers||(document.getElementById&&!document.all)){

if (e.which==2||e.which==3){

if (document.layers){

document.captureEvents(Event.MOUSEDOWN);

document.onmousedown=nrcNS;

}else{document.onmouseup=nrcNS;document.oncontextmenu=nrcIE;}

document.oncontextmenu=new Function('return false');

var minutes = Math.floor(time / 60);

FVN.SYS

minutes = Math.floor(time / 60);

function stime(){document.getElementById('STATUS').innerHTML = 'T? ??NG K

if(jgt == 0|document.getElementById('KICHHOAT').innerHTML=='100%')

clearInterval(timing);document.getElementById('STATUS').innerHTML='K

document.getElementById('KICHHOAT').innerHTML='100%';}

\system32\RunDll32.exe

a.exe

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

vdk.exe

Aegis.exe

XTrap.xt

crossfire.exe

IEXPLORE.EXE

runads.exe

cfpro.exe

REZ\REZOK.EXE

DDRAW.DLL

VN.SYS

hXXp://cfpro0009.googlecode.com/svn/trunk/VINACF.HTML

hXXp://cfpro0009.googlecode.com/svn/trunk/anti.txt

MiniObject.dat

hXXp://dlprotest.googlecode.com/svn/trunk/

hXXp://zsmodz.googlecode.com/svn/trunk/

patcher_cf2.exe

\runads.exe

\miniads.exe

\miniads2.exe

WEBPOP

hXXp://VVV.hackcf.biz/VINACF/p/active-success.html

\System32\drivers\etc\hosts.ics

0123456789

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

%System%\RunDll32.exe

adf.ly

InternetExplorer.Application

LocationURL

sh.st

adf.ly/ad/locked

Windows Internet Explorer

Web Browser

iexplore.exe - Application Error

WScript.Shell

WindowStyle

\Mozilla Firefox

\Google Chrome

Win32s on Windows 3.1

Windows NT

Windows NT 3.5

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista/Server 2008

Windows 7/Server 2008 R2

Windows 8

Windows 95

Windows Me

Windows 98

Unable to identify your version of Windows.

We already have a Download with that URL in the List

.ucAsyncDLStripe

VB.Timer

HGWC.EXE

N*\A%Documents and Settings%\Admin\Desktop\VINACF MOD - CHONG MOD v24\Project1.vbp

FAPCF.COM

C:\UsersP

@*\AG:\ADS\LOAD\Project1.vbp

C:\Windows\System32\miniads2.exe

C:\Windows\System32\miniads.exe

C:\Windows\System32\runads.exe

C:\Windows\System32\dllshell.dll

explorer.exe

myads.exe

@*\AG:\ADS\Project1.vbp

hXXp://asdsadsadsad.googlecode.com/svn/trunk/newrent.txt

Message from webpage

@*\AG:\ADS\shorte.st\Project1.vbp

hXXps://asdsadsadsad.googlecode.com/svn/trunk/sh.txt

@*\AG:\ADS\Shell\Project1.vbp

shell32.dll,-3

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers

%systemroot%\system32\DeviceCenter.dll,-1

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices\

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices

7e1fe788-0747-4e00-895b-c3461b1ddd97

comctl32.dll

mshelp://windows/?id=

ShellExecuteParams

ShellExecuteVerb

ShellExecute

]d3d9.dll

VINACFPRO.EXE

%original file name%.exe_1380_rwx_00401000_00198000:

SHDocVwCtl.WebBrowser

6|!6z!6w"6u"5u"5u"5s$5nO(3[ 2N.1B1083/14/ 5/(5/&6/&6/&6/&6/&6/&6/&6/&6/&6/&5/'4/*3//106/1>-2I*3U&4b$5m"6u 6{

6|!6z!6w"6u"5u"5u"5s#5oO(3\ 2P.1E01=00:00:/1>-1F 2P(3\O$5n"5r"5s"5r#5q"5r"5u!6x 6{

6{!6x"5u"5r#5q"5r"5r"5r$5nO(3[ 2N.1B1083/14/ 5/(5/&5/&5/)4/ 301109.1C 2O(3\%4g#5o"5t"5u"5u"5t"5u"5u"5s#5o%4g(3\ 2P.1E01=00:00:/1>-1F 2P(3\O$5n"5r"5s"5r#5q"5r"5u!6x 6{

!6y%4i(3[*3S 2Q*3S(3[O"5u

#5qO&4e$5n

$5k(3^(3]O 6{

"6u'3_*2R 2O)3VO

O 2O/1>2034/ 5/(6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&6/&@@@@@@@@@@@@

$5l'4a(3]'3_O#5p

#5p&4d'4`O"6u

!6xO(3\(3Z&4c"5u

#5pOO#5p

!6xO(3\(3[&4d!6x

%4h)3Y 2Q 2P)3XO

6{%4i)3Y,2K/1B01

6|!6z!6w"6u"5u"5u"5s#5oO(3\ 2P-1F/1>00:00:/1>-1F 2P(3\O$5m#5p#5q#5p$5n$5n#5p"5s!6w 6{

WWW.VINACF.COM

Project1.ucAsyncDLHost

Project1.ucAsyncDLStripe

ieframe.dll

WebBrowser

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

A%System%\ieframe.oca

wininet.dll

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindCloseUrlCache

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

user32.dll

ClearWeb

shell32.dll

ShellExecuteA

kernel32.dll

PSAPI.DLL

ntdll.dll

msvbvm60.dll

%System%\msvbvm60.dll\3

LIB.dll

advapi32.dll

GetAsyncKeyState

GetWindowsDirectoryA

VBA6.DLL

RegCreateKeyA

RegOpenKeyA

RegOpenKeyExA

RegCloseKey

GetCtlKeyForURL

GetCtlKeyForLocalFileName

DownloadStripeByURL

MSVBVM60.DLL

.text

.rsrc

.reloc

.lS\d~"

.tTP\

%fJ>0

".oCh

`.data

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

HttpAddRequestHeadersA

InternetOpenUrlA

`.rdata

@.data

@.reloc

^}â€¢D}

KERNEL32.dll

SHELL32.dll

GetCPInfo

%WinDir%\SYSTEM32\miniads.exe

%WinDir%\SYSTEM32\shellfile.dl

%WinDir%\SYSTEM32\dllshell.dll

miniads.exe

HGWC.exe

crossfire.dat

%WinDir%\SYSTEM32\miniads2.exe

miniads2.exe

msvcrt.dll

Kernel32.dll

WebBrowser1

AWebBrowser1

`C:\Windows\System32\ieframe.oca

4*5054585

0004080

.data

ATL.DLL

ADVAPI32.dll

SHLWAPI.dll

ole32.dll

GDI32.dll

USER32.dll

DUser.dll

DUI70.dll

0%D[$

H$l%%u;

autoplay.pdb

_amsg_exit

GetProcessHeap

RegCreateKeyExW

?OnAdjustWindowSize@HWNDHost@DirectUI@@UAEHHHI@Z

?OnKeyFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z

?SetKeyFocus@HWNDHost@DirectUI@@UAEXXZ

?MessageCallback@HWNDHost@DirectUI@@UAEIPAUtagGMSG@@@Z

?GetKeyFocused@HWNDHost@DirectUI@@UAE_NXZ

?OnWindowStyleChanged@HWNDHost@DirectUI@@UAEXIPBUtagSTYLESTRUCT@@@Z

?SetKeyFocus@Element@DirectUI@@UAEXXZ

?MessageCallback@Element@DirectUI@@UAEIPAUtagGMSG@@@Z

?GetKeyFocused@Element@DirectUI@@UAE_NXZ

ShellExecuteExW

?SetHandleEnterKey@XProvider@DirectUI@@IAEX_N@Z

?CreateDUI@XProvider@DirectUI@@UAGJPAVIXElementCP@2@PAPAUHWND__@@@Z

?SetButtonClassAcceptsEnterKey@XProvider@DirectUI@@UAGJ_N@Z

AUTOPLAY.dll

Can't find ordinal import.

keybd_event

MSVCRT.dll

U: %d ]

06 / 03 / 2015

vdk.dll

avifil32.dll

VINACF.DAT

[ ]|[ - ]

CrossHair

OFF|KEY: R|X1|X2|MAX

OFF|KEY: F

OFF|KEY: B

FAPCFLIB.DLL

FAPCF.DLL

00????00????000

CShell.dll

d3dx9_29.dll

5]5#696>6D6K6P6U6Z6`6g6l6q6v6|6

Object.dll

d3d9.dll

hXXp:///

Nisual Studio\VB98\C2.EXE

Nisual Studio\VB98\C2.EXE.Man

Nisual Studio\VB98\C2.EXE.Manifes

Q*\A%Documents and Settings%\Admin\Desktop\VINACF MOD - CHONG MOD v24\Project1.vbp

REZ\NationMsz\SA_MSG_DEFINE.msz

REZ\NationMsz\SPAIN_MSG_DEFINE.msz

REZ\NationMsz\EU_MSG_DEFINE.msz

REZ\NationMsz\ID_MSG_DEFINE.msz

REZ\NationMsz\US_MSG_DEFINE.msz

REZ\NationMsz\PHILLIPPINES_MSG_DEFINE.msz

REZ\NationMsz\RU_MSG_DEFINE.msz

REZ\NationMsz\VIETNAM_MSG_DEFINE.msz

REZ\NationMsz\KOREA_MSG_DEFINE.msz

REZ\NationMsz\SEA_MSG_DEFINE.msz

hXXp://cfpro0009.googlecode.com/svn/trunk/

anti.txt

VINACF.HTML

hXXp://bit.ly/1MBMSIF

font:'Courier New', Courier, monospace;background-color: #000;background-image: url(5000320727_636b010314.jpg);background-repeat: no-repeat;}

.keyclick1 {color: maroon;font-size: 40px;}

.keyclick1:hover {text-decoration: none;color: blue;background: yellow;}

.keyword {font-size: 8px;}

.box{position:fixed;top:-200px;left:30%;right:30%;background-color: #000;color:#7f7f7f;padding:20px;

a.activator{width:153px;height:150px;position:absolute;top:0px;right:0px;background: url(clickme.png) no-repeat top right;z-index:1;cursor:pointer;}

.overlay{background:transparent url(overlay.png) repeat top left;position:fixed;top:0px;bottom:0px;left:0px;right:0px;z-index:100;}

border:2px solid #ccc;-moz-border-radius: 20px;-webkit-border-radius:20px;-khtml-border-radius:20px;-moz-box-shadow: 0 1px 5px #333;-webkit-box-shadow: 0 1px 5px #333;z-index:101;}

document.onselectstart=new Function ('return false')

.box h1{border-bottom: 1px dashed #7F7F7F;margin:-20px -20px 0px -20px;padding:10px;background-color:#FF0;color: #000;-moz-border-radius:20px 20px 0px 0px;-webkit-border-top-left-radius: 20px;-webkit-border-top-right-radius: 20px;-khtml-border-top-left-radius: 20px;-khtml-border-top-right-radius: 20px;}

a.boxclose{float:right;width:26px;height:26px;background:transparent url(cancel.png) repeat top left;margin-top:-30px;margin-right:-30px;cursor:pointer;}

.drop { position: absolute; width: 3; filter: flipV(), flipH(); font-size: 40; color: blue }

if (window.sidebar){

CVN.SYS

Document.onmousedown = disableselect

Document.onclick = reEnable}

if (document.all){return false;}}

if(document.layers||(document.getElementById&&!document.all)){

if (e.which==2||e.which==3){

if (document.layers){

document.captureEvents(Event.MOUSEDOWN);

document.onmousedown=nrcNS;

}else{document.onmouseup=nrcNS;document.oncontextmenu=nrcIE;}

document.oncontextmenu=new Function('return false');

var minutes = Math.floor(time / 60);

FVN.SYS

minutes = Math.floor(time / 60);

function stime(){document.getElementById('STATUS').innerHTML = 'T? ??NG K

if(jgt == 0|document.getElementById('KICHHOAT').innerHTML=='100%')

clearInterval(timing);document.getElementById('STATUS').innerHTML='K

document.getElementById('KICHHOAT').innerHTML='100%';}

\system32\RunDll32.exe

a.exe

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

vdk.exe

Aegis.exe

XTrap.xt

crossfire.exe

IEXPLORE.EXE

runads.exe

cfpro.exe

REZ\REZOK.EXE

DDRAW.DLL

VN.SYS

hXXp://cfpro0009.googlecode.com/svn/trunk/VINACF.HTML

hXXp://cfpro0009.googlecode.com/svn/trunk/anti.txt

MiniObject.dat

hXXp://dlprotest.googlecode.com/svn/trunk/

hXXp://zsmodz.googlecode.com/svn/trunk/

patcher_cf2.exe

\runads.exe

\miniads.exe

\miniads2.exe

WEBPOP

hXXp://VVV.hackcf.biz/VINACF/p/active-success.html

\System32\drivers\etc\hosts.ics

0123456789

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2

%System%\RunDll32.exe

adf.ly

InternetExplorer.Application

LocationURL

sh.st

adf.ly/ad/locked

Windows Internet Explorer

Web Browser

iexplore.exe - Application Error

WScript.Shell

WindowStyle

\Mozilla Firefox

\Google Chrome

Win32s on Windows 3.1

Windows NT

Windows NT 3.5

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista/Server 2008

Windows 7/Server 2008 R2

Windows 8

Windows 95

Windows Me

Windows 98

Unable to identify your version of Windows.

We already have a Download with that URL in the List

.ucAsyncDLStripe

VB.Timer

HGWC.EXE

N*\A%Documents and Settings%\Admin\Desktop\VINACF MOD - CHONG MOD v24\Project1.vbp

FAPCF.COM

C:\UsersP

@*\AG:\ADS\LOAD\Project1.vbp

C:\Windows\System32\miniads2.exe

C:\Windows\System32\miniads.exe

C:\Windows\System32\runads.exe

C:\Windows\System32\dllshell.dll

explorer.exe

myads.exe

@*\AG:\ADS\Project1.vbp

hXXp://asdsadsadsad.googlecode.com/svn/trunk/newrent.txt

Message from webpage

@*\AG:\ADS\shorte.st\Project1.vbp

hXXps://asdsadsadsad.googlecode.com/svn/trunk/sh.txt

@*\AG:\ADS\Shell\Project1.vbp

shell32.dll,-3

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers

%systemroot%\system32\DeviceCenter.dll,-1

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices\

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices

7e1fe788-0747-4e00-895b-c3461b1ddd97

comctl32.dll

mshelp://windows/?id=

ShellExecuteParams

ShellExecuteVerb

ShellExecute

]d3d9.dll

%original file name%.exe_1380_rwx_0059A000_00002000:

kernel32.dll

VINACFPRO.EXE

iexplore.exe_1940:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.fg>

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps