Gen.Variant.Adware.Symmi.50568_41ab28e172

by malwarelabrobot on June 19th, 2015 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Adware.Symmi.50568 (B) (Emsisoft), Gen:Variant.Adware.Symmi.50568 (AdAware), Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 41ab28e172436934a4761ab4915846d5
SHA1: 0cddf60521906bd5cf55a5ce3080528231a274df
SHA256: ed1d01b7e5edde6bcc38e30d9388849c861ac2c01349148d4f353308bba8d539
SSDeep: 6144:L RiARI5cpt5zbX/UUyQZI4Jj8ncv2pyjJbrP8:L 7RBzTM5Vm8c Qjxg
Size: 275456 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-28 03:40:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

41ab28e17243693:1380

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 41ab28e17243693:1380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts.ics (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DMCABadgeHelper.min[1].js (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dmca_protected_sml_120l[1].png (2 bytes)
%System%\drivers\etc\hosts (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\anti[1].txt (747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ajax-loader[1].gif (3966 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\11[1].png (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\VINACF[1].HTML (1260 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

Registry activity

The process 41ab28e17243693:1380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 EF 27 19 B9 17 48 B7 81 78 8B A3 9A EE BE A5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://bit.ly/1MBMSIF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp1res.dll,-11003" = "Launch Internet Explorer Browser"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 3796 bytes in size. The following strings are added to the hosts file:


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: MS
Product Name: Project1
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: VINACFPRO.EXE
Internal Name: VINACFPRO
File Version: 1.00
File Description:
Comments:
Language: English (United States)

PE Sections

Name     Virtual Address    Virtual Size    Raw Size    Entropy    Section MD5
.text    4096               1671168         265728      5.54462    7f8d52290e4cd59b18d20a675e3d5477
.rsrc    1675264            12288           8704        4.82712    279a10b1f2d640ee28b92157c8d9f82d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /a/display.php?r=428475 HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:36 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-RevProc-1: a8ec481510bfe6cd3a9a746afe7461c5 = ok

<<< skipped >>>

GET /a/display.php?r=428475&runauction=1&crr=17b4a792355f11147d67 wnfy9zdyB3f4dmP sSYlVWea865aaf1d1831d50f15f&cbrandom=0.96737650282128 HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246927; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
X-Robots-Tag: noindex
Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
X-RevProc-1: 32ddea80e5c4fc80bb77fcffe58f8cf6 = ok
Content-Encoding: gzip

<<< skipped >>>

GET /script/java.php?option=rotateur&r=438609 HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adcash.com
Connection: Keep-Alive
Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246922; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
X-Robots-Tag: noindex
Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
X-RevProc-1: e620540d01040c38e9ddb42c9892cdbd = ok
Content-Encoding: gzip

<<< skipped >>>

GET /script/java.php?option=rotateur&r=438611 HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adcash.com
Connection: Keep-Alive
Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246925; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
X-Robots-Tag: noindex
Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
X-RevProc-1: cbad08adf0c64328f3737ff434d1c98b = ok
Content-Encoding: gzip

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/BebasNeue/BebasNeue-webfont.eot? HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:42 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 54416
Keep-Alive: timeout=5, max=512
Connection: Keep-Alive
Content-Type: application/vnd.ms-fontobject

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.eot?14434071 HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:43 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 10176
Keep-Alive: timeout=5, max=511
Connection: Keep-Alive
Content-Type: application/vnd.ms-fontobject

<<< skipped >>>

GET /wp-content/themes/sahifa/images/home.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:44 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 1022
Keep-Alive: timeout=5, max=510
Connection: Keep-Alive
Content-Type: image/png



GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:44 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 93
Keep-Alive: timeout=5, max=509
Connection: Keep-Alive
Content-Type: image/png



GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:44 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 93
Keep-Alive: timeout=5, max=508
Connection: Keep-Alive
Content-Type: image/png


GET /images/slidein.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 15 Aug 2012 15:30:42 GMT
Vary: Accept-Encoding
Expires: Thu, 18 Jun 2015 22:24:38 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
X-RevProc-1: n/a = ok

<<< skipped >>>

GET /images/slide_close.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 15 Aug 2012 15:30:41 GMT
Vary: Accept-Encoding
Expires: Thu, 18 Jun 2015 22:24:38 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
X-RevProc-1: n/a = ok

<<< skipped >>>

GET /swidget/fapcfcomz.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive


HTTP/1.1 303 See Other
Date: Wed, 17 Jun 2015 22:24:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/small/00/23.png
Set-Cookie: uid=CgH9H1WB86Sp33djnmwVAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/
0..


GET /-KeOVqKDJ_FI/U6El6dSg1kI/AAAAAAAAAWw/HYf_f9E48S4/s1600/OS.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 3.bp.blogspot.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
ETag: "v16d"
Expires: Tue, 16 Jun 2015 11:38:06 GMT
Content-Disposition: inline;filename="OS.png"
Content-Type: image/png
X-Content-Type-Options: nosniff
Date: Wed, 17 Jun 2015 22:24:35 GMT
Server: fife
Content-Length: 25649
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400, no-transform
Age: 0
Alternate-Protocol: 80:quic,p=0

<<< skipped >>>

GET /images/spacer.gif HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
Last-Modified: Fri, 03 Aug 2012 18:09:08 GMT
ETag: "501c13c4-2b"
Expires: Thu, 18 Jun 2015 22:24:38 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
X-RevProc-1: n/a = ok
GIF89a.............!.......,...........D..;....



GET /images/slide_deploy.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 15 Aug 2012 15:30:41 GMT
Vary: Accept-Encoding
Expires: Thu, 18 Jun 2015 22:24:38 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
X-RevProc-1: n/a = ok

<<< skipped >>>

GET /images/slide_fold.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 15 Aug 2012 15:30:42 GMT
Vary: Accept-Encoding
Expires: Thu, 18 Jun 2015 22:24:38 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
X-RevProc-1: n/a = ok

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/fontawesome/fontawesome-webfont.eot? HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:42 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 60767
Keep-Alive: timeout=5, max=512
Connection: Keep-Alive
Content-Type: application/vnd.ms-fontobject

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.svg?14434071 HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:43 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 4864
Keep-Alive: timeout=5, max=511
Connection: Keep-Alive
Content-Type: image/svg+xml

<<< skipped >>>

GET /wp-content/themes/sahifa/images/patterns/body-bg32.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:44 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 4069
Keep-Alive: timeout=5, max=510
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:44 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 93
Keep-Alive: timeout=5, max=509
Connection: Keep-Alive
Content-Type: image/png



GET /wp-content/themes/sahifa/images/home.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:45 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 1022
Keep-Alive: timeout=5, max=508
Connection: Keep-Alive
Content-Type: image/png


GET /ajax/libs/jquery/1.4.1/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 02 Apr 2012 18:24:28 GMT
Date: Sun, 14 Jun 2015 18:56:51 GMT
Expires: Mon, 13 Jun 2016 18:56:51 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 24050
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 271667
Alternate-Protocol: 80:quic,p=0

<<< skipped >>>

GET /ban/236180/141423_300x250_iLivid_DB-4S-FolderDL_ru.gif HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cloud.cashtrafic.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:37 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dd15fed86d8bf2e1d341726dc12e9472a1434579877; expires=Thu, 16-Jun-16 22:24:37 GMT; path=/; domain=.cashtrafic.info; HttpOnly
Last-Modified: Thu, 13 Feb 2014 14:26:58 GMT
Expires: Thu, 18 Jun 2015 22:24:37 GMT
Cache-Control: public, max-age=86400
Content-Encoding: gzip
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1f822a6b0c570b02-WAW

<<< skipped >>>

GET /ban/992077/200313_jZip_728x90_DB-RoundedBlue.gif HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cloud.cashtrafic.info
Connection: Keep-Alive
Cookie: __cfduid=dd15fed86d8bf2e1d341726dc12e9472a1434579877


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Mon, 01 Jul 2013 08:49:36 GMT
Expires: Thu, 18 Jun 2015 22:24:38 GMT
Cache-Control: public, max-age=86400
Content-Encoding: gzip
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 1f822a732d580b02-WAW

<<< skipped >>>

GET /wp-content/themes/sahifa/images/home.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:41 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 1022
Keep-Alive: timeout=5, max=512
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET /s/droidsans/v6/s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM.eot HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: font/eot
Last-Modified: Thu, 28 Aug 2014 20:40:42 GMT
Date: Tue, 09 Jun 2015 15:56:55 GMT
Expires: Wed, 08 Jun 2016 15:56:55 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Content-Length: 22021
Age: 714458
Alternate-Protocol: 80:quic,p=0

<<< skipped >>>

GET /small/00/23.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: widgets.amung.us


HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Wed, 17 Jun 2015 22:24:36 GMT
Content-Type: image/png
Content-Length: 317
Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT
Connection: keep-alive
Expires: Fri, 17 Jul 2015 22:24:36 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes


GET /script/java.php?option=rotateur&r=438612 HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adcash.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733; expires=Wed, 30-Dec-2037 23:00:00 GMT; Max-Age=711246923; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Vary: Accept-Encoding
X-Robots-Tag: noindex
Cache-Control: no-store, no-cache, no-transform, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
X-RevProc-1: 6a7f053a97ce3844b73598b513dc0c7c = ok
Content-Encoding: gzip

<<< skipped >>>

GET /ban/236180/2026221_300x250_iLivid_DB-Megabyte.gif HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.adcash.com
Connection: Keep-Alive
Cookie: acnetwork=64e2ab5b8266d4377a1fc211ff908977b733


HTTP/1.1 200 OK
Server: openresty
Date: Wed, 17 Jun 2015 22:24:38 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Fri, 15 Aug 2014 12:49:23 GMT
Vary: Accept-Encoding
Expires: Thu, 18 Jun 2015 22:24:38 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
X-RevProc-1: n/a = ok

<<< skipped >>>

GET /css?family=Droid Sans:regular,700 HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Expires: Wed, 17 Jun 2015 22:24:31 GMT
Date: Wed, 17 Jun 2015 22:24:31 GMT
Cache-Control: private, max-age=86400
Content-Length: 187
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic,p=0
@font-face {
  font-family: 'Droid Sans';
  font-style: normal;
  font-weight: 400;
  src: url(hXXp://fonts.gstatic.com/s/droidsans/v6/s-BiyweUPV0v-yRb-cjciFQlYEbsez9cZjKsNMjLOwM.eot);
}


GET /wp-content/themes/sahifa/style.css HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:32 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sun, 24 May 2015 07:06:39 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 37587
Keep-Alive: timeout=5, max=512
Connection: Keep-Alive
Content-Type: text/css

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/BebasNeue/BebasNeue-webfont.eot? HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:33 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 54416
Keep-Alive: timeout=5, max=511
Connection: Keep-Alive
Content-Type: application/vnd.ms-fontobject

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.eot?14434071 HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:34 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 10176
Keep-Alive: timeout=5, max=510
Connection: Keep-Alive
Content-Type: application/vnd.ms-fontobject

<<< skipped >>>

GET /wp-includes/js/jquery/jquery-migrate.min.js HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:34 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Tue, 23 Jul 2013 22:28:26 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 3068
Keep-Alive: timeout=5, max=509
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

GET /wp-content/themes/sahifa/js/selectivizr-min.js HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:35 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 2437
Keep-Alive: timeout=5, max=508
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

GET /wp-content/themes/sahifa/images/home.png HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:36 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 1022
Keep-Alive: timeout=5, max=507
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET /wp-content/themes/sahifa/js/tie-scripts.js HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:39 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 20775
Keep-Alive: timeout=5, max=506
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

GET /wp-content/themes/sahifa/js/search.js HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:40 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 3635
Keep-Alive: timeout=5, max=505
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

GET /plugins/likebox.php?href=hXXps://VVV.facebook.com/vinacfpro&width=300&height=250&colorscheme=light&show_faces=true&header=false&stream=false&show_border=false HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.facebook.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Location: hXXps://VVV.facebook.com/plugins/likebox.php?href=https://VVV.facebook.com/vinacfpro&width=300&height=250&colorscheme=light&show_faces=true&header=false&stream=false&show_border=false
X-Content-Type-Options: nosniff
X-UA-Compatible: IE=edge,chrome=1
Content-Type: text/html
X-FB-Debug: GgKCikBkR1elnc/oPEIuDYI 69Y048gF/4NYEWAu8l076KabvWVp8o pOIL3O8Cx93P6V srgHc5QWWjlWfO7w==
Date: Wed, 17 Jun 2015 22:24:36 GMT
Connection: keep-alive
Content-Length: 0


GET /wp-includes/js/wp-emoji-release.min.js HTTP/1.1
Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:31 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 11 May 2015 09:59:01 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 4284
Keep-Alive: timeout=5, max=511
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

GET /wp-content/themes/sahifa/css/ilightbox/dark-skin/skin.css HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:32 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 1319
Keep-Alive: timeout=5, max=510
Connection: Keep-Alive
Content-Type: text/css

<<< skipped >>>

GET /wp-includes/js/jquery/jquery.js HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:32 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Mon, 11 May 2015 09:59:01 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 33287
Keep-Alive: timeout=5, max=509
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/fontawesome/fontawesome-webfont.eot? HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:33 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 60767
Keep-Alive: timeout=5, max=508
Connection: Keep-Alive
Content-Type: application/vnd.ms-fontobject

<<< skipped >>>

GET /wp-content/themes/sahifa/fonts/tiefont/fontello.svg?14434071 HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:34 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 4864
Keep-Alive: timeout=5, max=507
Connection: Keep-Alive
Content-Type: image/svg+xml

<<< skipped >>>

GET /wp-content/themes/sahifa/js/html5.js HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:35 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 1220
Keep-Alive: timeout=5, max=506
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

GET /wp-content/themes/sahifa/images/patterns/body-bg32.png HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:35 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 4069
Keep-Alive: timeout=5, max=505
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET /wp-content/themes/sahifa/images/stripe.png HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:36 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Length: 93
Keep-Alive: timeout=5, max=504
Connection: Keep-Alive
Content-Type: image/png



GET /wp-content/themes/sahifa/js/ilightbox.packed.js HTTP/1.1

Accept: */*
Referer: hXXp://vinacf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vinacf.com
Connection: Keep-Alive
Cookie: __test


HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 22:24:39 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Last-Modified: Sat, 23 May 2015 21:00:23 GMT
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Length: 23364
Keep-Alive: timeout=5, max=503
Connection: Keep-Alive
Content-Type: application/javascript

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1380:

.text
`.rsrc
SHDocVwCtl.WebBrowser
WWW.VINACF.COM
Project1.ucAsyncDLHost
Project1.ucAsyncDLStripe
ieframe.dll
WebBrowser
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
A%System%\ieframe.oca
wininet.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
user32.dll
ClearWeb
shell32.dll
ShellExecuteA
kernel32.dll
PSAPI.DLL
ntdll.dll
msvbvm60.dll
%System%\msvbvm60.dll\3
LIB.dll
advapi32.dll
GetAsyncKeyState
GetWindowsDirectoryA
VBA6.DLL
RegCreateKeyA
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
GetCtlKeyForURL
GetCtlKeyForLocalFileName
DownloadStripeByURL
MSVBVM60.DLL
.rsrc
.reloc
.lS\d~"
.tTP\
%fJ>0
".oCh
`.data
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenUrlA
`.rdata
@.data
@.reloc
^}•D}
KERNEL32.dll
SHELL32.dll
GetCPInfo
%WinDir%\SYSTEM32\miniads.exe
%WinDir%\SYSTEM32\shellfile.dl
%WinDir%\SYSTEM32\dllshell.dll
miniads.exe
HGWC.exe
crossfire.dat
%WinDir%\SYSTEM32\miniads2.exe
miniads2.exe
msvcrt.dll
Kernel32.dll
WebBrowser1
AWebBrowser1
`C:\Windows\System32\ieframe.oca
4*5054585<5
0004080
.data
ATL.DLL
ADVAPI32.dll
SHLWAPI.dll
ole32.dll
GDI32.dll
USER32.dll
DUser.dll
DUI70.dll
0%D[$
H$l%%u;
autoplay.pdb
_amsg_exit
GetProcessHeap
RegCreateKeyExW
?OnAdjustWindowSize@HWNDHost@DirectUI@@UAEHHHI@Z
?OnKeyFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z
?SetKeyFocus@HWNDHost@DirectUI@@UAEXXZ
?MessageCallback@HWNDHost@DirectUI@@UAEIPAUtagGMSG@@@Z
?GetKeyFocused@HWNDHost@DirectUI@@UAE_NXZ
?OnWindowStyleChanged@HWNDHost@DirectUI@@UAEXIPBUtagSTYLESTRUCT@@@Z
?SetKeyFocus@Element@DirectUI@@UAEXXZ
?MessageCallback@Element@DirectUI@@UAEIPAUtagGMSG@@@Z
?GetKeyFocused@Element@DirectUI@@UAE_NXZ
ShellExecuteExW
?SetHandleEnterKey@XProvider@DirectUI@@IAEX_N@Z
?CreateDUI@XProvider@DirectUI@@UAGJPAVIXElementCP@2@PAPAUHWND__@@@Z
?SetButtonClassAcceptsEnterKey@XProvider@DirectUI@@UAGJ_N@Z
AUTOPLAY.dll
Can't find ordinal import.
keybd_event
MSVCRT.dll
U: %d ]
06 / 03 / 2015
vdk.dll
avifil32.dll
VINACF.DAT
[   ]|[ - ]
CrossHair
OFF|KEY: R|X1|X2|MAX
OFF|KEY: F
OFF|KEY: B
FAPCFLIB.DLL
FAPCF.DLL
00????00????000
CShell.dll
d3dx9_29.dll
5]5#696>6D6K6P6U6Z6`6g6l6q6v6|6
Object.dll
d3d9.dll
hXXp:///
Nisual Studio\VB98\C2.EXE
Nisual Studio\VB98\C2.EXE.Man
Nisual Studio\VB98\C2.EXE.Manifes
Q*\A%Documents and Settings%\Admin\Desktop\VINACF   MOD - CHONG MOD v24\Project1.vbp
REZ\NationMsz\SA_MSG_DEFINE.msz
REZ\NationMsz\SPAIN_MSG_DEFINE.msz
REZ\NationMsz\EU_MSG_DEFINE.msz
REZ\NationMsz\ID_MSG_DEFINE.msz
REZ\NationMsz\US_MSG_DEFINE.msz
REZ\NationMsz\PHILLIPPINES_MSG_DEFINE.msz
REZ\NationMsz\RU_MSG_DEFINE.msz
REZ\NationMsz\VIETNAM_MSG_DEFINE.msz
REZ\NationMsz\KOREA_MSG_DEFINE.msz
REZ\NationMsz\SEA_MSG_DEFINE.msz
hXXp://cfpro0009.googlecode.com/svn/trunk/
anti.txt
VINACF.HTML
hXXp://bit.ly/1MBMSIF
<br><br><br><img src=hXXp://VVV.ecb.int/shared/img/loading.gif border='0'></img></center>
font:'Courier New', Courier, monospace;background-color: #000;background-image: url(5000320727_636b010314.jpg);background-repeat: no-repeat;}
.keyclick1 {color: maroon;font-size: 40px;}
.keyclick1:hover {text-decoration: none;color: blue;background: yellow;}
.keyword {font-size: 8px;}
.box{position:fixed;top:-200px;left:30%;right:30%;background-color: #000;color:#7f7f7f;padding:20px;
a.activator{width:153px;height:150px;position:absolute;top:0px;right:0px;background: url(clickme.png) no-repeat top right;z-index:1;cursor:pointer;}
.overlay{background:transparent url(overlay.png) repeat top left;position:fixed;top:0px;bottom:0px;left:0px;right:0px;z-index:100;}
border:2px solid #ccc;-moz-border-radius: 20px;-webkit-border-radius:20px;-khtml-border-radius:20px;-moz-box-shadow: 0 1px 5px #333;-webkit-box-shadow: 0 1px 5px #333;z-index:101;}
document.onselectstart=new Function ('return false')
.box h1{border-bottom: 1px dashed #7F7F7F;margin:-20px -20px 0px -20px;padding:10px;background-color:#FF0;color: #000;-moz-border-radius:20px 20px 0px 0px;-webkit-border-top-left-radius: 20px;-webkit-border-top-right-radius: 20px;-khtml-border-top-left-radius: 20px;-khtml-border-top-right-radius: 20px;}
a.boxclose{float:right;width:26px;height:26px;background:transparent url(cancel.png) repeat top left;margin-top:-30px;margin-right:-30px;cursor:pointer;}
.drop { position: absolute; width: 3; filter: flipV(), flipH(); font-size: 40; color: blue }
if (window.sidebar){
<b><marquee direction='left' scrollamount='7' onmouseover='this.stop();' onmouseout='this.start();'><font size='4' color='#00FF00'>
</br><img src=hXXps://lh4.googleusercontent.com/-yVB7dkAk2JI/UejFyvE1heI/AAAAAAAAAF0/SO0MKar_c24/h120/ajax-loader.gif border='0'></img>
CVN.SYS
Document.onmousedown = disableselect
Document.onclick = reEnable}
if (document.all){return false;}}
if(document.layers||(document.getElementById&&!document.all)){
if (e.which==2||e.which==3){
if (document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=nrcNS;
}else{document.onmouseup=nrcNS;document.oncontextmenu=nrcIE;}
document.oncontextmenu=new Function('return false');</script>
var minutes = Math.floor(time / 60);
FVN.SYS
minutes = Math.floor(time / 60);
function stime(){document.getElementById('STATUS').innerHTML = 'TỰ ĐỘNG K
if(jgt == 0|document.getElementById('KICHHOAT').innerHTML=='100%')
clearInterval(timing);document.getElementById('STATUS').innerHTML='K
document.getElementById('KICHHOAT').innerHTML='100%';}
</br></br><img src=hXXps://lh4.googleusercontent.com/-yVB7dkAk2JI/UejFyvE1heI/AAAAAAAAAF0/SO0MKar_c24/h120/ajax-loader.gif border='0'></img>
\system32\RunDll32.exe
a.exe
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
vdk.exe
Aegis.exe
XTrap.xt
crossfire.exe
IEXPLORE.EXE
runads.exe
cfpro.exe
REZ\REZOK.EXE
DDRAW.DLL
VN.SYS
hXXp://cfpro0009.googlecode.com/svn/trunk/VINACF.HTML
hXXp://cfpro0009.googlecode.com/svn/trunk/anti.txt
MiniObject.dat
hXXp://dlprotest.googlecode.com/svn/trunk/
hXXp://zsmodz.googlecode.com/svn/trunk/
patcher_cf2.exe
\runads.exe
\miniads.exe
\miniads2.exe
WEBPOP
hXXp://VVV.hackcf.biz/VINACF/p/active-success.html
\System32\drivers\etc\hosts.ics
0123456789
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
%System%\RunDll32.exe
adf.ly
InternetExplorer.Application
LocationURL
sh.st
adf.ly/ad/locked
Windows Internet Explorer
Web Browser
iexplore.exe - Application Error
WScript.Shell
WindowStyle
\Mozilla Firefox
\Google Chrome
Win32s on Windows 3.1
Windows NT
Windows NT 3.5
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista/Server 2008
Windows 7/Server 2008 R2
Windows 8
Windows 95
Windows Me
Windows 98
Unable to identify your version of Windows.
We already have a Download with that URL in the List
.ucAsyncDLStripe
VB.Timer
HGWC.EXE
N*\A%Documents and Settings%\Admin\Desktop\VINACF   MOD - CHONG MOD v24\Project1.vbp
FAPCF.COM
C:\UsersP
@*\AG:\ADS\LOAD\Project1.vbp
C:\Windows\System32\miniads2.exe
C:\Windows\System32\miniads.exe
C:\Windows\System32\runads.exe
C:\Windows\System32\dllshell.dll
explorer.exe
myads.exe
@*\AG:\ADS\Project1.vbp
hXXp://asdsadsadsad.googlecode.com/svn/trunk/newrent.txt
Message from webpage
@*\AG:\ADS\shorte.st\Project1.vbp
hXXps://asdsadsadsad.googlecode.com/svn/trunk/sh.txt
@*\AG:\ADS\Shell\Project1.vbp
shell32.dll,-3
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
%systemroot%\system32\DeviceCenter.dll,-1
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices
7e1fe788-0747-4e00-895b-c3461b1ddd97
comctl32.dll
mshelp://windows/?id=
ShellExecuteParams
ShellExecuteVerb
ShellExecute
]d3d9.dll
VINACFPRO.EXE

%original file name%.exe_1380_rwx_00401000_00198000:

SHDocVwCtl.WebBrowser
WWW.VINACF.COM
Project1.ucAsyncDLHost
Project1.ucAsyncDLStripe
ieframe.dll
WebBrowser
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
A%System%\ieframe.oca
wininet.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
user32.dll
ClearWeb
shell32.dll
ShellExecuteA
kernel32.dll
PSAPI.DLL
ntdll.dll
msvbvm60.dll
%System%\msvbvm60.dll\3
LIB.dll
advapi32.dll
GetAsyncKeyState
GetWindowsDirectoryA
VBA6.DLL
RegCreateKeyA
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
GetCtlKeyForURL
GetCtlKeyForLocalFileName
DownloadStripeByURL
MSVBVM60.DLL
.text
.rsrc
.reloc
.lS\d~"
.tTP\
%fJ>0
".oCh
`.data
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
HttpAddRequestHeadersA
InternetOpenUrlA
`.rdata
@.data
@.reloc
^}•D}
KERNEL32.dll
SHELL32.dll
GetCPInfo
%WinDir%\SYSTEM32\miniads.exe
%WinDir%\SYSTEM32\shellfile.dl
%WinDir%\SYSTEM32\dllshell.dll
miniads.exe
HGWC.exe
crossfire.dat
%WinDir%\SYSTEM32\miniads2.exe
miniads2.exe
msvcrt.dll
Kernel32.dll
WebBrowser1
AWebBrowser1
`C:\Windows\System32\ieframe.oca
4*5054585<5
0004080
.data
ATL.DLL
ADVAPI32.dll
SHLWAPI.dll
ole32.dll
GDI32.dll
USER32.dll
DUser.dll
DUI70.dll
0%D[$
H$l%%u;
autoplay.pdb
_amsg_exit
GetProcessHeap
RegCreateKeyExW
?OnAdjustWindowSize@HWNDHost@DirectUI@@UAEHHHI@Z
?OnKeyFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z
?SetKeyFocus@HWNDHost@DirectUI@@UAEXXZ
?MessageCallback@HWNDHost@DirectUI@@UAEIPAUtagGMSG@@@Z
?GetKeyFocused@HWNDHost@DirectUI@@UAE_NXZ
?OnWindowStyleChanged@HWNDHost@DirectUI@@UAEXIPBUtagSTYLESTRUCT@@@Z
?SetKeyFocus@Element@DirectUI@@UAEXXZ
?MessageCallback@Element@DirectUI@@UAEIPAUtagGMSG@@@Z
?GetKeyFocused@Element@DirectUI@@UAE_NXZ
ShellExecuteExW
?SetHandleEnterKey@XProvider@DirectUI@@IAEX_N@Z
?CreateDUI@XProvider@DirectUI@@UAGJPAVIXElementCP@2@PAPAUHWND__@@@Z
?SetButtonClassAcceptsEnterKey@XProvider@DirectUI@@UAGJ_N@Z
AUTOPLAY.dll
Can't find ordinal import.
keybd_event
MSVCRT.dll
U: %d ]
06 / 03 / 2015
vdk.dll
avifil32.dll
VINACF.DAT
[   ]|[ - ]
CrossHair
OFF|KEY: R|X1|X2|MAX
OFF|KEY: F
OFF|KEY: B
FAPCFLIB.DLL
FAPCF.DLL
00????00????000
CShell.dll
d3dx9_29.dll
5]5#696>6D6K6P6U6Z6`6g6l6q6v6|6
Object.dll
d3d9.dll
hXXp:///
Nisual Studio\VB98\C2.EXE
Nisual Studio\VB98\C2.EXE.Man
Nisual Studio\VB98\C2.EXE.Manifes
Q*\A%Documents and Settings%\Admin\Desktop\VINACF   MOD - CHONG MOD v24\Project1.vbp
REZ\NationMsz\SA_MSG_DEFINE.msz
REZ\NationMsz\SPAIN_MSG_DEFINE.msz
REZ\NationMsz\EU_MSG_DEFINE.msz
REZ\NationMsz\ID_MSG_DEFINE.msz
REZ\NationMsz\US_MSG_DEFINE.msz
REZ\NationMsz\PHILLIPPINES_MSG_DEFINE.msz
REZ\NationMsz\RU_MSG_DEFINE.msz
REZ\NationMsz\VIETNAM_MSG_DEFINE.msz
REZ\NationMsz\KOREA_MSG_DEFINE.msz
REZ\NationMsz\SEA_MSG_DEFINE.msz
hXXp://cfpro0009.googlecode.com/svn/trunk/
anti.txt
VINACF.HTML
hXXp://bit.ly/1MBMSIF
<br><br><br><img src=hXXp://VVV.ecb.int/shared/img/loading.gif border='0'></img></center>
font:'Courier New', Courier, monospace;background-color: #000;background-image: url(5000320727_636b010314.jpg);background-repeat: no-repeat;}
.keyclick1 {color: maroon;font-size: 40px;}
.keyclick1:hover {text-decoration: none;color: blue;background: yellow;}
.keyword {font-size: 8px;}
.box{position:fixed;top:-200px;left:30%;right:30%;background-color: #000;color:#7f7f7f;padding:20px;
a.activator{width:153px;height:150px;position:absolute;top:0px;right:0px;background: url(clickme.png) no-repeat top right;z-index:1;cursor:pointer;}
.overlay{background:transparent url(overlay.png) repeat top left;position:fixed;top:0px;bottom:0px;left:0px;right:0px;z-index:100;}
border:2px solid #ccc;-moz-border-radius: 20px;-webkit-border-radius:20px;-khtml-border-radius:20px;-moz-box-shadow: 0 1px 5px #333;-webkit-box-shadow: 0 1px 5px #333;z-index:101;}
document.onselectstart=new Function ('return false')
.box h1{border-bottom: 1px dashed #7F7F7F;margin:-20px -20px 0px -20px;padding:10px;background-color:#FF0;color: #000;-moz-border-radius:20px 20px 0px 0px;-webkit-border-top-left-radius: 20px;-webkit-border-top-right-radius: 20px;-khtml-border-top-left-radius: 20px;-khtml-border-top-right-radius: 20px;}
a.boxclose{float:right;width:26px;height:26px;background:transparent url(cancel.png) repeat top left;margin-top:-30px;margin-right:-30px;cursor:pointer;}
.drop { position: absolute; width: 3; filter: flipV(), flipH(); font-size: 40; color: blue }
if (window.sidebar){
<b><marquee direction='left' scrollamount='7' onmouseover='this.stop();' onmouseout='this.start();'><font size='4' color='#00FF00'>
</br><img src=hXXps://lh4.googleusercontent.com/-yVB7dkAk2JI/UejFyvE1heI/AAAAAAAAAF0/SO0MKar_c24/h120/ajax-loader.gif border='0'></img>
CVN.SYS
Document.onmousedown = disableselect
Document.onclick = reEnable}
if (document.all){return false;}}
if(document.layers||(document.getElementById&&!document.all)){
if (e.which==2||e.which==3){
if (document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=nrcNS;
}else{document.onmouseup=nrcNS;document.oncontextmenu=nrcIE;}
document.oncontextmenu=new Function('return false');</script>
var minutes = Math.floor(time / 60);
FVN.SYS
minutes = Math.floor(time / 60);
function stime(){document.getElementById('STATUS').innerHTML = 'TỰ ĐỘNG K
if(jgt == 0|document.getElementById('KICHHOAT').innerHTML=='100%')
clearInterval(timing);document.getElementById('STATUS').innerHTML='K
document.getElementById('KICHHOAT').innerHTML='100%';}
</br></br><img src=hXXps://lh4.googleusercontent.com/-yVB7dkAk2JI/UejFyvE1heI/AAAAAAAAAF0/SO0MKar_c24/h120/ajax-loader.gif border='0'></img>
\system32\RunDll32.exe
a.exe
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
vdk.exe
Aegis.exe
XTrap.xt
crossfire.exe
IEXPLORE.EXE
runads.exe
cfpro.exe
REZ\REZOK.EXE
DDRAW.DLL
VN.SYS
hXXp://cfpro0009.googlecode.com/svn/trunk/VINACF.HTML
hXXp://cfpro0009.googlecode.com/svn/trunk/anti.txt
MiniObject.dat
hXXp://dlprotest.googlecode.com/svn/trunk/
hXXp://zsmodz.googlecode.com/svn/trunk/
patcher_cf2.exe
\runads.exe
\miniads.exe
\miniads2.exe
WEBPOP
hXXp://VVV.hackcf.biz/VINACF/p/active-success.html
\System32\drivers\etc\hosts.ics
0123456789
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
%System%\RunDll32.exe
adf.ly
InternetExplorer.Application
LocationURL
sh.st
adf.ly/ad/locked
Windows Internet Explorer
Web Browser
iexplore.exe - Application Error
WScript.Shell
WindowStyle
\Mozilla Firefox
\Google Chrome
Win32s on Windows 3.1
Windows NT
Windows NT 3.5
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista/Server 2008
Windows 7/Server 2008 R2
Windows 8
Windows 95
Windows Me
Windows 98
Unable to identify your version of Windows.
We already have a Download with that URL in the List
.ucAsyncDLStripe
VB.Timer
HGWC.EXE
N*\A%Documents and Settings%\Admin\Desktop\VINACF   MOD - CHONG MOD v24\Project1.vbp
FAPCF.COM
C:\UsersP
@*\AG:\ADS\LOAD\Project1.vbp
C:\Windows\System32\miniads2.exe
C:\Windows\System32\miniads.exe
C:\Windows\System32\runads.exe
C:\Windows\System32\dllshell.dll
explorer.exe
myads.exe
@*\AG:\ADS\Project1.vbp
hXXp://asdsadsadsad.googlecode.com/svn/trunk/newrent.txt
Message from webpage
@*\AG:\ADS\shorte.st\Project1.vbp
hXXps://asdsadsadsad.googlecode.com/svn/trunk/sh.txt
@*\AG:\ADS\Shell\Project1.vbp
shell32.dll,-3
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
%systemroot%\system32\DeviceCenter.dll,-1
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\KnownDevices
7e1fe788-0747-4e00-895b-c3461b1ddd97
comctl32.dll
mshelp://windows/?id=
ShellExecuteParams
ShellExecuteVerb
ShellExecute
]d3d9.dll

%original file name%.exe_1380_rwx_0059A000_00002000:

kernel32.dll
VINACFPRO.EXE


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\drivers\etc\hosts.ics (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DMCABadgeHelper.min[1].js (505 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dmca_protected_sml_120l[1].png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\anti[1].txt (747 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ajax-loader[1].gif (3966 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\11[1].png (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\VINACF[1].HTML (1260 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
