Gen.Variant.Application.Bundler.InstallMonster.1_a5f1709b88
not-a-virus:HEUR:AdWare.Win32.InstallMonster.gen (Kaspersky), Gen:Variant.Application.Bundler.InstallMonster.1 (AdAware), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a5f1709b880f9e3aafc89485161c84eb
SHA1: 20e42b79d3f3bd9e957c6735c27fd5a584978116
SHA256: 16af89598a9c853852bc22ee5599ad838c4e037c7d0c8ff8447903c4cae93d58
SSDeep: 98304:3C jOqStOZ4a6OVJ020P66Lsd5EQzzu0tq:UuZ4a6OVuAbEQzzun
Size: 3467648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1100
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCR\a5f1709b880f9e3aafc89485161c84eb.DynamicNS]
"(Default)" = "DynamicNS"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID]
"(Default)" = "a5f1709b880f9e3aafc89485161c84eb.DynamicNS"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}]
"(Default)" = "DynamicNS"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\a5f1709b880f9e3aafc89485161c84eb.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 4B 02 BE 06 B1 E7 61 8E FB 64 85 29 E7 32 94"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\a5f1709b880f9e3aafc89485161c84eb\DEBUG]
"Trace Level" = ""
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\a5f1709b880f9e3aafc89485161c84eb\DEBUG]
"Trace Level"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 14356480 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 14360576 | 2392064 | 2391040 | 5.47968 | da893198cbd40aa78742deffda24722b |
| .rsrc | 16752640 | 20480 | 19968 | 3.71923 | 6f364765da5d970e92c7ddb271f94b03 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
92321e1ab9309ebd74eb11da3478213b
6ce6cda6e71c5b1cf2fe29c80e22197b
92f49bcade2984599bfa96da75ab8472
URLs
| URL | IP |
|---|---|
| hxxp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834 | |
| hxxp://xakepy.soft-ingeniring.com.ua/unknownbrowser.png | |
| hxxp://xakepy.soft-ingeniring.com.ua/li.js | |
| hxxp://xakepi.ru/loading-img.gif | |
| hxxp://digimatic.biz/pages/displayCore2_russian/typ2-1.html | |
| hxxp://counter.yadro.ru/hit?t45.6;r;s1276*846*32;uhttp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834;h%u0417%u0430%u0432%u0435%u0440%u0448%u0435%u043D%u0438%u0435 %u0443%u0441%u0442%u0430%u043D%u043E%u0432%u043A%u0438 Setup...;0.43160654467143244 | |
| hxxp://counter.yadro.ru/hit?q;t45.6;r;s1276*846*32;uhttp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834;h%u0417%u0430%u0432%u0435%u0440%u0448%u0435%u043D%u0438%u0435 %u0443%u0441%u0442%u0430%u043D%u043E%u0432%u043A%u0438 Setup...;0.43160654467143244 | |
| hxxp://tundra.site/pages/displayCore2_russian/typ2-1.html | |
| hxxp://tundra.site/pages/displayCore2_russian/css/style.css | |
| hxxp://tundra.site/pages/displayCore2_russian/images/icon2-green.png | |
| hxxp://tundra.site/pages/displayCore2_russian/images/icon1-green.png | |
| hxxp://tundra.site/pages/displayCore2_russian/images/icon3-green.png | |
| hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/scripts/1/adnl.min.js | |
| hxxp://southronswrap.tech/pure.html?campid=11552&version=1.1.5.90&instid[appname]=Setup&instid[appsetupurl]=https://xakepy.soft-ingeniring.com.ua/zip/setup.zip&instid[appimageurl]=https://xakepy.soft-ingeniring.com.ua/img/installs/2.jpg&prefix=Setup&instid[thankyoupage]=http://mega-vzlom.com/?back=am&ti1=&instid[interrupted]=undefined | |
| hxxp://southronswrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI | |
| hxxp://southronswrap.tech/myassets/pass_src/style.css | |
| hxxp://neu-dl-api.cloudapp.net/api/vv/1?callback=cb_1460047587208&ts=1460047587208&sessionId=FdIzE&rfr=&siteId=9306&aus=3958,1,0 | |
| hxxp://southronswrap.tech/myassets/pass_src/jquery-1.3.2.min.js | |
| hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/layouts/graphic_300x250.js?v=4.4.28 | |
| hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/images/1ad74167-6977-4580-930a-bf7c3478533c.png | |
| hxxp://tundra.site/pages/displayCore2_russian/ | |
| hxxp://southronswrap.tech/myassets/media/pass/bg.png | |
| hxxp://southronswrap.tech/myassets/media/pass/header.png | |
| hxxp://webpagescripts.net/util1.js?c=11552&s=ML | |
| hxxp://southronswrap.tech/myassets/media/pass/01.png | |
| hxxp://webpagescripts.net/mac-detect.js?c=11552 | |
| hxxp://southronswrap.tech/myassets/media/pass/03.png | |
| hxxp://southronswrap.tech/myassets/media/pass/02.png | |
| hxxp://southronswrap.tech/myassets/media/pass/str.png | |
| hxxp://selfchecking.xyz/intro.php?wg=KWGMIXNUPRIjN6fGdpYGB a3txJCwkKCcxbWN6YnJ/bygoaAM3PyI3az0ocz0kJjtydAxsaghwYhQmMiAsZC40OT8/ZTQoIGxqCHBjFCk2JCZsawo0PXQiOXo4JzwrMzk8LjNhOT0rf2h2MzskeiU9LD4mdW&ix=EKcnULbGoILTE5Lic Yzo3KCF9OyUwIiMgKic7N3woOCpjPDlrZxYoIidifw8rKyElImUtLj1vNi84bQEuIzI9bzk PD1vIyMzPTp9fRR1YA1ydQsxOSUwICtlJCgrPXUnOzc3JT41JCc/YDY/P2UiJmh7Hi&up=c4N3d5ES4jOiwvOTwhbmUBf2cyPjJ2JzgyP3B4fjRnbWJtJDM4K2V/cyUhLi96fG8ifGhgdDgjMi90aWgmYW96M356KmEvZmNhfmFzdCs9KDcxayk2d3wqaHkxMmMoMSV/eGkoZWIxbSN2cHhseGVgZnNmf3w= | |
| hxxp://mega-vzlom.com/?back=install | |
| hxxp://www.overfaithfullywrap.tech/myassets/media/pass/bg.png | |
| hxxp://www.overfaithfullywrap.tech/myassets/media/pass/02.png | |
| hxxp://www.overfaithfullywrap.tech/myassets/media/pass/01.png | |
| hxxp://www.overfaithfullywrap.tech/myassets/media/pass/03.png | |
| hxxp://cdn.castplatform.com/scripts/1/adnl.min.js | |
| hxxp://www.overfaithfullywrap.tech/myassets/media/pass/header.png | |
| hxxp://d.castplatform.com/api/vv/1?callback=cb_1460047587208&ts=1460047587208&sessionId=FdIzE&rfr=&siteId=9306&aus=3958,1,0 | |
| hxxp://www.selfchecking.xyz/intro.php?wg=KWGMIXNUPRIjN6fGdpYGB a3txJCwkKCcxbWN6YnJ/bygoaAM3PyI3az0ocz0kJjtydAxsaghwYhQmMiAsZC40OT8/ZTQoIGxqCHBjFCk2JCZsawo0PXQiOXo4JzwrMzk8LjNhOT0rf2h2MzskeiU9LD4mdW&ix=EKcnULbGoILTE5Lic Yzo3KCF9OyUwIiMgKic7N3woOCpjPDlrZxYoIidifw8rKyElImUtLj1vNi84bQEuIzI9bzk PD1vIyMzPTp9fRR1YA1ydQsxOSUwICtlJCgrPXUnOzc3JT41JCc/YDY/P2UiJmh7Hi&up=c4N3d5ES4jOiwvOTwhbmUBf2cyPjJ2JzgyP3B4fjRnbWJtJDM4K2V/cyUhLi96fG8ifGhgdDgjMi90aWgmYW96M356KmEvZmNhfmFzdCs9KDcxayk2d3wqaHkxMmMoMSV/eGkoZWIxbSN2cHhseGVgZnNmf3w= | |
| hxxp://www.overfaithfullywrap.tech/myassets/pass_src/style.css | |
| hxxp://www.webpagescripts.net/util1.js?c=11552&s=ML | |
| hxxp://www.overfaithfullywrap.tech/pure.html?campid=11552&version=1.1.5.90&instid[appname]=Setup&instid[appsetupurl]=https://xakepy.soft-ingeniring.com.ua/zip/setup.zip&instid[appimageurl]=https://xakepy.soft-ingeniring.com.ua/img/installs/2.jpg&prefix=Setup&instid[thankyoupage]=http://mega-vzlom.com/?back=am&ti1=&instid[interrupted]=undefined | |
| hxxp://cdn.castplatform.com/images/1ad74167-6977-4580-930a-bf7c3478533c.png | |
| hxxp://www.overfaithfullywrap.tech/myassets/media/pass/str.png | |
| hxxp://www.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI | |
| hxxp://www.overfaithfullywrap.tech/myassets/pass_src/jquery-1.3.2.min.js | |
| hxxp://www.webpagescripts.net/mac-detect.js?c=11552 | |
| hxxp://cdn.castplatform.com/layouts/graphic_300x250.js?v=4.4.28 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pages/displayCore2_russian/images/icon1-green.png HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tundra.site
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 07 Apr 2016 16:38:44 GMT
Content-Type: image/png
Content-Length: 3392
Last-Modified: Thu, 12 Jun 2014 09:04:00 GMT
Connection: keep-alive
ETag: "53996d00-d40"
Accept-Ranges: bytes.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq
.e<....IDATx..[{l[W.?..g..fvR.]..2.4.z.N..?jOC......C....IS[....%Y.
...........i][email protected].@.?Hs%.:&.....&..c.............#YIS...;.w.....cB.O.
.....GE.l.3.n7.2Rv..FQ..JF. ...Lt.....?..m.cN...'yK...k..Y..l.........
.j...qO:.?.......n...8K........K7<9X.db.$.....b.............=-.....
...<uhB..2......-/VI.Hzy.$."..?y...<.....-.iF..x.. ...N..ke....)
......!._.mJc..p,a.Z.Gd.x.(...p.......j....~3.. .I..a....~4...S...NN0f
.W..2.I.....t....i`..1d.6....E...^.oKGb$qm.}..;.f...g...h%x..t.K ..'..
.....(X...W.:...]#.p......>.._;.>j..{..V.(k.W...O\....oj..^.....
K.lq>.<.......eJ........?..Yp.`.Ic........F............OV.../...
n.....u.3...F..`... .....oj..b.......7"..;]i.B.. ...K.A{..W.^.g....9..
?}..p....R.M....i..N.D....;......QK..,".....9.....ub>...P.....g:9/.
..:?.y?..a8...L....L.b.s............W...O|.S...w*...3=..J.,...:...3ok.
.mz....W....E.S.F.N...99K.v.S.P.......].!ey:]#C..!.8 .W...D;dq.......&
gt;;...|Y.,3D.Gq.Mg.D..i.|..X.......[[email protected].*cYmj.=.3..2........W.
..vw...fy9^.....z......pEQ. ...Q....T....#.[/..t.0z.h!..>t.....%".B
l.{.<.{.JW.....?.3h.{w...(...DF..p...dV.}X....PJ...n.A.....o. p.(..
........H..3....H...N....F)p8....$.......Y....z:Tn.....W.q....6..D..G.
Ud.f.....C.X....D......N..{..T.j......../."..=...g..)..<(hwX.rf...0
...Z=J..=....1B..n.$U\.P.re.ku.u&8.nC.........W........so..../.O5...G.
....OB#%...x...~..`.;.....^.m."...........q..S]..T.....Fj)>...|.jZ.
..['.....:.s.x..O.m.....[....\$0..{..&.r...^.U...?.o..Y.......ZW].<<< skipped >>>
GET /pages/displayCore2_russian/ HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tundra.site
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 07 Apr 2016 16:38:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip114...............n. .......{BpRi.(.....hC..M..uy.A.i..ia.,0..l0L....O
LI.r.t0...V........I..5b..N......#.|.32........r.M.v..t.x..k.c$S.3...@
.....%.<.FDR.r....d....U].....6.....1....S...'..l^..s........"{.\..
l"[email protected]/...^f.0..zg..........9s}}9.*2.....I.-.....~.....
......0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Thu, 07 Apr 2016
16:38:45 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Con
nection: keep-alive..Vary: Accept-Encoding..Content-Encoding: gzip..11
4...............n. .......{BpRi.(.....hC..M..uy.A.i..ia.,0..l0L....OLI
.r.t0...V........I..5b..N......#.|.32........r.M.v..t.x..k.c$S.3...@..
...%.<.FDR.r....d....U].....6.....1....S...'..l^..s........"{.\..l"
[email protected]/...^f.0..zg..........9s}}9.*2.....I.-.....~.......
....0..
GET /scripts/1/adnl.min.js HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:20 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 59620
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: EWemSQBepDOLqdXHMBDo7g==
Last-Modified: Wed, 30 Mar 2016 12:54:04 GMT
ETag: 0x8D3589A5F8E2CCD
X-Node: cdn1
Server: NetDNA-cache/2.2
X-Cache: HIT// CAST Delivery Agent v4.4.28 #12:54.!function(global,undefined){Arra
y.prototype.indexOf||(Array.prototype.indexOf=function(e,t){if(this===
undefined||null===this)throw new TypeError('"this" is null or not defi
ned');var n=this.length>>>0;for(t= t||0,1/0===Math.abs(t)&&(t
=0),0>t&&(t =n,0>t&&(t=0));n>t;t )if(this[t]===e)return t;re
turn-1}),"object"!=typeof window.JSON&&(window.JSON={},window.JSON.str
ingify=function(e){if("[object Array]"===Object.prototype.toString.cal
l(e)){if(e.length>0){for(var t=e.length,n=[],a=0;t>a; a)n.push(
this.stringify(e[a]));return"[" n.join(", ") "]"}return"[]"}if("object
"==typeof e&&null!==e){var n=[];for(a in e)n.push('"' a '": ' this.str
ingify(e[a]));return"{" n.join(", ") "}"}return"string"==typeof e?'"'
e.replace(/"/g,'\\"') '"':e},window.JSON.parse=function(text,reviver){
function walk(e,t){var n,a,i=e[t];if(i&&"object"==typeof i)for(n in i)
Object.prototype.hasOwnProperty.call(i,n)&&(a=walk(i,n),a!==undefined?
i[n]=a:delete i[n]);return reviver.call(e,t,i)}var cx=/[\u0000\u00ad\u
0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\u
feff\ufff0-\uffff]/g,j;if(text=String(text),cx.lastIndex=0,cx.test(tex
t)&&(text=text.replace(cx,function(e){return"\\u" ("0000" e.charCodeAt
(0).toString(16)).slice(-4)})),/^[\],:{}\s]*$/.test(text.replace(/\\(?
:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|fals
e|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g,"]").replace(/(?:^|:|,)(?:\
s*\[) /g,"")))return j=eval("(" text ")"),"function"==typeof reviv<<< skipped >>>
GET /layouts/graphic_300x250.js?v=4.4.28 HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:21 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 2972
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: KiIZm6dlzklWp1p98ApFMQ==
Last-Modified: Mon, 28 Mar 2016 09:00:09 GMT
ETag: 0x8D356E75DA2551A
X-Node: cdn2
Server: NetDNA-cache/2.2
X-Cache: HITcb_layout({transformer:{name:["Graphic_300x250"],mainLayout:"graphic_3
00_250_combo",subLayouts:["graphic_300_250_single_inner"]},addZoneType
s:function(e,a){a.graphic_layout={family:"layout_base",style:a.layout_
base.style ".namespace{overflow:hidden;background:#fff;border-top:soli
d 30px #39393a;border-bottom:solid 1px #f6f6f6}.namespace .slots{backg
round-color:#f9f9f9;overflow:hidden}.namespace .ca-sec-title{color:#ff
f;font-weight:400;line-height:30px;margin:0;font-size:12px;position:ab
solute;padding-left:10px;top:0}",template:'<div class="header ca-se
c-title cstm-title">{{adunit_title|default:we_recommend}}</div&g
t;<div class="slots cstm-bg"></div>'},a.graphic_inner=e.ex
tend({},a.inner_base,{style:a.inner_base.style ".namespace{display:blo
ck;overflow:hidden;position:relative;margin:0;border-bottom:solid 1px
#3d3c3d;border-right:solid 1px #3d3c3d;border-left:solid 1px #3d3c3d}.
namespace h1,.namespace h2,.namespace h3,.namespace h4,.namespace h5,.
namespace p{margin:0}.namespace a{right:14px;bottom:12px;color:#2bb22f
;font-size:12px;font-weight:700}.namespace a.download_now_placeholder{
text-decoration:none}.namespace img{position:absolute;border:0}.namesp
ace .ca-title{font-weight:700;color:#4d4d4d;margin:0;height:auto}.name
space .ca-company{color:#768797;font-weight:400;font-size:14px;line-he
ight:24px}.namespace .ca-description{color:#5d5d5d;font-size:14px}.nam
espace .ca-stars-rating{margin-top:12px}.namespace .download_now{posit
ion:absolute;top:auto;right:auto;left:12px;bottom:9px}.namespace i<<< skipped >>>
GET /images/1ad74167-6977-4580-930a-bf7c3478533c.png HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:21 GMT
Content-Type: image/png; charset=utf-8
Content-Length: 1809
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: KZth6iAQTO7dVRd0ApjcRg==
Last-Modified: Thu, 10 Mar 2016 09:40:46 GMT
ETag: 0x8D348C80E8AB1A2
X-Node: cdn2
Server: NetDNA-cache/2.2
X-Cache: HIT.PNG........IHDR...d...d.....p..T....tEXtSoftware.Adobe ImageReadyq.e&
lt;...hiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap
/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xm
p.did:05801174072068118083CC1380C2A5EB" xmpMM:DocumentID="xmp.did:B9C1
07F2A61611E28BEABCE338DCB390" xmpMM:InstanceID="xmp.iid:B9C107F1A61611
E28BEABCE338DCB390" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:AC7ABFA9382068118C
1498AF981ABACE" stRef:documentID="xmp.did:05801174072068118083CC1380C2
A5EB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?> ......?IDATx....OSQ.._...(.......VE.E. .@
...5.@.:1...F...?.A.'uW.7.&.$F.'[email protected].....{Z.'.-..i.>..=....
.|..$.T.T9.R...H%.....*.T..EG.....*..1.H=.D.u.?.tn..Vy.RH.lc..S.*-..J.
5.....#.3..N;......A.7......B...A. .!..\..7...4z....T..xdw.[.w.Kn.K.r]
..G%...o....rp].Wt.d...|[X...../.....B....#.......RX....lg<..]..`.m
[z.".o.(-...&i9\.).N..D.u....#.......:.2..*]'kh.&4........a..\.|.x....
..Z............c\..Bo.!)r.!....9r...V.9...m..O{ ...O...w.X!.;.d_..!...
-.O...lB.........hL^.}...S.ibN..C.Z. .*U.....:.Cn..._`.#$Y...-....<<< skipped >>>
GET /util1.js?c=11552&s=ML HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.webpagescripts.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/javascript
Date: Thu, 07 Apr 2016 16:46:22 GMT
Server: Apache/2.2.29 (Amazon)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
Content-Length: 20
Connection: keep-alive........................
GET /mac-detect.js?c=11552 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.webpagescripts.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/javascript
Date: Thu, 07 Apr 2016 16:46:22 GMT
Server: Apache/2.2.29 (Amazon)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
Content-Length: 178
Connection: keep-alive..........%.=.. .....?0...Te.!.....).D..Gkb....\....^..NVF.,&.[..h....
..TL.M.....^}......F.FD8..$C.........f.K&.B.N...r....c...g#.}'#.%..J.
..vhNy..|..l..=....m...........>x.....HTTP/1.1 200 OK..Content-Enco
ding: gzip..Content-Type: text/javascript..Date: Thu, 07 Apr 2016 16:4
6:22 GMT..Server: Apache/2.2.29 (Amazon)..Vary: Accept-Encoding..X-Pow
ered-By: PHP/5.3.28..Content-Length: 178..Connection: keep-alive......
......%.=.. .....?0...Te.!.....).D..Gkb....\....^..NVF.,&.[..h.... ..T
L.M.....^}......F.FD8..$C.........f.K&.B.N...r....c...g#.}'#.%..J...vh
Ny..|..l..=....m...........>x.......
GET /?back=install HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: mega-vzlom.com
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Thu, 07 Apr 2016 16:46:49 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dfb506f57a943293a26ec4df3bdf85d691460047609; expires=Fri, 07-Apr-17 16:46:49 GMT; path=/; domain=.mega-vzlom.com; HttpOnly
Location: hXXps://mega-vzlom.com/?back=install
Server: cloudflare-n
GET /pure.html?campid=11552&version=1.1.5.90&instid[appname]=Setup&instid[appsetupurl]=https://xakepy.soft-ingeniring.com.ua/zip/setup.zip&instid[appimageurl]=https://xakepy.soft-ingeniring.com.ua/img/installs/2.jpg&prefix=Setup&instid[thankyoupage]=http://mega-vzlom.com/?back=am&ti1=&instid[interrupted]=undefined HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 302 Found
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 07 Apr 2016 16:46:20 GMT
Location: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Server: Apache/2.2.31 (Amazon)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
Content-Length: 20........................
GET /JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 07 Apr 2016 16:46:21 GMT
Server: Apache/2.2.31 (Amazon)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
Content-Length: 1577...........W[s.F.~Ng....4.. !.].#:. 6w.E0.t: i..$... D...G.;.M.N..>
..r.w.:..S.....g...d........R...aiZ.n..k..C.ZF6..........(H..L.iZ..jj.
..5{.mr,[email protected]...^X.Da,.....Zm...&.......8"...O8'\A..%....d..G..
.D>...T..L...r.!.Fj..s...."...Kg..r.~..@..~.T....}. k8.[..T......{.
....^o8-.K*C.h.4.....n..!..(..ME.2,....x.*.....Du.P.'...s..".$.....@..
p9M$....->...J.j..5....O..x.w.J...F9..O4...e..G.....T...Q"t...M....
..E.9<...Ot..a..R.......3&h<G .......u.1c ..2.D.V...2.1. .",...0
C.Pw.. ..KK.F..Q.....b.....b&..:....R.$....KpK.d[...35.......^..w..h.^
.N. /.]]....t.t....3......ds./..(k.x[f....,d.]l....,....B.[...>....
...|../...e.c..........X..My..<.-....s..T.[.$tR.5..7}E7f.....s..=.u
.......].}m.M.6.....q`.lh%.Q3....kS.....f...Mdo........V.m..l.oFM}....
.....X.]..w#6.[..d...|t7..[...U.c...9.F...D.....*1....NZ.........N4..
n6Zt*..<...U.1..iGv..j..As.I..5........./..V..y4..N...i7j...A.G...%
j.........G|....>..~.....O...vPq..A.>...A.... ..!u.......3T.c...
.X.........Hi..( ..5.P?U...~...5.P..0#.............<:...4.X^....._.
.`..V...Yl.....#.....Y.4._%......&9...qi...0.........}...,(......N{.O.
\.........?p.. ....H/....~...y .E#z......(,O..... .a.#.T...I....PP...{
.~^@.....t.C.#.9.m....lT....:.......C;,..%...|S..a.Qw84..?....tD<..
^..u5...X.2..v`..W..|....e..........$...f...,....U\.p... ..p.'.bz....l
iR.!.{.0.rWS(..G.....$C.uI".(.D...h....dGH`.K....bO...C.3..f19.e.....E
..#....<......3s.dJ.1..`g.....b..9J.....`.L1'.'6.39..R4Ct.9V.1.....
.C-...Cwt.lrzVA..y.E......4.GisZ-...V.P.w.C..m}..a...J.U....A`....<<< skipped >>>
GET /myassets/pass_src/style.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Encoding: gzip
Content-Type: text/css
Date: Thu, 07 Apr 2016 16:46:21 GMT
ETag: "40cb3-87e-52984a6001b40"
Last-Modified: Sun, 17 Jan 2016 09:56:21 GMT
Server: Apache/2.2.31 (Amazon)
Vary: Accept-Encoding
Content-Length: 773
GET /myassets/media/pass/bg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 07 Apr 2016 16:46:22 GMT
ETag: "40cb2-656b-5298474780d80"
Last-Modified: Sun, 17 Jan 2016 09:42:30 GMT
Server: Apache/2.2.31 (Amazon)
Content-Length: 25963
GET /myassets/media/pass/01.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 07 Apr 2016 16:46:22 GMT
ETag: "40cb1-215d-5298474598900"
Last-Modified: Sun, 17 Jan 2016 09:42:28 GMT
Server: Apache/2.2.31 (Amazon)
Content-Length: 8541
GET /myassets/media/pass/03.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 07 Apr 2016 16:46:22 GMT
ETag: "40cbc-6319-529847468cb40"
Last-Modified: Sun, 17 Jan 2016 09:42:29 GMT
Server: Apache/2.2.31 (Amazon)
Content-Length: 25369
GET /myassets/media/pass/02.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 07 Apr 2016 16:46:23 GMT
ETag: "40cbb-49cd-52bf7e1dfa480"
Last-Modified: Wed, 17 Feb 2016 14:15:30 GMT
Server: Apache/2.2.31 (Amazon)
Content-Length: 18893
GET /myassets/media/pass/str.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 07 Apr 2016 16:46:23 GMT
ETag: "40c6a-9ea-5298474c458c0"
Last-Modified: Sun, 17 Jan 2016 09:42:35 GMT
Server: Apache/2.2.31 (Amazon)
Content-Length: 2538
GET /li.js HTTP/1.1
Accept: */*
Referer: hXXp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xakepy.soft-ingeniring.com.ua
Connection: Keep-Alive
Cookie: __cfduid=d6741696ca95828a451546784aa2ac1e31460047578; generaldownload=1
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:19 GMT
Content-Type: application/javascript
Content-Length: 314
Connection: keep-alive
Last-Modified: Sat, 26 Apr 2014 06:24:58 GMT
ETag: "15e2b53-1c8-4f7ec242b4280"
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block;
CF-Cache-Status: MISS
Expires: Thu, 07 Apr 2016 20:46:19 GMT
Cache-Control: public, max-age=14400
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 28fef47a633316dc-ARN
GET /intro.php?wg=KWGMIXNUPRIjN6fGdpYGB a3txJCwkKCcxbWN6YnJ/bygoaAM3PyI3az0ocz0kJjtydAxsaghwYhQmMiAsZC40OT8/ZTQoIGxqCHBjFCk2JCZsawo0PXQiOXo4JzwrMzk8LjNhOT0rf2h2MzskeiU9LD4mdW&ix=EKcnULbGoILTE5Lic Yzo3KCF9OyUwIiMgKic7N3woOCpjPDlrZxYoIidifw8rKyElImUtLj1vNi84bQEuIzI9bzk PD1vIyMzPTp9fRR1YA1ydQsxOSUwICtlJCgrPXUnOzc3JT41JCc/YDY/P2UiJmh7Hi&up=c4N3d5ES4jOiwvOTwhbmUBf2cyPjJ2JzgyP3B4fjRnbWJtJDM4K2V/cyUhLi96fG8ifGhgdDgjMi90aWgmYW96M356KmEvZmNhfmFzdCs9KDcxayk2d3wqaHkxMmMoMSV/eGkoZWIxbSN2cHhseGVgZnNmf3w= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.selfchecking.xyz
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Content-Disposition: attachment; filename="Setup__11552_il524418_26.exe"
Content-Type: application/x-msdownload
Date: Thu, 07 Apr 2016 16:46:26 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 290328
GET /hit?t45.6;r;s1276*846*32;uhttp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834;h%u0417%u0430%u0432%u0435%u0440%u0448%u0435%u043D%u0438%u0435 %u0443%u0441%u0442%u0430%u043D%u043E%u0432%u043A%u0438 Setup...;0.43160654467143244 HTTP/1.1
Accept: */*
Referer: hXXp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: counter.yadro.ru
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Thu, 07 Apr 2016 16:46:19 GMT
Server: 0W/0.8c
Content-Type: text/html
Location: hXXp://counter.yadro.ru/hit?q;t45.6;r;s1276*846*32;uhttp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834;h%u0417%u0430%u0432%u0435%u0440%u0448%u0435%u043D%u0438%u0435 %u0443%u0441%u0442%u0430%u043D%u043E%u0432%u043A%u0438 Setup...;0.43160654467143244
Content-Length: 32
Expires: Tue, 07 Apr 2015 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: FTID=1N1exR2cY1vS1N1exR00EG1H; path=/; expires=Thu, 06 Apr 2017 21:00:00 GMT; domain=.yadro.ru
<html><body>Moved</body></html>
GET /hit?q;t45.6;r;s1276*846*32;uhttp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834;h%u0417%u0430%u0432%u0435%u0440%u0448%u0435%u043D%u0438%u0435 %u0443%u0441%u0442%u0430%u043D%u043E%u0432%u043A%u0438 Setup...;0.43160654467143244 HTTP/1.1
Accept: */*
Referer: hXXp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: counter.yadro.ru
Connection: Keep-Alive
Cookie: FTID=1N1exR2cY1vS1N1exR00EG1H
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:19 GMT
Server: 0W/0.8c
Connection: Close
Content-Type: image/gif
Content-Length: 104
Expires: Tue, 07 Apr 2015 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: VID=02pbp72J_GfS1N1exR00EG1L; path=/; expires=Thu, 06 Apr 2017 21:00:00 GMT; domain=.yadro.ru
GET /loading-img.gif HTTP/1.1
Accept: */*
Referer: hXXp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xakepi.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:19 GMT
Content-Type: image/gif
Content-Length: 39507
Connection: keep-alive
Set-Cookie: __cfduid=d39983d76c094ef82b15c188bf929bed61460047579; expires=Fri, 07-Apr-17 16:46:19 GMT; path=/; domain=.xakepi.ru; HttpOnly
Last-Modified: Fri, 04 Apr 2014 03:19:20 GMT
ETag: "533e24b8-9a53"
CF-Cache-Status: HIT
Expires: Fri, 15 Apr 2016 16:46:19 GMT
Cache-Control: public, max-age=691200
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 28fef47acc393726-ARN
GET /api/vv/1?callback=cb_1460047587208&ts=1460047587208&sessionId=FdIzE&rfr=&siteId=9306&aus=3958,1,0 HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 1262
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
X-Country: UA
P3P: CP='NON UNI COM NAV STA OUR IND'
Set-Cookie: cuuid=797c9dcf-555d-4250-85af-263f954a0809; expires=Tue, 07 Apr 2026 16:46:21 GMT; domain=d.castplatform.com; path=/
X-Elapsed: 210
X-Node: NEU3940D0
Date: Thu, 07 Apr 2016 16:46:21 GMT
cb_1460047587208 && cb_1460047587208({"zones":[{"id":3958,"status":200
,"enabled":true,"template":"Graphic_300x250","data":[{"title":"Faceboo
k","description":"................ .............. Facebook\n..........
........................ .................. .. .......................
. .. ........","button":"......................","company":"","rating"
:0.0,"clk":"WMo78rsox1cAR2XDGNv-46QId5Gx8WQT89csMIjP_9KDqLdt-y_pbRhWM-
xhJjzZ5Bv5BEv83FWpV1gEluqi8qWD3gYdhk0HqIixpXp7E1EC20pPK2S6mf2-a_n2wsZd
A9UXOHCzTf_Xw5F4fxYs0v4u7DSaAqDMAFLtZn8bRFDSDu_Y2_7XH4PDBimcEVjwZUSkLO
uWFl7HUZEgAS1WcZg7ZOm-0JGDT5JZca4oJTh38MpPDrNonqxTL8sbzbsgUfzDWyC1PREp
o12IwJghJjjXKEw0fWrkDMIL-UpOsc-TwycrCzXfjfZNQhN4A7Kna9R1gajM5yRMELY2lb
XfgUbZfoo2bpto2bMLD_S4aTvRo2vUi1QH-Yf3R-WysPJWrrHEmUMn1HXxhwKN668XS1w0
KdcrP_RpDnA-y1DRYyXYRfxsvUh_LUHSYY-G4XaM4jd94f1NS92APZ7mMu0Fkw","width
":300,"height":250,"cUrl":"hXXp://d.castplatform.com/api/c/1?clk=%clk%
","trackers":[{"type":"Url","content":"hXXp://d.castplatform.com/api/v
p/1?clk=%clk%"}],"category":null,"assets":[{"assetDisplayType":2,"widt
h":96,"height":96,"url":"//cdn.castplatform.com/images/1ad74167-6977-4
580-930a-bf7c3478533c.png","javascript":"","clickTagVar":""}]}],"style
s":null,"settings":{"adUnitTitle":""},"displayType":"Size"}],"ts":210}
);..<<< skipped >>>
GET /files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xakepy.soft-ingeniring.com.ua
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d6741696ca95828a451546784aa2ac1e31460047578; expires=Fri, 07-Apr-17 16:46:18 GMT; path=/; domain=.soft-ingeniring.com.ua; HttpOnly
Set-Cookie: generaldownload=1; expires=Fri, 07-Apr-2017 21:41:47 GMT; path=/
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block;
Server: cloudflare-nginx
CF-RAY: 28fef47435f916a6-ARN
Content-Encoding: gzip
GET /unknownbrowser.png HTTP/1.1
Accept: */*
Referer: hXXp://xakepy.soft-ingeniring.com.ua/files/?n=setup.zip&pp=monstr&subid=3-0-201601254261834
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xakepy.soft-ingeniring.com.ua
Connection: Keep-Alive
Cookie: __cfduid=d6741696ca95828a451546784aa2ac1e31460047578; generaldownload=1
HTTP/1.1 200 OK
Date: Thu, 07 Apr 2016 16:46:19 GMT
Content-Type: image/png
Content-Length: 44581
Connection: keep-alive
Last-Modified: Thu, 27 Feb 2014 14:21:10 GMT
ETag: "15e2bd6-ae25-4f3640865a180"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block;
CF-Cache-Status: MISS
Expires: Thu, 07 Apr 2016 20:46:19 GMT
Cache-Control: public, max-age=14400
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 28fef47a167f16a6-ARN
GET /myassets/pass_src/jquery-1.3.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Thu, 07 Apr 2016 16:46:21 GMT
Server: Apache/2.2.31 (Amazon)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
Content-Length: 19740
GET /myassets/media/pass/header.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQdsORUhKBANVwUGf29GaigfVDlRQz8qUjgoRAEeQEdvaTVpaj9MWHJaLz0VYS4DBQVZGSk1GWlqP0xZclUrOR9paz0IBxJeJGcBIjwcDwNaUi58ADgrSFRMVUc5Zxw4LAkaTwd2b2gyaWo/EQtfUjojWj83Hx1HXVktPxolKhAHDRpUJTdaOTlcWyxOXjp/RgorHB0fRBkwMwRqNhgEV2dSPi8EajkJAAcJXz4uBD99SihPBnFvaDI0ORIMGk0ZOTUSOHUQBw1RWSMoHSI/VwoFWRk/O1F HhAEDREFDDMaPywYBQZHEngcRmIyCQ5MQUQvIkl9fgNbVwQROS4BLmVI
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.overfaithfullywrap.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/png
Date: Thu, 07 Apr 2016 16:46:22 GMT
ETag: "40cbd-d7420-5298474b51680"
Last-Modified: Sun, 17 Jan 2016 09:42:34 GMT
Server: Apache/2.2.31 (Amazon)
Content-Length: 881696
PNG body (tEXt Software: Adobe ImageReady); the embedded XMP packet reads:
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:1D1B3B05B9FD11E583C2D45E324DB3BA" xmpMM:DocumentID="xmp.did:1D1B3B06B9FD11E583C2D45E324DB3BA">
<xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1D1B3B03B9FD11E583C2D45E324DB3BA" stRef:documentID="xmp.did:1D1B3B04B9FD11E583C2D45E324DB3BA"/>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>
<<< skipped >>>
GET /pages/displayCore2_russian/typ2-1.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: digimatic.biz
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Date: Thu, 07 Apr 2016 16:38:43 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.0</center>
</body>
</html>
GET /pages/displayCore2_russian/typ2-1.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tundra.site
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Vary: Accept-Encoding
Content-Type: text/html
Content-Encoding: gzip
Date: Thu, 07 Apr 2016 16:38:43 GMT
Transfer-Encoding: chunked
ETag: W/"558c0294-8c3"
Connection: keep-alive
Set-Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A; path=/
Last-Modified: Thu, 25 Jun 2015 13:31:00 GMT
<<< skipped >>>
GET /pages/displayCore2_russian/css/style.css HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tundra.site
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 07 Apr 2016 16:38:44 GMT
Content-Type: text/css
Last-Modified: Mon, 16 Jun 2014 11:19:00 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"539ed2a4-71e"
Content-Encoding: gzip
<<< skipped >>>
GET /pages/displayCore2_russian/images/icon2-green.png HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tundra.site
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 07 Apr 2016 16:38:44 GMT
Content-Type: image/png
Content-Length: 3782
Last-Modified: Thu, 12 Jun 2014 09:05:00 GMT
Connection: keep-alive
ETag: "53996d3c-ec6"
Accept-Ranges: bytes
<<< skipped >>>
GET /pages/displayCore2_russian/images/icon3-green.png HTTP/1.1
Accept: */*
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tundra.site
Connection: Keep-Alive
Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 07 Apr 2016 16:38:44 GMT
Content-Type: image/png
Content-Length: 1519
Last-Modified: Thu, 12 Jun 2014 09:06:00 GMT
Connection: keep-alive
ETag: "53996d78-5ef"
Accept-Ranges: bytes
<<< skipped >>>
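The capture above is a flat listing of requests and responses, which is awkward to turn into indicators by hand. The script below is an added example, not part of the Lavasoft report: it parses that listing format, undoes the report's defanging (hXXp://, VVV.), pairs each request with its response, and extracts the hosts contacted, referer hosts, server banners, cookies set and every 3xx hop, checking whether the redirect target was then actually fetched (which is what ties digimatic.biz to tundra.site here). The sample transcript is constructed from the exchanges printed above with bodies and most headers trimmed and the long query string shortened; all function names are this example's own.

```python
"""Extract network indicators from a sandbox HTTP transcript (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the exchanges shown in the report
# (bodies and most headers dropped, long query string shortened).
TRANSCRIPT = """\
GET /pages/displayCore2_russian/typ2-1.html HTTP/1.1
Host: digimatic.biz
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.0
Location: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
GET /pages/displayCore2_russian/typ2-1.html HTTP/1.1
Host: tundra.site
HTTP/1.1 200 OK
Server: nginx/1.8.0
Set-Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A; path=/
GET /pages/displayCore2_russian/css/style.css HTTP/1.1
Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html
Host: tundra.site
Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A
HTTP/1.1 200 OK
Server: nginx/1.8.0
GET /myassets/pass_src/jquery-1.3.2.min.js HTTP/1.1
Referer: hXXp://VVV.overfaithfullywrap.tech/JPSSoXl?7JZtLXyij4Xi5nRWJpV1xEDQ
Host: VVV.overfaithfullywrap.tech
HTTP/1.1 200 OK
Server: Apache/2.2.31 (Amazon)
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})(?: .*)?$")


def refang(url: str) -> str:
    """Reverse the report's defanging: hXXp(s):// -> http(s)://, VVV. -> www."""
    url = re.sub(r"^hXXp(s?)://", r"http\1://", url)
    return re.sub(r"://VVV\.", "://www.", url)


def refang_host(host: str) -> str:
    return re.sub(r"^VVV\.", "www.", host)


@dataclass
class Exchange:
    method: str
    path: str
    req_headers: dict = field(default_factory=dict)
    status: Optional[int] = None
    resp_headers: dict = field(default_factory=dict)

    @property
    def url(self) -> str:
        # Only plaintext HTTP appears in this capture, so http:// is assumed.
        return "http://" + refang_host(self.req_headers.get("host", "")) + self.path


def parse_transcript(text: str) -> list[Exchange]:
    """A request line opens an exchange, a status line switches to its
    response side, any other 'Name: value' line is a header of that side."""
    exchanges: list[Exchange] = []
    side = "req"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_LINE.match(line)
        if m:
            exchanges.append(Exchange(m.group(1), m.group(2)))
            side = "req"
            continue
        m = STATUS_LINE.match(line)
        if m and exchanges:
            exchanges[-1].status = int(m.group(1))
            side = "resp"
            continue
        if ":" in line and exchanges:
            name, _, value = line.partition(":")
            target = exchanges[-1].req_headers if side == "req" else exchanges[-1].resp_headers
            target[name.strip().lower()] = value.strip()
    return exchanges


def redirect_hops(exchanges: list[Exchange]) -> list[tuple[str, int, str, bool]]:
    """(source URL, status, Location, followed?) for each 3xx response;
    'followed' is True when a later request fetched exactly that Location."""
    fetched = [ex.url for ex in exchanges]
    hops = []
    for i, ex in enumerate(exchanges):
        loc = ex.resp_headers.get("location")
        if ex.status is not None and 300 <= ex.status < 400 and loc:
            target = refang(loc)
            hops.append((ex.url, ex.status, target, target in fetched[i + 1:]))
    return hops


def indicators(exchanges: list[Exchange]) -> dict:
    """Hosts contacted, hosts seen in Referer, server banners, cookies set."""
    hosts, referers, servers, cookies = set(), set(), set(), set()
    for ex in exchanges:
        hosts.add(refang_host(ex.req_headers.get("host", "")))
        if "referer" in ex.req_headers:
            referers.add(urlsplit(refang(ex.req_headers["referer"])).netloc)
        if "server" in ex.resp_headers:
            servers.add(ex.resp_headers["server"])
        if "set-cookie" in ex.resp_headers:
            cookies.add(ex.resp_headers["set-cookie"].split(";", 1)[0])
    return {"hosts": sorted(hosts), "referer_hosts": sorted(referers),
            "servers": sorted(servers), "cookies": sorted(cookies)}


if __name__ == "__main__":
    exs = parse_transcript(TRANSCRIPT)
    for src, code, dst, followed in redirect_hops(exs):
        print(f"{src} --{code}--> {dst} (followed: {followed})")
    for key, values in indicators(exs).items():
        print(f"{key}: {', '.join(values)}")
```

Feeding it the full listing from a report gives a host list for blocking and the redirect chain for pivoting; the "followed" flag separates redirects the sample honoured from Location headers it ignored.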
The Trojan connects to the servers at the following location(s) (taken from the Host headers of the captured requests above):
VVV.overfaithfullywrap.tech
digimatic.biz
tundra.site
Strings from the process dump (these are consistent with the Windows XP SP3 build of Internet Explorer 6, iexplore.exe 6.00.2900.5512; the captured requests also carry an MSIE 6.0 User-Agent):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1100
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
(desktop.ini in Content.IE5 is the folder marker Internet Explorer itself writes to its cache directory; it is recreated the next time the browser runs, so deleting it is harmless but is not by itself evidence of infection.)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.