MD5: c2438343963277712a9450eb3d69f267
SHA1: 95de1f6e2280bbf398a0de0e09a07203be0b5d30
SHA256: 5b83d288759b90b4937ff29f7426907def9430aeab0cc76842f1a33a314eac66
SSDeep: 12288:h1PDz t9w4SPnufjaSFQsi2s78aApwfuGsNGOimJbEldxIlsoTrrH2MyrhNBSscU:LAi4SPnufjayimaswj5ODJEtQssWvhWk
Size: 783847 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MEW11SEv12, MEW11SEv11, UPolyXv05_v6, Mew11SEv12Eng
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:392

File activity

The process %original file name%.exe:392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\level_MIN_12.04[1].css (1443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b744ef7cf7616402b9cd75cd3b296755[1].jpg (3536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\idx_share_mood_v1[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1013v1400493293416348850[2].jpg (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1013v1401084571894271838[1].jpg (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dd4a181d99e9ef08ab7d0a6475f7d97f[2].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1401446314925913930[1].jpg (916 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA01Q30P.htm (976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[1] (621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[2] (7838 bytes)
%System%\drivers\etc\hosts (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\level_MIN_12.04[1].css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1013v1401447060362197786[1].jpg (2068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bd5463690a93c57a1039c47e11ab0f97[1].jpg (2876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a7e7de85243a438ba91ea4d3d8a017b2[1].jpg (4108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\firstpay[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base_MIN_11.05[2].css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6R4L2I.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\135960371121375988[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (642 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (205 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (644 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (205 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA63OHCV.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_MIN_11.99[1].css (2613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1013v1401369311257246325[2].jpg (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ab7b8d4601229526cb46e315af28c9db[2].jpg (5596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[2].aspx (372 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\975b51f2ce89d444e33414de976c88a0[1].jpg (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\LAB_0.1[1].js (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\LAB_0.1[1].js (6 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (642 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1395126094590286213[1].jpg (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index_MIN_11.99[1].css (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\base_MIN_11.05[2].css (1698 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\6[1].htm (7444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\eca1e2f901a17103ab05f7b46c358f6e[1].jpg (3988 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eca1e2f901a17103ab05f7b46c358f6e[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1013v1401447060362197786[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\base_MIN_11.05[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\LAB_0.1[2].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\level_MIN_12.04[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_MIN_11.99[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1013v1395126094590286213[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\level_MIN_12.04[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dd4a181d99e9ef08ab7d0a6475f7d97f[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1013v1401446314925913930[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6R4L2I.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base_MIN_11.05[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ab7b8d4601229526cb46e315af28c9db[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\firstpay[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[2].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd5463690a93c57a1039c47e11ab0f97[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\idx_share_mood_v1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\a7e7de85243a438ba91ea4d3d8a017b2[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index_MIN_11.99[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ab7b8d4601229526cb46e315af28c9db[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\975b51f2ce89d444e33414de976c88a0[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b744ef7cf7616402b9cd75cd3b296755[1].jpg (0 bytes)

Registry activity

The process %original file name%.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D E6 0E 6D 87 F5 46 25 F1 5F D1 9C 14 41 A5 2A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\MediaPlayer\Health\{12C8B8B5-8085-4512-AAE9-007203359F62}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1248 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://foshan.zcxsf.com/
hxxp://foshan.zcxsf.com/index.html
hxxp://c.myzwqwe12.com/AShow.aspx?AID=9842	115.236.16.240
hxxp://c.myzwqwe12.com/AShow.aspx?AID=9756	115.236.16.240
hxxp://foshan.zcxsf.com/Ä¢¹½Í¼Æ¬.gif
hxxp://c.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA315807783AEEE769939383F6E9FBAB7CBC49906&referer=http://www.cfmogu.com/&utz=1401548258923	115.236.16.240
hxxp://c.myzwqwe12.com/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F4733086192982B566766DC900B92C93FD57EF1C125A375B2E1110AF3F&Url=&referer=http://www.cfmogu.com/	115.236.16.240
hxxp://c.split.cnzz.com/stat.php?id=4693566&show=pic1
hxxp://c.myzwqwe12.com/pic/spacegif.gif	115.236.16.240
hxxp://c.myzwqwe12.com/pic/close.png	115.236.16.240
hxxp://c.myzwqwe12.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/2013.11.261.gif&gourl=http://z.myzwqwe12.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A6085337B3F658C8AAB6EA94E43CB687422F042AA031A1F28A8&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393	115.236.16.240
hxxp://c.myzwqwe12.com/pic/logo.png	115.236.16.240
hxxp://www.wgrdr.com/	112.218.71.150
hxxp://c.split.cnzz.com/core.php?web_id=4693566&show=pic1&t=z
hxxp://z10.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=0&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=486052776
hxxp://www.wgrdr.com/images/style.css	112.218.71.150
hxxp://115.236.19.58/xm/2013.11.261.gif
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1676874966
hxxp://c.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770522CB88AFFA3F95A453F57488EF6209&referer=http://www.cfmogu.com/&utz=1401548261783	115.236.16.240
hxxp://www.wgrdr.com/images/bg.jpg	112.218.71.150
hxxp://icon.cnzz.com/img/pic1.gif	42.156.162.7
hxxp://c.split.cnzz.com/z_stat.php?id=1000386919&show=pic
hxxp://pcookie.split.cnzz.com/app.gif?&cna=niARDPK2920CAbhrJiZfzYxx
hxxp://c.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770ADAEE0E95B9ECFF0DD9277764F29D77&referer=http://www.cfmogu.com/&utz=1401548261861	115.236.16.240
hxxp://www.wgrdr.com/images/boxm.jpg	112.218.71.150
hxxp://c.split.cnzz.com/core.php?web_id=1000386919&show=pic&t=z
hxxp://z6.cnzz.com/stat.htm?id=1000386919&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=448490370-1401565855-&showp=1024x768&st=0&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=1716897286	42.156.140.19
hxxp://www.wgrdr.com/images/t1.png	112.218.71.150
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1317414180
hxxp://icon.cnzz.com/img/pic.gif	42.156.162.7
hxxp://c.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770522CB88AFFA3F95A453F57488EF6209&referer=http://www.cfmogu.com/&utz=1401548260001	115.236.16.240
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1411165327
hxxp://z6.cnzz.com/stat.htm?id=1000386919&r=&lg=en-us&ntime=1401565855&repeatip=0&rtime=0&cnzz_eid=448490370-1401565855-&showp=1024x768&st=-17586&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=326117420	42.156.140.19
hxxp://c.myzwqwe12.com/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F4733086192982B566766DC90063264FACC835BF4A885D10235DA95AF0&Url=&referer=http://www.cfmogu.com/	115.236.16.240
hxxp://c.myzwqwe12.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/2013.11.261.gif&gourl=http://z.myzwqwe12.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A6085337B3F658C8AAB4734339BDB1BEF4A78245679B95E357C&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393	115.236.16.240
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1368847842
hxxp://z10.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=1&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17582&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=1274859904
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1773767685
hxxp://z10.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=2&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17581&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=628499311
hxxp://www.wgrdr.com/images/main1.jpg	112.218.71.150
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=2135677016
hxxp://js.union001.com/PClick.aspx?AID=15235&KEY=6FBCE2FEBE3F1F4B34035BDB1B9868C2CC3F7B0F77DABDE2
hxxp://1st.xdwscache.glb0.lxdns.com/?lq_aid=1398&uid=14516
hxxp://z10.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=3&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17581&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=115457607
hxxp://www.gm2468.com/68503.html?sid=10352	219.129.239.210
hxxp://c.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580774F589AF7166A99E38777B38C181F4178&referer=http://www.cfmogu.com/&utz=1401548269173	115.236.16.240
hxxp://c.myzwqwe12.com/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F4733086192982B566766DC900C8E9EE0D455F1460B196181AEDD96181&Url=&referer=http://www.cfmogu.com/	115.236.16.240
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=210753610
hxxp://c.myzwqwe12.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/2013.11.261.gif&gourl=http://z.myzwqwe12.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A6085337B3F658C8AABBF9806643B5380687428F80A055C674B&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393	115.236.16.240
hxxp://z10.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=4&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17580&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=1910486935
hxxp://clc.gmhuowan.com/aa.php?cid=68503&sid=10352&ref=	59.34.148.194
hxxp://1st.xdwscache.glb0.lxdns.com/index.swf?20120720
hxxp://1st.xdwscache.glb0.lxdns.com/mhjh/42/images/path.txt?20101020
hxxp://oall.s1.cdndns.4399hhh.com/qs/hw_xemw522/index.html?cid=16850340782&oid=100037702&dirtype=0&sid=68503&site_id=10352&p=
hxxp://1st.xdwscache.glb0.lxdns.com/mhjh/42/images/bg1.swf
hxxp://myconf6room.dtwscache.glb0.lxdns.com/?src=tuiga834
hxxp://1st.xdwscache.glb0.lxdns.com/mhjh/42/images/reg.swf
hxxp://1st.xdwscache.glb0.lxdns.com/mhjh/42/images/ren01.swf
hxxp://xnop006.tlgslb.com/15/index.html?ida=AHSG_126_29_26&idu=
hxxp://1st.xdwscache.glb0.lxdns.com/stat.js
hxxp://uimg.unionli.com/jsorigin/AC_RunActiveContent.js
hxxp://txt.unionli.com/txlink.php?alid=40782&oid=7702&game=qs
hxxp://myconf6room.dtwscache.glb0.lxdns.com/css/level_MIN_12.04.css
hxxp://myconf6room.dtwscache.glb0.lxdns.com/css/base_MIN_11.05.css
hxxp://cc00013.h.cncssr.chinacache.net/imges/live2013/logo.jpg
hxxp://cc00013.h.cncssr.chinacache.net/imges/pixel.gif
hxxp://1st.xdwscache.glb0.lxdns.com/mhjh/wm/mhjh_42.flv
hxxp://cc00013.h.cncssr.chinacache.net/imges/live/index/firstpay.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/2014/05/29/21/1013v1401369311257246325.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/2014/05/30/18/1013v1401447060362197786.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/2014/05/26/14/1013v1401084571894271838.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/2014/05/19/17/1013v1400493293416348850.jpg
hxxp://foshan.zcxsf.com/1.htm
hxxp://myconf6room.dtwscache.glb0.lxdns.com/event/promimg/?src=pming393
hxxp://1st.xdwscache.glb0.lxdns.com/adstat.php?wsite=snsfun&lq_aid=1398&lq_placeid=14516
hxxp://cc00013.h.cncssr.chinacache.net/live/33/84/bd5463690a93c57a1039c47e11ab0f97.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/69/59/eca1e2f901a17103ab05f7b46c358f6e.jpg
hxxp://oall.s1.cdndns.4399hhh.com/qs/hw_xemw522/index.html?cid=16850340782&oid=100037702&dirtype=0&sid=68503&p=
hxxp://myconf6room.dtwscache.glb0.lxdns.com/css/index_MIN_11.99.css
hxxp://cc00013.h.cncssr.chinacache.net/live/2014/05/30/18/1013v1401446314925913930.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/2014/03/18/15/1013v1395126094590286213.jpg
hxxp://wpa.qq.com/pa?p=1:1305643224:17	112.90.83.87
hxxp://wpa.qq.com/pa?p=1:494666586:17	112.90.83.87
hxxp://cc00013.h.cncssr.chinacache.net/live/08/80/a7e7de85243a438ba91ea4d3d8a017b2.jpg
hxxp://cc00013.h.cncssr.chinacache.net/imges/live2013/idx_share_mood_v1.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/59/88/135960371121375988.jpg
hxxp://cc00013.h.cncssr.chinacache.net/imges/live/CSSIMG/base_head_search.png
hxxp://cc00013.h.cncssr.chinacache.net/imges/live2013/idx_bgrepeat_v2.png
hxxp://cc00013.h.cncssr.chinacache.net/live/63/67/b744ef7cf7616402b9cd75cd3b296755.jpg
hxxp://cc00013.h.cncssr.chinacache.net/live/15/38/975b51f2ce89d444e33414de976c88a0.jpg
hxxp://c.split.cnzz.com/stat.php?id=2157618&web_id=2157618
hxxp://wpa.qq.com/pa?p=1:1712482633:17	112.90.83.87
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/s/tracing_3.js
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/s/e6u5-min.js?101016
hxxp://c.split.cnzz.com/stat.php?id=1360447&web_id=1360447
hxxp://cc00013.h.cncssr.chinacache.net/v/j7/42813b289d7baf467f18ecfa2f7738bf.png
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/z_MIN_14.72.js
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/index_MIN_12.84.js
hxxp://42.156.140.24/stat.htm?id=1360447&r=http://www.gm2468.com/68503.html?sid=10352&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=1973986219-1401565865-http://www.gm2468.com/&showp=1024x768&st=0&sin=http://www.gm2468.com/68503.html?sid=10352&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=857216144
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/jquery-1.8.2_v4.js
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/s/login_3.js
hxxp://180.169.18.136/MTFlashStore.swf
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/mootools_MIN_1.4.5.js
hxxp://myconf6room.dtwscache.glb0.lxdns.com/api/liveInfoCk.php
hxxp://txt.unionli.com/_reg.php?tpl=1400759847&game=qs&dirtype=0
hxxp://myconf6room.dtwscache.glb0.lxdns.com/js/im_new_MIN_0.36.js
hxxp://enop007.tlgslb.com/live.6.cn/e6u2/r.php?location=www.6.cn/?src=tuiga834#r4&referer=www.cfmogu.com/&browser=mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 2.0.50727; .net clr 3.0.04506.648; .net clr 3.5.21022; .net4.0c)&flash=10.0&msr=1024,768&uid=0&pro=4&stamp=1401548276939
hxxp://oall.s1.cdndns.4399hhh.com/tpl/hw_xemw522/rw.swf
hxxp://oall.s1.cdndns.4399hhh.com/tpl/hw_xemw522/rw1.swf
hxxp://oall.s1.cdndns.4399hhh.com/tpl/hw_xemw522/top.swf
hxxp://txt.unionli.com/_regload.php?tpl=1400759847&game=qs&dirtype=0
hxxp://oall.s1.cdndns.4399hhh.com/tpl/hw_xemw522/tc.swf
hxxp://oall.s1.cdndns.4399hhh.com/tpl/hw_xemw522/mu.swf
hxxp://www.wgrdr.com/images/xw.png	112.218.71.150
hxxp://p35.tcdn.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516
hxxp://p35.tcdn.qq.com/web201305/jscss/c_com.css
hxxp://p34.tcdn.qq.com/images/js/foot_js/gwfoot.min.js
hxxp://p34.tcdn.qq.com/images/bl/web201305/c_wrap.jpg
hxxp://p34.tcdn.qq.com/images/bl/web201305/body_bg.jpg
hxxp://p34.tcdn.qq.com/images/bl/server/c_header.jpg
hxxp://p34.tcdn.qq.com/images/bl/web201305/c_l_rep.jpg
hxxp://p34.tcdn.qq.com/images/bl/web201305/c_main.jpg
hxxp://p34.tcdn.qq.com/images/bl/web201305/c_spr.png
hxxp://p34.tcdn.qq.com/images/bl/server/latst_bg.jpg
hxxp://p34.tcdn.qq.com/images/bl/server/spr.png
hxxp://p34.tcdn.qq.com/images/js/foot_js/images/gw_footer.css
hxxp://p34.tcdn.qq.com/images/bl/web201305/f_logo.png
hxxp://p34.tcdn.qq.com/images/js/foot_js/images/foot_logo_q.png
hxxp://www.gm3579.com/tpl/hw_xemw522/tc.swf	60.21.154.181
hxxp://ossweb-img.qq.com/images/bl/server/latst_bg.jpg	203.205.142.142
hxxp://vj1.6rooms.com/css/index_MIN_11.99.css	61.146.152.57
hxxp://go.lequ.com/adstat.php?wsite=snsfun&lq_aid=1398&lq_placeid=14516	8.37.231.21
hxxp://go.snsfun.cc/mhjh/wm/mhjh_42.flv	8.37.231.19
hxxp://vj0.6rooms.com/js/z_MIN_14.72.js	106.38.244.64
hxxp://p.tuigoo.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/2013.11.261.gif&gourl=http://z.myzwqwe12.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A6085337B3F658C8AABBF9806643B5380687428F80A055C674B&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393	115.236.16.240
hxxp://vi2.6rooms.com/live/2014/03/18/15/1013v1395126094590286213.jpg	222.161.226.83
hxxp://vi1.6rooms.com/live/08/80/a7e7de85243a438ba91ea4d3d8a017b2.jpg	222.161.226.43
hxxp://vi4.6rooms.com/live/2014/05/19/17/1013v1400493293416348850.jpg	122.143.24.24
hxxp://hzs7.cnzz.com/stat.htm?id=1360447&r=http://www.gm2468.com/68503.html?sid=10352&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=1973986219-1401565865-http://www.gm2468.com/&showp=1024x768&st=0&sin=http://www.gm2468.com/68503.html?sid=10352&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=857216144
hxxp://ossweb-img.qq.com/images/bl/web201305/c_wrap.jpg	203.205.142.142
hxxp://vr0.6.cn/imges/pixel.gif	103.224.232.67
hxxp://go.snsfun.cc/mhjh/42/images/bg1.swf	8.37.231.19
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1317414180	42.120.219.171
hxxp://ossweb-img.qq.com/images/bl/server/c_header.jpg	203.205.142.142
hxxp://v.6.cn/event/promimg/?src=pming393	61.146.152.57
hxxp://ossweb-img.qq.com/images/bl/web201305/c_main.jpg	203.205.142.142
hxxp://vi7.6rooms.com/live/69/59/eca1e2f901a17103ab05f7b46c358f6e.jpg	101.28.252.33
hxxp://ossweb-img.qq.com/images/js/foot_js/images/foot_logo_q.png	203.205.142.142
hxxp://go.snsfun.cc/mhjh/42/images/path.txt?20101020	8.37.231.19
hxxp://vi5.6rooms.com/live/33/84/bd5463690a93c57a1039c47e11ab0f97.jpg	119.188.139.156
hxxp://www.cfmogu.com/index.html	121.12.125.78
hxxp://vi5.6rooms.com/live/2014/05/29/21/1013v1401369311257246325.jpg	119.188.139.156
hxxp://vj0.6rooms.com/js/s/e6u5-min.js?101016	106.38.244.64
hxxp://www.cfmogu.com/Ä¢¹½Í¼Æ¬.gif	121.12.125.78
hxxp://vj1.6rooms.com/css/level_MIN_12.04.css	61.146.152.57
hxxp://v1.cnzz.com/z_stat.php?id=1000386919&show=pic	1.99.192.15
hxxp://www.gm3579.com/qs/hw_xemw522/index.html?cid=16850340782&oid=100037702&dirtype=0&sid=68503&p=	60.21.154.181
hxxp://vr0.6rooms.com/v/j7/42813b289d7baf467f18ecfa2f7738bf.png	60.217.241.8
hxxp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516	203.205.143.146
hxxp://p.tuigoo.com/pic/close.png	115.236.16.240
hxxp://go.snsfun.cc/?lq_aid=1398&uid=14516	8.37.231.19
hxxp://www.6.cn/api/liveInfoCk.php	61.146.152.57
hxxp://uimg.xiaoangel.com/jsorigin/AC_RunActiveContent.js	121.10.141.89
hxxp://vr0.6.cn/imges/live/CSSIMG/base_head_search.png	103.224.232.67
hxxp://p.tuigoo.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/2013.11.261.gif&gourl=http://z.myzwqwe12.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A6085337B3F658C8AAB4734339BDB1BEF4A78245679B95E357C&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393	115.236.16.240
hxxp://pcookie.cnzz.com/app.gif?&cna=niARDPK2920CAbhrJiZfzYxx	42.120.219.171
hxxp://ossweb-img.qq.com/images/bl/web201305/f_logo.png	203.205.142.142
hxxp://p.tuigoo.com/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/2013.11.261.gif&gourl=http://z.myzwqwe12.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A6085337B3F658C8AAB6EA94E43CB687422F042AA031A1F28A8&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393	115.236.16.240
hxxp://www.gm3579.com/tpl/hw_xemw522/top.swf	60.21.154.181
hxxp://vi6.6rooms.com/live/2014/05/30/18/1013v1401447060362197786.jpg	119.188.139.168
hxxp://www.gm3579.com/tpl/hw_xemw522/mu.swf	60.21.154.181
hxxp://hzs9.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=3&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17581&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=115457607	42.156.140.23
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1411165327	42.120.219.171
hxxp://z.myzwqwe12.com/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F4733086192982B566766DC90063264FACC835BF4A885D10235DA95AF0&Url=&referer=http://www.cfmogu.com/	115.236.16.240
hxxp://z.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770ADAEE0E95B9ECFF0DD9277764F29D77&referer=http://www.cfmogu.com/&utz=1401548261861	115.236.16.240
hxxp://z.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580774F589AF7166A99E38777B38C181F4178&referer=http://www.cfmogu.com/&utz=1401548269173	115.236.16.240
hxxp://vj0.6rooms.com/js/jquery-1.8.2_v4.js	106.38.244.64
hxxp://ossweb-img.qq.com/images/bl/web201305/c_l_rep.jpg	203.205.142.142
hxxp://ossweb-img.qq.com/images/bl/web201305/body_bg.jpg	203.205.142.142
hxxp://js.tuigoo.com/pic/spacegif.gif	115.236.16.240
hxxp://www.gm3579.com/qs/hw_xemw522/index.html?cid=16850340782&oid=100037702&dirtype=0&sid=68503&site_id=10352&p=	60.21.154.181
hxxp://ossweb-img.qq.com/images/bl/server/spr.png	203.205.142.142
hxxp://z.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770522CB88AFFA3F95A453F57488EF6209&referer=http://www.cfmogu.com/&utz=1401548261783	115.236.16.240
hxxp://c.cnzz.com/core.php?web_id=1000386919&show=pic&t=z	42.156.140.11
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1676874966	42.120.219.171
hxxp://adm.qule.com/15/index.html?ida=AHSG_126_29_26&idu=	122.228.251.71
hxxp://u.union178.com/_reg.php?tpl=1400759847&game=qs&dirtype=0	115.238.73.92
hxxp://vj1.6rooms.com/css/base_MIN_11.05.css	61.146.152.57
hxxp://hzs9.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=1&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17582&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=1274859904	42.156.140.23
hxxp://vi0.6rooms.com/live/63/67/b744ef7cf7616402b9cd75cd3b296755.jpg	221.204.21.61
hxxp://vj0.6rooms.com/js/im_new_MIN_0.36.js	106.38.244.64
hxxp://vi0.6rooms.com/live/15/38/975b51f2ce89d444e33414de976c88a0.jpg	221.204.21.61
hxxp://hzs9.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=2&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17581&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=628499311	42.156.140.23
hxxp://z.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA315807783AEEE769939383F6E9FBAB7CBC49906&referer=http://www.cfmogu.com/&utz=1401548258923	115.236.16.240
hxxp://www.gm3579.com/tpl/hw_xemw522/rw.swf	60.21.154.181
hxxp://ossweb-img.qq.com/images/js/foot_js/gwfoot.min.js	203.205.142.142
hxxp://vj0.6rooms.com/js/mootools_MIN_1.4.5.js	106.38.244.64
hxxp://vi4.6rooms.com/live/2014/05/26/14/1013v1401084571894271838.jpg	122.143.24.24
hxxp://www.gm3579.com/tpl/hw_xemw522/rw1.swf	60.21.154.181
hxxp://vr6.6.cn/imges/live/index/firstpay.jpg	119.188.139.144
hxxp://z.myzwqwe12.com/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F4733086192982B566766DC900B92C93FD57EF1C125A375B2E1110AF3F&Url=&referer=http://www.cfmogu.com/	115.236.16.240
hxxp://p.tuigoo.com/pic/spacegif.gif	115.236.16.240
hxxp://ossweb-img.qq.com/images/js/foot_js/images/gw_footer.css	203.205.142.142
hxxp://u.union178.com/_regload.php?tpl=1400759847&game=qs&dirtype=0	115.238.73.92
hxxp://z.myzwqwe12.com/AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770522CB88AFFA3F95A453F57488EF6209&referer=http://www.cfmogu.com/&utz=1401548260001	115.236.16.240
hxxp://ossweb-img.qq.com/images/bl/web201305/c_spr.png	203.205.142.142
hxxp://hzs9.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=0&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=486052776	42.156.140.23
hxxp://www.gm3579.com/tpl/hw_xemw522/bg.swf	60.21.154.181
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=210753610	42.120.219.171
hxxp://shrek.6.cn/live.6.cn/e6u2/r.php?location=www.6.cn/?src=tuiga834#r4&referer=www.cfmogu.com/&browser=mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 2.0.50727; .net clr 3.0.04506.648; .net clr 3.5.21022; .net4.0c)&flash=10.0&msr=1024,768&uid=0&pro=4&stamp=1401548276939	122.228.251.141
hxxp://vi2.6rooms.com/live/2014/05/30/18/1013v1401446314925913930.jpg	222.161.226.83
hxxp://vi5.6rooms.com/live/59/88/135960371121375988.jpg	119.188.139.156
hxxp://pt.rbc.cn/PClick.aspx?AID=15235&KEY=6FBCE2FEBE3F1F4B34035BDB1B9868C2CC3F7B0F77DABDE2	115.238.73.171
hxxp://www.cfmogu.com/1.htm	121.12.125.78
hxxp://irs01.net/MTFlashStore.swf
hxxp://c.cnzz.com/core.php?web_id=4693566&show=pic1&t=z	42.156.140.11
hxxp://txt.union178.com/txlink.php?alid=40782&oid=7702&game=qs	115.238.73.92
hxxp://vr0.6.cn/imges/live2013/idx_bgrepeat_v2.png	103.224.232.67
hxxp://www.cfmogu.com/	121.12.125.78
hxxp://go.lequ.com/stat.js	8.37.231.21
hxxp://go.snsfun.cc/index.swf?20120720	8.37.231.19
hxxp://go.snsfun.cc/mhjh/42/images/ren01.swf	8.37.231.19
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1368847842	42.120.219.171
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1773767685	42.120.219.171
hxxp://vj0.6rooms.com/js/s/login_3.js	106.38.244.64
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=2135677016	42.120.219.171
hxxp://www.6.cn/?src=tuiga834	61.146.152.57
hxxp://vj0.6rooms.com/js/index_MIN_12.84.js	106.38.244.64
hxxp://hzs9.cnzz.com/stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=4&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17580&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=1910486935	42.156.140.23
hxxp://vj0.6rooms.com/js/s/tracing_3.js	106.38.244.64
hxxp://vr0.6.cn/imges/live2013/idx_share_mood_v1.jpg	103.224.232.67
hxxp://s6.cnzz.com/stat.php?id=4693566&show=pic1	1.99.192.15
hxxp://p.tuigoo.com/pic/logo.png	115.236.16.240
hxxp://bl.qq.com/web201305/jscss/c_com.css	203.205.143.146
hxxp://vr0.6.cn/imges/live2013/logo.jpg	103.224.232.67
hxxp://go.snsfun.cc/mhjh/42/images/reg.swf	8.37.231.19
hxxp://z.myzwqwe12.com/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F4733086192982B566766DC900C8E9EE0D455F1460B196181AEDD96181&Url=&referer=http://www.cfmogu.com/	115.236.16.240
pub.idqqimg.com	103.7.30.59
www.qule.com	222.73.155.30
www.huowan.com	113.107.160.136
s9.cnzz.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Outdated Windows Flash Version IE
SURICATA STREAM SHUTDOWN RST invalid ack
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM ESTABLISHED invalid ack
SURICATA STREAM FIN out of window

Traffic

GET /?lq_aid=1398&uid=14516 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: go.snsfun.cc

HTTP/1.1 200 OK

Date: Sat, 31 May 2014 19:50:59 GMT

Server: nginx/1.0.12

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.2.17p1

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Pragma: no-cache

Content-Encoding: gzip

X-Via: 1.1 dls21:2 (Cdn Cache Server V2.0)

Connection: keep-alive
4ba.............VKo.6.>....V....EK.... ....i.l.....IZb"..HYy.?f....
.V.T...P.....).. .z.`@.pf8..7C.>..s:.pq."........S.41..}.q..G.}1...
yn..r.*..LI.....r"....eY.e..y..o..........,]..s.....o.8U..~.v.S.W..0c.
pM V.5.....9....n.n3. Z..G.......F$W\...o{..............o..../.....O=\
Ia[.[.^i|~...."........D.... ..d..hD.u.."e..V.e6VK.g...LG]...8.".tw.Z.
."Rhil.....3...4^P....V_...$cH....."..o ..a.."L....9..M..b.)..L#....\.
)....).......$-...Z....*#.......T$K..I...Jc,...,......r..<.u..W...I
!..._.G...q.!....V.qLTT.o.L.x.:s..a..C..G...*$phN..........`....n._...
.<....%%&47..8X'#Y..(&....'.s.<y.l.Kb..Ke.e.SL(.Ja.'.......v..(.
..uJ....2..N....!(...a4...1......"..............u"e.....c.`.|.E.zrt...
T....`...w.?.=k......G.....~s{{{g....\o.6d|D...N..2.%anBh.....(d..C..u
I..S2R...!..vA.:.............mc...,..........2....A).........#<...$
...9.0F...l....X......|8...'m'.t...[G....C..s]K.g...X......3sK........
k..{......L..y.fQ.....a...wy..sDh@cA._....,....5.SfA.@^..e.......@ap.]
Ex.."!!Wx.N.".....~.-OF.!......?....b[.,...a...b...09....*.......8....
.d..5./[email protected]{.t......I....w....:..z...4..X..".p.9...ao.3 T..
.n*Sn/........./....;.k.....C.........-....J.C.i.4...P.i.K...,.R...wwU
../[email protected]......
<<< skipped >>>

GET /index.swf?20120720 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://go.snsfun.cc/?lq_aid=1398&uid=14516

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: go.snsfun.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 30 Jun 2014 17:18:40 GMT

Date: Sat, 31 May 2014 17:18:40 GMT

Server: nginx/1.0.12

Content-Type: application/x-shockwave-flash

Content-Length: 1020

Last-Modified: Fri, 20 Jul 2012 06:00:21 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 dls21:2 (Cdn Cache Server V2.0)

Connection: keep-alive
CWS.n...x.uT.o.E...^...Gk'.C1e....J.H=P.I MSK.....H..........G{I..ZAZ.
.%$8 .....P.^.\@=r@ 8q.AH9....7...U...yo~...v|.....U.}..N..Y.E;.......
{...n.........z..0X[......I...6...BS7..r......*.=..u...F......j.IC.z..
...u...a.3...Y.].h..sb..).....:.?........v....s....c.0..z ;..=|....k[.
... p..;?K..[...q%......kWZ.<.C.3.........Go~..i&[..).|Y..... .}sc.
._SW7...J*m\........g..'..$.=U.0!.P...2......c.^.}....UUF..... ..`. 9.
|.;...t...p....*6h...s..s.rt.7.....y.....$....o........b.Y.n.n..q.y.Vq
[email protected].%.E...V.5...Y=..j.bb.E..8iM..'`....6...o2GiI7
k./.....y8...WM,.s........4....x.K9j[.........A.g&gsKM~..\s......`8a..
P.............9&..........i...vw..O.$..-..I.rK.M:..M....M...E2dR.G....
M....7..)......R.....}...1z}1....G.W.../M.I..V..1z...a...~!.....D..V..
j..jO.k..tL`.~q....dG..!..C.....:.p.H.Lu.T.....Bd......Bk.........8*.{
/$...N..,W.,.`Q"VU".,.=..l...A.c..y4......U.....^\..]..}....."...`..:.
.P0%...&y".TJ(..y.:.8.y.....JD...>..MU:F.. ..T-.... B...Q."jQ.Z.v@Q
HV..L..E.......B.c..{igW...2.J..O.S........rt.HTTP/1.1 200 OK..Expires
: Mon, 30 Jun 2014 17:18:40 GMT..Date: Sat, 31 May 2014 17:18:40 GMT..
Server: nginx/1.0.12..Content-Type: application/x-shockwave-flash..Con
tent-Length: 1020..Last-Modified: Fri, 20 Jul 2012 06:00:21 GMT..Cache
-Control: max-age=2592000..Accept-Ranges: bytes..Age: 1..X-Via: 1.1 dl
s21:2 (Cdn Cache Server V2.0)..Connection: keep-alive..CWS.n...x.uT.o.
E...^...Gk'.C1e....J.H=P.I MSK.....H..........G{I..ZAZ..%$8 .....P.^.\
@=r@ 8q.AH9....7...U...yo~...v|.....U.}..N..Y.E;.......{...n......
<<< skipped >>>

GET /mhjh/42/images/path.txt?20101020 HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://go.snsfun.cc/index.swf?20120720

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: go.snsfun.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 31 May 2014 19:41:08 GMT

Server: nginx/1.0.12

Content-Type: text/plain

Content-Length: 18

Last-Modified: Wed, 23 Apr 2014 09:10:45 GMT

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx34:8106 (Cdn Cache Server V2.0), 1.1 dls21:2 (Cdn Cache Server V2.0)

Connection: keep-alive
urls=bg1,reg,ren01HTTP/1.1 200 OK..Date: Sat, 31 May 2014 19:41:08 GMT
..Server: nginx/1.0.12..Content-Type: text/plain..Content-Length: 18..
Last-Modified: Wed, 23 Apr 2014 09:10:45 GMT..Accept-Ranges: bytes..Ag
e: 1..X-Via: 1.1 zjjhdx34:8106 (Cdn Cache Server V2.0), 1.1 dls21:2 (C
dn Cache Server V2.0)..Connection: keep-alive..urls=bg1,reg,ren01t>....


GET /mhjh/42/images/bg1.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://go.snsfun.cc/index.swf?20120720

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: go.snsfun.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 30 Jun 2014 17:09:03 GMT

Date: Sat, 31 May 2014 17:09:03 GMT

Server: nginx/1.0.12

Content-Type: application/x-shockwave-flash

Content-Length: 116108

Last-Modified: Sat, 15 Mar 2014 05:41:04 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx35:88 (Cdn Cache Server V2.0), 1.1 dls21:2 (Cdn Cache Server V2.0)

Connection: keep-alive
CWS.....x.4.eT.M.....N....[[email protected]...[.Bqw....-ZBa......{NN..\....
.......@0. .[..,.._...w.E..w.....a@[email protected]..|.......?.)
[email protected].*..._- ../.A.. D...3.0..D....y..}[email protected].\DL..'...
o [email protected][email protected]...."y.Z.p.fM.......T"b......p....%.di...vO..|....
..Ju..nZ.....y..;.T.N...:.....q....5.w.......Em..:..x. ..#.../[email protected]
.J'I...y..}.\............/=s.f..D..5...0..R.]...W.ib.t@........>.f7
a...ge....t.VR..m.....G..BZ..\.. RL.]'..C%.5..A.Y.?&......h....1...#.X
[email protected]..>\.K......~B.....S...h l.t.;....p"V...3n).T....._....
WB..pn...C....,..7B.n<O\X....t..zU..y..KU../b[7._h..=..WS.....*..Ok
.....=...Z.....m ...d.....r.,.N.....H0.....Ce.q.)......w...N:......yJ.
\.T.O..7.q.2...$..Y...h>y.<..9...o._......V...V..xD.V.....Z.LA.)
3\=..3......|>QdT6.YO.\..`..vr.fn............._N7D....;./....d..?0.
.........;F.1..Y.,:?9<.Ms9.. ._..J....... ......$...;`...W......'|.
...l..?.....**CUg=D...q:.d....:..)z..(._.v.G.......c....o.........nG.g
4.....\.......\...j.....z..)#[............`S.-.B......D...T.` -k.z....
m.3"g%l..w..&vC.o$a.9l....Ua.Uzf.0{.Z..... I..R...CA|..yH.<$&....Y.
w....hW.y.e...g..D.%.M..\2..l..\N.>....U..._.7p....\9..Z.G........c
'..:...(..eU.(.*....qPr^."..s/.....=.....M.{\;..v.&#.q...^..T....W..$2
R.[.........&$...D......{......}>..l..........tP..lAbv.......T..I.u
...{....`.`........k..d.#p....|aE.......]. [email protected]?.&l
t;.C.^..X.>o .aE.\.k;l....$..i.:e?...tr.....b/...3(. ..mH..4.1.9...
...]..'0.<..PM.,2....[....*.1.....a..P...*.. V7...Fy.........L;
<<< skipped >>>

GET /mhjh/42/images/ren01.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://go.snsfun.cc/index.swf?20120720

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: go.snsfun.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 30 Jun 2014 17:09:03 GMT

Date: Sat, 31 May 2014 17:09:03 GMT

Server: nginx/1.0.12

Content-Type: application/x-shockwave-flash

Content-Length: 90259

Last-Modified: Wed, 23 Apr 2014 09:10:35 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx36:8107 (Cdn Cache Server V2.0), 1.1 dls21:2 (Cdn Cache Server V2.0)

Connection: keep-alive
CWS..4..x....<T..?~,Yc.-a*.H*I...I....$....4.![.O..2"$.T...]..d,cF.
.........|...<.........-/....}_.u_.u.....:.........E...8.\.........
.K.A..o.......i ..{'BE#.'...#(.4..\@8...B..E.1(!... ...kT2.}.B........
.~.../b.5.\H..Z..kNw\n....<..........r.G?f..,.O.S...N....p;RA.. .rh
....3R..r...-..T..P....z.D,D........[.6.....p..x.4~.........t.A...8.K.
0I.K.....R...;...n.._......*~....B.B.?B...MX....).....P'V....N..1....-
.3..E..#.3`.<.f.>._.\.%c...S.N*5.5......=y....[.....e.z7..`48..L
%...1.t......J....1..o.%h........G[...#$..O..w..#..4..s.........`...~S
......V}Q9$.b......D{...._..,..|..).~.4W.>i...T..J.Jk.e......O.....
.Lx.?..i.PL5.H.\h....{7*......xn...m.;Y..k..=..FV.L......6..y...7Q.K?.
.w.....8.u.:.....c.....IY..Ov...>..... ..E..<V.3a......<:.*.'
s.!..QwB.Y...z..}lB...v&..I....]6.o.I....]...CF).>vg..3......o{w.2*
.V.. .Zfg..I..M.e......J..).......Z.5..I..T.v.t,=.LHv.u*..g......`....
......}t...kT...NW...C.e....fu.x$Q, .p......g.......uX.....?w7......=o
|...././~{.&a.V.."..=...56.xf.....h}..cY.Y\....../..j...y..7_...|R..hn
....}.>R5.F....j...r5{$O.im.;..]2v.\........Z...{...:c...#...x.....
..,..E....2........ty.B.......Cb.':...j...<.ra..ptlj.N1.V@..'F....d
..S..IM)..f }D...o..&K....n.........D.2?p...........G.c.\bR^7j..T.M...
[email protected][email protected]"...S..p...%.....|y..|.....E.\...~....1o<
;........D.I.9.......O..a)[$....8.A...........`.....D..F6.../q....I...
..z...............3.B(.?.....EI.....2<.......|......|.....q.k6.....
..G..L...t........q)$..../..T.... .) sd...%......lo..M............
<<< skipped >>>

GET /server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: bl.qq.com

HTTP/1.1 200 OK

Server: P35_DK

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:21 GMT

Cache-Control: max-age=90

Expires: Sat, 31 May 2014 19:52:51 GMT

Last-Modified: Sat, 31 May 2014 19:50:53 GMT

Content-Type: text/html

Content-Length: 5920

Content-Encoding: gzip

X-Cache-Lookup: Hit From MemCache Gz
...........<k...u...?....Y.1|......-.r.HA...b83$gw8....wM..q..v...e
I..v..r"[.-[R.~H..A.A."h.h...;.;3w...........{.....]9v..k....:.....u.Z
..#..D}.._....8x...Qv....b..4.MK....W,..|t^.GJ.7..a[<'.....Z.4.....
.{h.......C..3...V"..1.3.....&.l){S..i..x........=.....~..>........
\..{........f.......[.u....... W.../o.z......r..>......K...?\..y#..
......|.U........E..[..'.  .d.c[5t....,....w.|.65t.}\....}......>.j
kJ......./>y.} ....l%......:;......te...m%.n.X.. .|V4.Bs y..@t,..~.
/7n_.&i.nk*.2..../.^....O.Va..7o.v.ZQ(..B%[.`..{W>}..w.^.6..q3.....
r..9....l...poq...y....k.(`<CS....T.!j....$..K]@....y...3.r.......'
J[....rsbj).$...wV..<...8P.|O.6..Z.T.... .4..........DU.I.".M..a..6
Dl.~..u.lMU..6..0.m.EYV.AS.*.1xk.Ds..0..l0H..D...Z...^2.Q..b.).m...:.g
..ZcM.k.bOSZ..7y.E1.Ag..g...*P......./- .4..r0D...F3@*...Q.Y......,=` 
.vV....$...q.t..tÃ...k..z.4k.N..]......F..2......=..4C.jQrmQXX.9. .z
(.....f.vSS.6.tw..W.......Y......c.R1>6...Lq...#`.V=.V|.......Z.^..
.3.~....q.!...."......Vw......{....n.....~Y.".,D...j..=9s....R..iV1=.&
lt;}.t..~.....f........i...T4...4..j.5A[~Ch..J..\..5.....B..p.T.......
....\.~.F`..NT.tM.pD...P^@[email protected]@.........*.
.......F.>......1#I......K.[(..6..dt7=....7G.p.D...8.U......eh.[iq.
.U]...e...2.A0D...s$.`_@...'-...IyC.i:.G-j..xH.J63.dIR..........Tf..G.
.j,..p.PI`..P1. }].......=...'8.DA.....3...H.<.?U[k..2...........Z.
. .6H...r820..j)..}~j.B.....b..Aj .U..........#.1....MG.ZT....T%.~.k.`
R?]:u*.6x....z .......a?Y..J%o.k.......M.q....vK..S......"...<g
<<< skipped >>>

GET /web201305/jscss/c_com.css HTTP/1.1

Accept: */*

Referer: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bl.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: P35_DK

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:22 GMT

Cache-Control: max-age=0

Last-Modified: Fri, 23 May 2014 09:56:16 GMT

Content-Type: text/css

Content-Length: 958

Content-Encoding: gzip

X-Cache-Lookup: Hit From MemCache Gz
...........U...6../..@. @v......$Y$.|@N.).....%......6)..L. ...Y,V...m
"...sGp.3...&r..i...NU9.v:.cB..........yPt..X[...........<....z)...
R(......e...d.?8....UT..C..).2.jz..b.R.W/..y ZZ....?f..?-..b0gu.s.....
..U... ..C.&E..].....r[K..U.K.c.u...P...lW{_.x...l.k.|.}X..0.R..iMj...
?!I;.5....Z. [email protected]..^.O.A..79..).
K.9u..;1x.>l...:......duc.{.......cN.([email protected].
........F.=.!A.."@.7A.W.....^.Sr.:AV.....`...[....m .1^..?...D1.~g....
.lwl....l..r...f..w........Ma.....N..(.{M..}./..5....C.E-....x...I..F]
......1A0(.....R;.V.j.sxu..k../.Ay.k.O.]<....42[.:L.....:..kD.....!
.l4Di,.|....;V.e67....W4gc.`...F....(:..gqn. .ah.=....!2.!|..o......9.
..v....4..??'........X_5...G..o.X..Wi..2>..G..p. ......Ow...k......
h...4.l....*........L...p.%3........&D....l.C.D..'.`...;.E8.....i#...'
.v.......[i..?....-...,q.y3...(.._l..... 1~y.).E...j.Z.u7...rlC(.=.*..
.2KWW...xc...z..B..... .......4...."\.$MhYVQF.0.....>#..\.....

GET /PClick.aspx?AID=15235&KEY=6FBCE2FEBE3F1F4B34035BDB1B9868C2CC3F7B0F77DABDE2 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: pt.rbc.cn

HTTP/1.1 302 Found

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Expires: -1

Location: hXXp://VVV.gm2468.com/68503.html?sid=10352

Server: Microsoft-IIS/7.5

X-AspNet-Version: 2.0.50727

Set-Cookie: Union001ADShow=2165; expires=Sat, 31-May-2014 22:50:48 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:48 GMT

Content-Length: 159
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://VVV.g
m2468.com/68503.html?sid=10352">here</a>.</h2>..</bo
dy></html>....

GET /images/bl/web201305/c_wrap.jpg HTTP/1.1

Accept: */*

Referer: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ossweb-img.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: P34_HY_NWS

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:25 GMT

Cache-Control: max-age=604800

Expires: Sat, 07 Jun 2014 19:51:25 GMT

Last-Modified: Wed, 05 Jun 2013 10:53:31 GMT

Content-Type: image/jpeg

Content-Length: 102803

Access-Control-Allow-Origin:  * 

X-Cache-Lookup: Hit From DiskCache
......JFIF.....H.H.....C..............................................
.........          ...C................                               
                  ....................................................
U....................!....1Aaq....Q......".....#2RB$3b...4Cr..%.Tcdst.
.....'7DS.....................................=.......................
..!1A.."23Qaq...#..b...$BR..4C.Sr...............?...|..o..I>.Y.'.k6
..-f..........|..`O..l..Z..>.Y.'.k6..-f.........'.k6..-f..........|
..`O..l.............|..`O..l..Z..>.Y.'.k6..-f...........I.a>.|.|
o6 E=..p....`E$.1$S....L..q.=..B|..`O..l.....|.$..d...|.$...N.A..T..J.
.^. 3..W...........N..i$...V..K.BJ.*.OF..x\O.~.......6R$....e..1....y_
H....\..~.....~.... .L..._;....e.~..&y....?\..........................
......................................................................
...............................K....O.,'..<.............O..i.Z....O
..l..Z..>.Y.'.k6..-f..........|..`O..l..Z..>.Y.'.k6..-f.........
.|....-f....."|O.L.)...'...N..P......?..O...'.|.|..`O..l..Z....O...-f.
.........|..`O..l...Y..t-f.I....r....#.I.Z..;2..>"....|..{O...t-f.$
S..TIOb..3...'.k6..)...Z..>.Y.'.k6..-f..........|..`O..l.....Oi....
..=...I..=...{O.$.S......I..=...{O.O...Oi......=..'.O.$...I.>...|.'
...Oi......:O..t-f.):....N.I'@$...I..........$.S..$....I..Sfg....e..zU
JI?dIj.).{V!3...YV~'.a.=....'.%$...N..I..$......1...VBk~.Jl.g..x.Qt3.f
n...mE...'..........>....p.....V#qg..0......bt.:m....rOJ.:8q..Y....
<~........_.E.....?8...........................................
<<< skipped >>>

GET /images/bl/web201305/c_l_rep.jpg HTTP/1.1

Accept: */*

Referer: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ossweb-img.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: P34_HY_NWS

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:26 GMT

Cache-Control: max-age=604800

Expires: Sat, 07 Jun 2014 19:51:26 GMT

Last-Modified: Wed, 05 Jun 2013 10:53:31 GMT

Content-Type: image/jpeg

Content-Length: 973

Access-Control-Allow-Origin:  * 

X-Cache-Lookup: Hit From DiskCache
......JFIF.....H.H.....C..............................................
......................C...............................................
..........................0......................................."...
...........................!%..............................%..........
.................!.1"2$A.............?..C..u....5.\.o..#j[;..Oq.r1."..
.-..=...z....K....>..w..c]).-n.....f..o.:...".i...Jk....r.4..[D....
[.'v..... Nk11....z.Dqj^.K...^&..10..$................................
.....................>.....s.E....7..KR.._ms.5.......#..*m.ls.mi...
...f.)5....3..1.......7.b..H.#(.......iZZ..f#..T..?"..K^bg.b..X..6....
s..-j..h...Lr...mZ}q.s0..&g...3.:O...i.u....7.}v.[k..o.Ge....G.w<..
..;.[..x...s.'.kD..i.......~I...?.{...:i...........8.^9...............
.......................................:i_C..g...m"'..1k...3...[V.... 
nD|..D. .........Mc.m.....V"r..6.w.kJ.4.kX.......<O..4.:.j?..|..q..
.O..|Dc..bi.31X..}WI...ZZ..../*  |xGv00|d4e8071bb3e8cdd6af1f854ae18916
b8 */....


GET /images/bl/web201305/c_main.jpg HTTP/1.1

Accept: */*

Referer: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ossweb-img.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: P34_HY_NWS

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:26 GMT

Cache-Control: max-age=604800

Expires: Sat, 07 Jun 2014 19:51:26 GMT

Last-Modified: Wed, 05 Jun 2013 10:53:31 GMT

Content-Type: image/jpeg

Content-Length: 16309

Access-Control-Allow-Origin:  * 

X-Cache-Lookup: Hit From DiskCache
......JFIF.....H.H.....C..............................................
.........          ...C................                               
                  ....................................................
I...........................!1.AR.."Qaq..#2..3B.....bs..$&6CSr.L...5
.................................3........................!12"A..3Qqa.
.....B...#Rb.............?.... ......."...O*f..f..........t...G.....l.
.V;.f.^...1.E=...n.\m...k.UV.[....yS\..?....<&....].m*q[....w......
..9.|.....k....K.m}..V..W~..........7f..:>..7.;........^..2.8......
.. ..ye.J.S.YG.....S..o.fh.O2).;G.g....W....b...}.t..........[....2.q9
..h..#,....nL.Y.,...>.Y..j....f../..9...Tm..S.E..n......1.}.?.}....
...L ..M..LGW6.8.x....$..).v.`Q.0.FY.N.....l.....n....Q1].wf...f3.>
3....i..;.......B...&x.{.....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..
2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.
(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,.
.W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%
^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x
....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..
2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.
(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x....%^).,.
.W.|.(.U..2.8.x....%^).,..W.|.(.U..2.8.x........d..L....hQ...Vj.S...a.
...........wEQT.|c&N.}K7vr.......9G...2..f..-Q........*..0....E....v..
.jumJ........v.{.Q.....oG.ra.............Q5NV.....<N6.^.6..fo.4
<<< skipped >>>

GET /images/bl/web201305/c_spr.png HTTP/1.1

Accept: */*

Referer: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ossweb-img.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: P34_HY_NWS

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:26 GMT

Cache-Control: max-age=604800

Expires: Sat, 07 Jun 2014 19:51:26 GMT

Last-Modified: Wed, 05 Jun 2013 10:53:31 GMT

Content-Type: image/png

Content-Length: 28899

Access-Control-Allow-Origin:  * 

X-Cache-Lookup: Hit From DiskCache
.PNG........IHDR...8...7.............tEXtSoftware.Adobe ImageReadyq.e&
lt;...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap
/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
 xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xm
p.did:F210CB1B82C6E211A401AA471D610C6A" xmpMM:DocumentID="xmp.did:6D12
AA7DC85411E28FDFF9F6A4F35820" xmpMM:InstanceID="xmp.iid:6D12AA7CC85411
E28FDFF9F6A4F35820" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)">
; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1498CF9052C8E2118167
DFC079A75DF9" stRef:documentID="xmp.did:F210CB1B82C6E211A401AA471D610C
6A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> 
<?xpacket end="r"?>j.......PLTE..x.Y...D.....k.Q..H...m.....w.[!
.q)..:..Gyk@....[ .vJqc:..V....W......ggZ4.S........d(.i,..X.nO....m/.
.M.] ....a$.i%..I.Y..y5.....m.l/.U...y....U...S.p2.u4.J..e%...........
p.q/..........e'........q........4.m,....~f..........v*.i)._!..h....f(
.~r....o0.t0.Y..l(WQH..Q.......|N.v,._".m-......toc.p .y:.f(:4 .h).b#M
D:.MM..=.{B.i!.d%.~6..H.....u.a$.];.....Tp.1.l*....X"..b.......I..=..h
0.....ag^P.b$.....|.d&.t*.z/.....2._".j ....^!.e!.a..,...C.q*..Md...d'
.r3.@=.....:.i .r2.I0.t4.V..q,..........O5....U.Lph.u..r3....^ ...
<<< skipped >>>

GET /images/bl/server/spr.png HTTP/1.1

Accept: */*

Referer: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ossweb-img.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: P34_HY_NWS

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:27 GMT

Cache-Control: max-age=604800

Expires: Sat, 07 Jun 2014 19:51:27 GMT

Last-Modified: Thu, 05 Sep 2013 02:12:19 GMT

Content-Type: image/png

Content-Length: 11114

Access-Control-Allow-Origin:  * 

X-Cache-Lookup: Hit From DiskCache
.PNG........IHDR.......@......$uo....tEXtSoftware.Adobe ImageReadyq.e&
lt;....iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com
/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:
stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http
://ns.adobe.com/xap/1.0/" xmpRights:Marked="False" xmpMM:OriginalDocum
entID="uuid:619B3580B6B0DF11B7F4BF3FDBAE0E5F" xmpMM:DocumentID="xmp.di
d:54A633CB0ED011E3B9869D252A2F0013" xmpMM:InstanceID="xmp.iid:54A633CA
0ED011E3B9869D252A2F0013" xmp:CreatorTool="Adobe Photoshop CC (Windows
)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3E0CFBF80ECF11E
3A2B0E201F634F387" stRef:documentID="xmp.did:3E0CFBF90ECF11E3A2B0E201F
634F387"/> </rdf:Description> </rdf:RDF> </x:xmpmeta
> <?xpacket end="r"?>C.......PLTEyj>..............v.......
....\.....Y..T............veB................xM.....L......n`8cV/~pD~q
I....rE...eX2.......vI..VylB..btf=j\5vh>.yJ.uF....tI..V....~R.zN...
..S..M....}N.|QcV2...rd:zmEpb:....uL..Fvi@rd<...........R......yk@.
....n.rJ.qB..i...l^6|oE.....W..Z........W....|N.....q}nB....xF.oA.sF..
......^.}J......te;..h..dg[4.....K.....T.....S.vM...|l?.._......xkC...
..h..a.vDoa7..\|oH.sB~oC...k^7....{O..|.o?.tC`S/..O...fY3|mA..S..V
<<< skipped >>>

GET /images/bl/web201305/f_logo.png HTTP/1.1

Accept: */*

Referer: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ossweb-img.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: P34_HY_NWS

Connection: keep-alive

Date: Sat, 31 May 2014 19:51:27 GMT

Cache-Control: max-age=604800

Expires: Sat, 07 Jun 2014 19:51:27 GMT

Last-Modified: Mon, 19 May 2014 09:20:17 GMT

Content-Type: image/png

Content-Length: 4507

Access-Control-Allow-Origin:  * 

X-Cache-Lookup: Hit From DiskCache
.PNG........IHDR...)...M......UbH....tEXtSoftware.Adobe ImageReadyq.e&
lt;....PLTE..................p`L.ten^I...WL\...~qa...........|........
.........y..........\1sX5...............kYD............1t..~qufT...'$(
.yk...0'..............l.eR:...fT=.....{..............v...cq=.i%.n"....
../ [email protected]\G.....
.Feh....|n......ylZ....vgsdQ...........t...yjY......dQ9{n]............
...}o_.xi...........................F9'$..<1"......fS<..........
.....lgo....z.`ZdvuwhV?MEQ...m\u.v....dbd...P? ;8=......rcPui{SD......
.B<E......UG1...{m.VTW......ra|[M8.........bP7.}oeXE...`Mh.........
...k[F.........CJI............WI2......cUA\WF.........................
..........................|p`...`R>............l`M.................
...................j]J...............dW:.........nbP...^P;......a.B...
vkY........"...ZlJdQ9<.......tRNS..................................
......................................................................
......................................................................
......................................................................
............S..%[email protected]`L..4.j..HC. C.....F...QH
..1I.w..U.T....8u....-...L....q..rz.}I.....l.}...{...=./...9.O.0.....?
\R.....R.p*.WU..V.;.S.4...[..u.qZ.%6...fV.;.Sa.k..0.x.v'..Xw..`..h.k'i
....u.p.Y.K....^.....Nle1m.Xw.'.J....:d.5{.#.y[.b...8.o.Gq:..Cg...')V.
..ha..'5....d.DXUuS....gH! ..L.:...bB...v'.*N....m.)d........])N.x.!%.
Xm.w...:.w{....w}'.'.n....'..w.V%..j:|.1.."u.O...w.j.....6...N....
<<< skipped >>>

GET /app.gif?&cna=niARDPK2920CAbhrJiZfzYxx HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pcookie.cnzz.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx

HTTP/1.1 200 OK

Server: Tengine

Date: Sat, 31 May 2014 19:50:59 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=niARDPK2920CAbhrJiZfzYxx; expires=Tue, 28-May-24 19:50:59 GMT; path=/; domain=.cnzz.com

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;....


GET /app.gif?&cna=niARDPK2920CAbhrJiZfzYxx HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pcookie.cnzz.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx

HTTP/1.1 200 OK

Server: Tengine

Date: Sat, 31 May 2014 19:50:59 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=niARDPK2920CAbhrJiZfzYxx; expires=Tue, 28-May-24 19:50:59 GMT; path=/; domain=.cnzz.com

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;..

GET /tpl/hw_xemw522/rw.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://VVV.gm3579.com/tpl/hw_xemw522/main.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.gm3579.com

Connection: Keep-Alive

Cookie: CNZZDATA1360447=cnzz_eid=1973986219-1401565865-http%3A%2F%2FVVV.gm2468.com%2F&ntime=1401565865&cnzz_a=0&sin=http%3A%2F%2FVVV.gm2468.com%2F68503.html%3Fsid%3D10352<ime=1401548276923

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 31 May 2014 19:51:06 GMT

Content-Type: application/x-shockwave-flash

Content-Length: 181557

Connection: keep-alive

Last-Modified: Thu, 22 May 2014 11:54:50 GMT

Expires: Sat, 07 Jun 2014 18:33:45 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

Age: 4641

Via: http/1.1 4399_cluster (CDN CACHE V1.0)
CWS..R..x...eX.[..]4....B..i...-4.,Hc..C..........!.C .....9s...33.;..
~z....]{.....wm.U...o..p.~.s8@....._.LD..p45.S.."u........._;9..13....
]..v........,l.llL..L0w['c7&[.....o..f0.GK{'K;[._...........u...]...66
.{e.6..2...3..Y...<...;..;.9j......."..1..&Uq.37.....mH...H.H_9[...
r...0......$.v!6.V.&.N&66.Vn>..>6n...>........\....M.........
.......d............KR...D........](...k......l..p.7cV3..9;..=.S.^;..|
..0'c[.3Y.......)..'77.(..(.$.$;  ....$/..8/......o7.g.?.$.L..f.N..../
.....5eGK.....oT.E.x.%.Yx9..*.&.!.-..**%%.#..........9Z...J9.A...{cG..
.H....._a.-.|...&6q)Q1IIvQ..tc.............jv.....%H.^1....u.65.{..wv.
...25a6.1.u6.C e...05.3.s..;.....X....dvc...3.v5v1c2..{.0....^......) 
.JNN..C{. .......JRV..FV.-.....Y....v.....sJ>\..........`..~'.3B.,1
t.........6....d."..;.)i.r... $.p.U....X....?....rR.R.....=../...6..s.
..*..f...Op...0s.q2.P=%..bacc.{....h.h.9.~..p1s............~.GDMF..LFB
H.....K......9.5.??./sA.N..f6>._..\l\..........f8Rx8r......w...?\$.
...........P............... zp.'c..EP5&w...>F.a....^G.8..x...[3..I.
p..p...P....@p ..$........DU...Dq.b.'..Op.....4.........a~..@X......$.
.J..<....c....U...F;.....).;eA.j..t"b..@'.. .N....|Ll..tv...w.C..H(
..*.......|..9%.m.X.o.U...}.$......&....G..J....T..............S621.;.
=..e..uM.p.5..6.!....:.)J....2Y)n.Q..T.).OY.......nK.(..#.....):/9<
..iG8.N.j9.<..X....\......#......Yon~..[......-,......2.Cg....y....
4O. I...)R.....T......X..i.v...T:SJ...r;..2.....$......Su.........(.'L
..4{......i.e#?D.N%.EB..T.[...o...Z....Q'g....o?.^x\.$..[.*t.....%
<<< skipped >>>

GET /tpl/hw_xemw522/tc.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://VVV.gm3579.com/tpl/hw_xemw522/main.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.gm3579.com

Connection: Keep-Alive

Cookie: CNZZDATA1360447=cnzz_eid=1973986219-1401565865-http%3A%2F%2FVVV.gm2468.com%2F&ntime=1401565865&cnzz_a=0&sin=http%3A%2F%2FVVV.gm2468.com%2F68503.html%3Fsid%3D10352<ime=1401548276923

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 31 May 2014 19:51:08 GMT

Content-Type: application/x-shockwave-flash

Content-Length: 23121

Connection: keep-alive

Last-Modified: Thu, 22 May 2014 11:54:50 GMT

Expires: Sat, 07 Jun 2014 05:59:36 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

Age: 49892

Via: http/1.1 4399_cluster (CDN CACHE V1.0)
CWS.9...x....TS..>...J...4C..{'TQz...7i"ECGAEE....t...4A@[email protected]
,.vP...{.{...{o...g...^e.o.9....... |.....3.h....N.. .P.ruW4........ B
g*\.!!..bb....=.%...!&... &.)&))....>.........................!.;9.
...pq.......X.`Q'[email protected]@.y@...:a.F..)..c........w
..h..bD0..^...iy.e.....,7-..*).!%".'".c.).(..(%-$..(.....#.O5p.qru.q.9
Y..)")i.!.(!.(#...?..1=......4....e.....f[W..L....../W.17_7?7..`...{.u
uQt...s.Qu....rq".......p.9...&.N0......]H.....c........b......6?..&f.
...........0......C..]..i.B..^^.....R..Zr.....R......Zr:...::....{....
....\B.v.!... ...?...yyxA!.'R.5%..u..e..e.%!...Mi-.MM.YM.I..R.D.oX....
.\u..........F....OS...g_E.?1........S........SZ...3....o...N...b?..*.
h.333..p(A..,PC.B..X..S...).....1...Op....Wh.1.y......lW(.p......[..0.
........L...B.a ..."..v.....F....G..Hz....J....h'e.z.h.)........z..a..
H%f.A]....}0.Nn..B..:mZ._.y.......|m...B{.~.......".}.=.=K...Z..b.A>
;......O.I!..o..F..I......H:P#U.f..Sw.1.'....M...J."Y_=.|.7....bvww ..
.1."..F.3..kZjW....]2.. !$.D.$.22.Zy...Pk.-...... .#.h.u..8/......F...
=........H...4.}E..s..].....}.z.[.&.J.....?t...I.]g;.Av%......)t....;.
..v......>Z^Ts..[...O5.....V-..(~~4.z......."5..9.rz.t7...O\.m.v. d
Ee,.x.K.N........i...*m..da6a.g..v.8.sr/.O.b,k..:..._V........W..$.W..
^..'?7......e2B.b9..U.kI[......l........BR.....k.?...t.i.mz...........
5..G..ZV..;.....V.....G.4... .......f.|j1.x(S.V).U.l{..iG.......i.W.z%
.d..PLx..U.X....x....C. .....W1..$.),..{.y.3...2....}u1...Q(.b #K=....
[..F.....R)..:..]..&.)Y..].)..;..2#..VBn8n...}M............$.../..
<<< skipped >>>

GET /tpl/hw_xemw522/mu.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://VVV.gm3579.com/tpl/hw_xemw522/main.swf

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.gm3579.com

Connection: Keep-Alive

Cookie: CNZZDATA1360447=cnzz_eid=1973986219-1401565865-http%3A%2F%2FVVV.gm2468.com%2F&ntime=1401565865&cnzz_a=0&sin=http%3A%2F%2FVVV.gm2468.com%2F68503.html%3Fsid%3D10352<ime=1401548276923

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 31 May 2014 19:51:10 GMT

Content-Type: application/x-shockwave-flash

Content-Length: 60967

Connection: keep-alive

Last-Modified: Thu, 22 May 2014 11:54:49 GMT

Expires: Sat, 07 Jun 2014 09:23:34 GMT

Cache-Control: max-age=604800

Accept-Ranges: bytes

Age: 37656

Via: http/1.1 4399_cluster (CDN CACHE V1.0)
CWS.k...x.$.eTT].......)....n$..A.^.@..[.;......K.c.~.7.X.Y.....>{.
....Z.....Q..dp@./iX..d..........`@.... ?D`......./o...$..A.s......<
;h.....0..B...p..$./..?..J.....;p0..f..a....Tb.Ixb....F...`S..L.....C.
.....~q.^.........Z..z.8P.@.=#..r.el..m.qt.x.o.6..q._.......)..8.J6@..
g....6... ....K..EMJ...F`..:.d.2.qZ8X..a..A...........kd*..T.a.l.2dw@.
..=....wS.8..`;...0>.......%e.e....<..F$.<.$...........L.$...
.I'...N.,.j.j.J.OM..'p._z?b.GY...H.{...s..y..M."..ow.o)W.._K... ..'...
.._;...&.R.....;. .Dg...*$.ci.vd.....C./).j<@.J.e...{...P]K..o.....
_e.....C.lP.Wx{.=.GZU)........zv.2...8.&............i.....S...:..t..t.
./..|[..6&.x.eT..... .....u.8..1".x...Z...q.."\~.a....Px<.h..,...|.
e#.^*....0.|.!.:3.....e..Md. Q.;...o.^...;~<(...\@eC.(..r....=.rx)S
.{.._}?Y|.:\5QW.=..T.K)...q.5...!..I...>W..J,&P...\..=..dP!w_p.....
OEt...G.....T?.!.r.Su..bp..H..3...2...y."....T...^....v.I.#..... K..m.
[Vf.j.(<.}..}m"[email protected]"....Q.K.....$J$.2B.{..-.... .&...
#&.....w.En..\D..o.....0F.(uL...7.s...9...C(..........._..L3J...{..d..
g..h...#A.e./g..$.....4.w...%..4t..>.O?.H.TJ.:.."Vs.G2-..\>d..i.
1h....vW......|.2K..................4.......#A.............o......3...
..#E.b.../frj.\.... ...M...6H.#l^.....a.........#.........=r!.t..V....
...G(H.......\.&O...7.....7.T.'....]............T..U..<..U.k.^@;..,
.n(.."]<NNP...#.!........a:.:....Anyq..a=....MK.....32...(..i ...e.
kq....8..T.Q2[6/...Z....`.4.r~....4Z.l.;1\uo.....j.....*...wt.$._x....
.| [email protected]...(.....Qa...<<.(hhC.D.fSw...k}..M.
<<< skipped >>>

GET /imges/live2013/logo.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr0.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.3

Content-Length: 4111

Cache-Control: max-age=31104000

Date: Fri, 23 May 2014 18:04:24 GMT

Content-Type: image/jpeg

Expires: Mon, 18 May 2015 18:04:24 GMT

Last-Modified: Mon, 02 Sep 2013 08:45:57 GMT

ETag: "235671128"

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697598

Powered-By-ChinaCache: HIT from 06010923Sf
......Exif..II*.................Ducky.......O..... hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmp
MM:InstanceID="xmp.iid:22A6BBA813A911E38CBF872E69BADB11" xmpMM:Documen
tID="xmp.did:22A6BBA913A911E38CBF872E69BADB11"> <xmpMM:DerivedFr
om stRef:instanceID="xmp.iid:22A6BBA613A911E38CBF872E69BADB11" stRef:d
ocumentID="xmp.did:22A6BBA713A911E38CBF872E69BADB11"/> </rdf:Des
cription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?
>....Adobe.d.......................................................
......................................................................
......................d...............................................
.............................................!1..AQ...a"2..q...BRb#35.
..r.$4e..S.t...U.('........................1A.!Qa."...q.....2BRbr.....
...S.T.............?.......Q .Rvl....L......P.........R..O..G.z.1....?
L..g..-....).K.].K..2%....t..g.c...3..q.2[JCM..\......I.==..s..v..^.&l
t;....WT..-c~7.....i9z..K..!nFk.0..mf*)O@[email protected]...
.'z..q.R"..=u.6.....0....F.jEv..l.{.V....*<...DC...O`. ......%J
<<< skipped >>>

GET /imges/live2013/idx_share_mood_v1.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr0.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.3

Date: Fri, 23 May 2014 18:04:34 GMT

Content-Type: image/jpeg

Content-Length: 9123

Expires: Mon, 18 May 2015 18:04:34 GMT

Cache-Control: max-age=31104000

ETag: "451315935"

Last-Modified: Thu, 12 Sep 2013 08:58:03 GMT

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697589

Powered-By-ChinaCache: HIT from 06010923Sf
......JFIF.....d.d......Ducky.......P......Adobe.d....................
......................................................................
.........................................................J............
......................................................................
..........!..1".AQa#.q2B.R3........................!..1AQ.aq"...2...B.
...#..b...Rr...3s.T............?...... ...5...m..t...x.....2Fd.)......
.O.N.....0NBr.I...O!.19a....]..v..u.....u.....U.. ..O..^.H...]..Y.)(..
c Z`...<.>........O.|~g..\q.rT.2.x)<[email protected].....
..D..D'... #$C.....9....%.....s...[....!.".?I*f8.G...<.a...VQ..]1..
......u..J%..U........R.....Qe.R.*.. .9.8...K2.U<[&...n.&....0..u1.
..l.c....R5.........b.6..R..B4.yz.....:.81.0&5.|!..aKhl_a.L.SO)0..8..r
.$......t..X.Qa.....)1....z......s..6....)._z3.4HB/Gp.y.T.. 1!$...>
z.R8..P....H.>..). .:.8.....[.i......n..,y.l:..7.R..=...AU..(.E.E.~
.i...._.....)..2.3*.........#.D`.i1.Gf\G...H....Hm......TTT...D....em[
.pC....=..H.g#k.......k,.R..2.~{$.8. }.*.{..:...7RG.?...d.g^.s{,H...m?
.s..;s.......]D.fti.,F4..O..0.....-..Qk...$.?..*}..........N6......j{R
.*."....B.f.......} ....'...0.by.2...#jH..|T.)..UO...A..lP.T.`.....1..
n..a._.jZ..=w....lY....Dn.3....p.u.p8..x*.."...n..a.p.?._.....n.gps..e
U.63...*.Kf5B......dI.2..\.E.../C...c....n<...-........T.W."'^.q.R.
.$.#.{.Y.}c. ..*.wL....,...1....g~...pH*..ITR.6..9..Q.........u..kj..h
z.....}.Y.X4....0pD.$04B...*/tTT..$ ....7-..J....G..xbSU.....F...j..."
"..*.......WQKZ.>'..>xi..=...n...N.HE...'.P3f!T.F4.....ZG...
<<< skipped >>>

GET /imges/live2013/idx_bgrepeat_v2.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr0.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.3

Content-Length: 1004

Cache-Control: max-age=31104000

Date: Fri, 23 May 2014 18:04:02 GMT

Content-Type: image/png

Expires: Mon, 18 May 2015 18:04:02 GMT

Last-Modified: Thu, 05 Sep 2013 10:45:40 GMT

ETag: "416038717"

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697621

Powered-By-ChinaCache: HIT from 06010923Sf
.PNG........IHDR.............].%.....tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS5.1 Windows" xmpMM:InstanceID="xmp.iid:FF7DFB74161411E39E44FAF0
F70EA2C5" xmpMM:DocumentID="xmp.did:FF7DFB75161411E39E44FAF0F70EA2C5"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FF7DFB72161411E39E
44FAF0F70EA2C5" stRef:documentID="xmp.did:FF7DFB73161411E39E44FAF0F70E
A2C5"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>........PLTE................0.=...EIDATx...
... ....d..Y..E.&......e.m%._...:...t.A......A.]....@.]...#..a.tqLD...
...IEND.B`...

GET /stat.htm?id=1000386919&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=448490370-1401565855-&showp=1024x768&st=0&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=1716897286 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z6.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine/1.4.1

Date: Sat, 31 May 2014 19:50:57 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Tue, 28 May 2013 02:57:17 GMT

Connection: close

Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..

GET /AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F4733086192982B566766DC900B92C93FD57EF1C125A375B2E1110AF3F&Url=&referer=http://VVV.cfmogu.com/ HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z.myzwqwe12.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1805; expires=Sat, 31-May-2014 22:50:41 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:41 GMT

Content-Length: 372
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"~..q3..U.........]{....L>...
7N~..|...E.L/..'.y}..........".Z.?w~.o..x..:..f]..giYM3.7n............
U.*.8}....{..........~...'.G.m}...O>.......;w..nq.e.~...e....hG.2_^
...q.k..S...^..}d`...._......a..'..o.........H?j ..# U..[..w..z..^..Yu
5.#[email protected].......


GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770ADAEE0E95B9ECFF0DD9277764F29D77&referer=http://VVV.cfmogu.com/&utz=1401548261861 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1805|859

HTTP/1.1 302 Found

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Expires: -1

Location: hXXp://pt.rbc.cn/PClick.aspx?AID=15235&KEY=6FBCE2FEBE3F1F4B34035BDB1B9868C2CC3F7B0F77DABDE2

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1805|859|505; expires=Sat, 31-May-2014 22:50:45 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:45 GMT

Content-Length: 212
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://pt.rb
c.cn/PClick.aspx?AID=15235&KEY=6FBCE2FEBE3F1F4B34035BDB1B9868C2CC3
F7B0F77DABDE2">here</a>.</h2>..</body></html&g
t;......


GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580774F589AF7166A99E38777B38C181F4178&referer=http://VVV.cfmogu.com/&utz=1401548269173 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1805|859|505|1899

HTTP/1.1 302 Found

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Expires: -1

Location: hXXp://VVV.wgrdr.com/

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1805|859|505|1899|1955; expires=Sat, 31-May-2014 22:50:49 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:48 GMT

Content-Length: 138
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://VVV.w
grdr.com/">here</a>.</h2>..</body></html>..
..

GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA315807783AEEE769939383F6E9FBAB7CBC49906&referer=http://VVV.cfmogu.com/&utz=1401548258923 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z.myzwqwe12.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Expires: -1

Location: hXXp://VVV.wgrdr.com/

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=859; expires=Sat, 31-May-2014 22:50:41 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:41 GMT

Content-Length: 138
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://VVV.w
grdr.com/">here</a>.</h2>..</body></html>..
....


GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770522CB88AFFA3F95A453F57488EF6209&referer=http://VVV.cfmogu.com/&utz=1401548261783 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1805

HTTP/1.1 302 Found

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Expires: -1

Location: hXXp://VVV.wgrdr.com/

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1805|859; expires=Sat, 31-May-2014 22:50:44 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:44 GMT

Content-Length: 138
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://VVV.w
grdr.com/">here</a>.</h2>..</body></html>..
....


GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA31580770522CB88AFFA3F95A453F57488EF6209&referer=http://VVV.cfmogu.com/&utz=1401548260001 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1805|859|505

HTTP/1.1 302 Found

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Expires: -1

Location: hXXp://go.snsfun.cc/?lq_aid=1398&uid=14516

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1805|859|505|1899; expires=Sat, 31-May-2014 22:50:47 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:46 GMT

Content-Length: 163
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://go.sn
sfun.cc/?lq_aid=1398&uid=14516">here</a>.</h2>..<
;/body></html>......


GET /AP5Min.aspx?AID=9842&Auth=1D705CD055EE5F1D8134080DA315807783AEEE769939383F6E9FBAB7CBC49906&referer=http://VVV.cfmogu.com/&utz=1401548258923 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1805|859|505|1899

HTTP/1.1 302 Found

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Expires: -1

Location: hXXp://bl.qq.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1805|859|505|1899|2033; expires=Sat, 31-May-2014 22:51:12 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:51:11 GMT

Content-Length: 199
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://bl.qq
.com/server/server.shtml?ADTAG=media.buy.tuigaounion.tuigaounion.14516
">here</a>.</h2>..</body></html>....

GET /live.6.cn/e6u2/r.php?location=VVV.6.cn/?src=tuiga834#r4&referer=VVV.cfmogu.com/&browser=mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 2.0.50727; .net clr 3.0.04506.648; .net clr 3.5.21022; .net4.0c)&flash=10.0&msr=1024,768&uid=0&pro=4&stamp=1401548276939 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: shrek.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: DNION-2.1

Date: Sat, 31 May 2014 19:51:06 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sat, 31 May 2014 18:51:06 GMT

Last-Modified: Sat, 31 May 2014 19:51:06 GMT

Cache-Control: max-age=0

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Set-Cookie: __uu=B2140156586672591; expires=Tue, 28-May-2024 19:51:06 GMT; path=/; domain=shrek.6.cn

Set-Cookie: __ut=140156586608103; path=/; domain=shrek.6.cn

Set-Cookie: eid=deleted; expires=Fri, 31-May-2013 19:51:05 GMT
1..1..0..

GET /MTFlashStore.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://VVV.6.cn/?src=tuiga834

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: irs01.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 31 May 2014 19:51:05 GMT

Content-Type: application/x-shockwave-flash

Content-Length: 1877

Last-Modified: Thu, 06 Mar 2014 08:35:02 GMT

Connection: close

Vary: Accept-Encoding

ETag: "53183336-755"

Content-Encoding: gzip

Expires: Sun, 15 Jun 2014 19:51:05 GMT

Cache-Control: max-age=1296000
....V*.S..MTFlashStore.swf..-...CWS.....x..V]o...>..t..[.e....YI...
LJ..H....ex.. [email protected]."...........n.t.2l......aEWx....%A.?......sHY.
./.:.&..y..y..J...6....0.A1<...a...0k....b)...t G...u.n..akkkbkr.0o
..l6 ..!.I.D...mi;.[...q...-.T..j.q.,..-{....n7.]Z...j.:.....-5...(P..
..L,...f..|...%M......`.".../T.f...G.q...g.t&%^I..k.l...e....9Q<b."
].UlK5....O.&...$..M..5>....5U..V....Y...}.|..n:.-SsjT......m..4...
&...lH...lj.,QBa;e.......S.M.....]]"........p....Xy5.Z.ib.....)c.?.i..
...n......<..P.Z.4-..S...L>..N..3......b..(.K.'..M......y......#
..leS...6=.5;U\.f.2..L....K....li.8}%3.=d=... 6.M\ .F..BS2-L35.8L.M...
.zB.&.[`/.....K@/.....O..#E.[..y:.............`..E......x?....@.......
....MC.y ......k.p....{....o55i..jl.......Ef..N...T..........%.....X.9
UW......*K.i.....U..[.^S...r..<..7..k..L..R[a..j....s(.uh..~.i.6.p|
...]........s.A ..M....].. HN.gx.......s...............~..._......v.~.
...?...............m"M..^.,._.I....,i.G/..;p.....t...........{......*.
[email protected].?y...&j..l.VV.T6....j6I..lB....7.....{....n.R.
.._.}.Qr.W...............1Y<....I.w?.....~..{.>iSR5i]..J../....;
.E....l....R.V ...W..ew..Q..d.e...k.}...va...bKv.B...*....q.:.....|...
_<..o..M..I.....`....U..P..c..~.}.'w.....(.z.../....0........c..@l0
...Ec...kL..".......P_x.A.A.A.1^...<......"O/.....0..A...g....q.."&
gt;."..|..K....e..........".i.. .*.Y_..."~.., &..E...S....u....7.\..q.
L..Y...H..1....<.^..t.........g..2.C. ... ...........9`8o0t......&l
t;[email protected].`@^..1R..-...!..9..`L.....x..<U..3...[.$O.,[...0
<<< skipped >>>

GET /pa?p=1:1305643224:17 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: wpa.qq.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: tws

Date: Sat, 31 May 2014 19:51:03 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: close

Location: hXXp://pub.idqqimg.com/qconn/wpa/button/button_old_170.gif

Pragma: no-cache

Cache-Control: no-cache; must-revalidate
0..

GET /stat.htm?id=1000386919&r=&lg=en-us&ntime=1401565855&repeatip=0&rtime=0&cnzz_eid=448490370-1401565855-&showp=1024x768&st=-17586&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=326117420 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: z6.cnzz.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx

HTTP/1.1 200 OK

Server: Tengine/1.4.1

Date: Sat, 31 May 2014 19:50:57 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Tue, 28 May 2013 02:57:17 GMT

Connection: close

Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..

GET /v/j7/42813b289d7baf467f18ecfa2f7738bf.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr0.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Fri, 15 May 2015 03:43:05 GMT

Cache-Control: max-age=31104000

Content-Type: image/png

ETag: "1980421947"

Last-Modified: Tue, 20 May 2014 03:43:04 GMT

Content-Length: 2733

Date: Tue, 20 May 2014 03:43:05 GMT

Server: tux/3.3

Powered-By-ChinaCache: HIT from 01057413L3

Age: 1008480

Powered-By-ChinaCache: HIT from 060531B337
.PNG........IHDR...8.........}.dr....sBIT.....O.....PLTE..............
......................................................................
......................................................................
.........}..........................s........~..}..k..y|.|..f..~..ux.s
v.y|.w{.uy.sw.ty.x{.ru.kn.sw.im.fj.ch.`c.ff.ae.]a.]a.X[.]a.UY.[^.V\.PS
.MQ.MR.KP.GK.GK.EI.?C.<A.<C.8<.CG.@D.=A.27.5;.33.4:./3.27./4.
)..&*.'..$(.&,..#.$*.. ..%.#(.#(.....#.. .....!.."..#..$..............
...............tRNS...................................................
......................................................................
.........................|.....pHYs...........~.....tEXtCreation Time.
05/20/14(Sn.....tEXtSoftware.Adobe Fireworks CS4........IDATx...._.G..
p'1..PD)[email protected] ^..P9.Zj=......._...2...........c6;......p.X
';....v.^[email protected].;(G..:....{...q..F..=W.
...X..*_O...d?..k...n.....Q4...e7:.m..E[C#.m.0.....L.4..NU:.5.."G...d.
/..o)..Q.0.gu..zK...ES..v?......X...18.V.]..JDK...n's.S...a.Sp.m.n.1..
.....=j.!{4F..\..i=d.h.2..T.3..N..j...YO.......F.8.tk....j...&.a....."
[...L.....NR....{k>~..}w....@H.^!p....H[.8.\l........oo]8....&.....
M....-4(7....56......."A[h.....Z7)7)o..56.N.X..6 ........_M..7......A-
....\K..V0.C.ES...a%....I....w.%.M..$)...l:.v..!.G%.j.MB.....0.2..L.%^
s........~..p.0.2.......b.e..u&2./Y....C......S..hMC.5....,....!.p.(..
.([email protected].........@..)L.K..C...Q.....yD ........a8d..JH
4..W....t.da8d...o.}...e......]F.....Ni}..........e.q._I...,...r..
<<< skipped >>>

GET /stat.js HTTP/1.1

Accept: */*

Referer: hXXp://go.snsfun.cc/?lq_aid=1398&uid=14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: go.lequ.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sat, 31 May 2014 17:39:18 GMT

Date: Sat, 31 May 2014 16:39:18 GMT

Server: nginx/1.0.12

Content-Type: application/x-javascript

Content-Length: 755

Last-Modified: Tue, 15 Jan 2013 06:01:46 GMT

Cache-Control: max-age=3600

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx39:8107 (Cdn Cache Server V2.0), 1.1 dls19:1 (Cdn Cache Server V2.0)

Connection: keep-alive
// JavaScript Document..function _lqGetQueryString(name) {..   var reg
 = new RegExp("(^|&)"   name   "=([^&]*)(&|$)","i");..   var r = windo
w.location.search.substr(1).match(reg);..   if (r!=null) return unesca
pe(r[2]); return null;..}..var lq_sid = _lqGetQueryString("sid");..var
 stat_uid = _lqGetQueryString("uid");..var stat_aid = window.lq_aid?lq
_aid:_lqGetQueryString('lq_aid');..var lq_url = "hXXp://go.lequ.com/ad
stat.php?wsite=snsfun";..if(stat_aid)... lq_url=lq_url   '&lq_aid='   
stat_aid;..if(lq_sid)... lq_url=lq_url   '&lq_placeid='   lq_sid;..if(
stat_uid)... lq_url=lq_url   '&lq_placeid='   stat_uid;..document.writ
e("<script src='"   lq_url   "'></script>");..//document.w
rite("<iframe src='"   lq_url   "' width=150 height=50></ifra
me>");....


GET /adstat.php?wsite=snsfun&lq_aid=1398&lq_placeid=14516 HTTP/1.1

Accept: */*

Referer: hXXp://go.snsfun.cc/?lq_aid=1398&uid=14516

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: go.lequ.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 31 May 2014 19:51:03 GMT

Server: nginx/1.0.12

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.2.17p1

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Pragma: no-cache

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Set-Cookie: lq_placeid=14516; expires=Sun, 01-Jun-2014 19:51:03 GMT; path=/; domain=lequ.com

Set-Cookie: lq_aid=1398; expires=Sun, 01-Jun-2014 19:51:03 GMT; path=/; domain=lequ.com

Set-Cookie: lq_serverid=0; expires=Sun, 01-Jun-2014 19:51:03 GMT; path=/; domain=lequ.com

Content-Encoding: gzip

X-Via: 1.1 dls22:4 (Cdn Cache Server V2.0)

Connection: keep-alive
14........................0..HTTP/1.1 200 OK..Date: Sat, 31 May 2014 1
9:51:03 GMT..Server: nginx/1.0.12..Content-Type: text/html..Transfer-E
ncoding: chunked..X-Powered-By: PHP/5.2.17p1..Expires: Mon, 26 Jul 199
7 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Pragma: no-c
ache..P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PR
E COM NAV OTC NOI DSP COR"..Set-Cookie: lq_placeid=14516; expires=Sun,
 01-Jun-2014 19:51:03 GMT; path=/; domain=lequ.com..Set-Cookie: lq_aid
=1398; expires=Sun, 01-Jun-2014 19:51:03 GMT; path=/; domain=lequ.com.
.Set-Cookie: lq_serverid=0; expires=Sun, 01-Jun-2014 19:51:03 GMT; pat
h=/; domain=lequ.com..Content-Encoding: gzip..X-Via: 1.1 dls22:4 (Cdn 
Cache Server V2.0)..Connection: keep-alive..14........................
0..

GET /jsorigin/AC_RunActiveContent.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.gm3579.com/qs/hw_xemw522/index.html?cid=16850340782&oid=100037702&dirtype=0&sid=68503&site_id=10352&p=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: uimg.xiaoangel.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 31 May 2014 19:51:02 GMT

Content-Type: application/x-javascript; charset=utf-8

Last-Modified: Tue, 30 Nov 2010 13:33:18 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sat, 31 May 2014 20:51:02 GMT

Cache-Control: max-age=3600

Content-Encoding: gzip
a7f.............Yio....l...7.C%..6o..@q. ...:p....E.$&4..G..7...;.I..S
$.`k..s.9w.a...wN..v.t....>....t!d.....J...4..E.q$.E/[email protected]...[.
Mg.....>.Nh..cA.......M.T.S. .v.FqLzAFR.....v...({..hH.._FS_.....V.
N........;...k..!..[...\.zB.?..S..s.l..._....~&....*J....\H....6...M.I
S.....d.h..i.(....f............,.?...}e 1..{...k......o)~.0...kfJ..i..
......M ....M.L..IC.<.f..1.0~.y..X..b..U....fB.$.t....1..; i.A.."..
.U...gi.u./..]g....b.w..!.Q..P....q,.......F....5EKk.M.....-..........
cXd..4.....6........Q.)[email protected]:3?..
..,.....N*.-.|)&..C....b./b.4..I$3E..8....MZ.....{:n...~...Xj.X.a ....
<..|..".(L.|.* .x.f.....8.H.!....c..._0P...<?^..YYb.O.u.|.}c8...
....b.Mx.._...........jZ.......bK.7._2....F.....?2........T7C.?..0..h.
Q.........C@.....>.j.!..._.:...D...4.."..".o. .zu../.osV.5..k.....!
...&.B6[w..%..k.....!.P0..W.f....9...../.... .....DM0.b...(.fQ.5=Y ~..
.*..X$S5...3....eQd...N.........zW...;[A..W.....V.....<..5.3.]8...8
....wXz.GF..NX....\yp.n....%..l.G..Q.I.....^.....=.L,....[...T=l..q...
%.<.{W.>. ..D3...W).s......c.X...2?.*F&kg..b.d.....{G.e.........
m..d.1:.(.6..SA...:...T...?'.N...d..x...v.zm.W....[.u.C...Q.f..`c...c.
.j.l.:A.4....d....~..O...c..s..Tf...4...P,..m....e...${X(.~.:@..{.)..'
....=.b.8DB4.7.....Z.........b..OI..0.L...Ur....9} U&G.q..>.~.....n
uW.26*.....m....~8H`.K]f.s.(5...S....../..@P:H.c..-5..%.eO[&.. .......
"[.s.#.&[....&...@.(XM}....Kk...h.....Peg'O..^C.!Hr..s>1./...&/[email protected]
6.G. .../..!...ez..kSq....(..........F......oh.6c.m.i........,.5..
<<< skipped >>>

GET /AShow.aspx?AID=9842 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|505; expires=Sat, 31-May-2014 22:50:37 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:37 GMT

Content-Length: 4156
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:...Y...W...~.:.E...|.....:_.
.m..?..s..'....-.e...................S...^~..a...5cz................w.
......-.F.......O../9......:'.w~1.k.....7.]..Yu5n..xVM..|...j.........
.>[email protected];.;.$/.\...._.K..~....f...... Ej4........~!u.
Q|..'.......U.4k.......~.....i..y..HLM....%^....?...E..........zT....U
~q.n......3...>A.O>.l.{.....ug..g~.;Dq.>.c.......G...I...R.C.
....;. ..r...C..&Dot...|....w....8b.4@|2.Wx...F...I?I..[..;...........
.-rj..QMg0.....G.....v....uN.A....6....u[.....p.S....]..U....~...C.T..
......]U..?gY.......!...o.....>[f..E.V.x........'.....~,._.........
_.>;.;n.........>.].....;.._.._(.~.~.M...>.?e.U93.......T>
.zu..=0..}t.M.......e^..m.3?s.'~.I]].....Vq...Gw....._......n>...6.
n:..E....]................$Fx^]..I...1....(......n.l7...........k.....
.(....o.u.>J.3..;..A.~..=a..{.IsN_........V...............^;B./...h
.4{.....f.-.A.u.!...6[.....o;t.....t..bE.Xb...6..V..osAr..h.&.........
..._../....0..../w.}....t>m.b..G..j.........).......bF......y^\.[.u
ZfM..'._.=}...g.?......{.............{.Ov.......q....~< .{..GG..J.G
. 6{.......u.....j...G....5..2?o..........7.&x......~<.{J......n?.j
..o.......S........C............Yq.h..Y.W ...h...~..y;$..U.H3V....EN.K
/..........4.......j.A.....o.@.\....^Q.f=Y..^...M.g..W>b.....YS{.|.
F.~.....c.. x.b..q.....o-.Kk....L.|A......=.P..6....|..=z.0....gl.....
.........o.....F.......9.....R.e...?..bY......`.........b<.f..j
<<< skipped >>>

GET /AShow.aspx?AID=9842 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|1955; expires=Sat, 31-May-2014 22:50:38 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:38 GMT

Content-Length: 4128
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:...Y...W...~.:.E...|.....:_.
.m..?..s..'....-.e...................S...^~..a...5cz................w.
......-.F.......O../9......:'.w~1.k.....7.]..Yu5n..xVM..|...j.........
.>[email protected];.;.$/.\...._.K..~....f...... Ej4........~!u.
Q|..'.......U.4k.......~.....i..y..HLM....%^....?...E..........zT....U
~q.n......3...>A.O>.l.{.....ug..g~.;Dq.>.c.......G...I...R.C.
....;. ..r...C..&Dot...|....w....8b.4@|2.Wx...F...I?I..[..;...........
.-rj..QMg0.....G.....v....uN.A....6....u[.....p.S....]..U....~...C.T..
......]U..?gY.......!...o.....>[f..E.V.x........'.....~,._.........
_.>;.;n.........>.].....;.._.._(.~.~.M...>.?e.U93.......T>
.zu..=0..}t.M.......e^..m.3?s.'~.I]].....Vq...Gw....._......n>...6.
n:..E....]................$Fx^]..I...1....(......n.l7...........k.....
.(....o.u.>J.3..;..A.~..=a..{.IsN_........V...............^;B./...h
.4{.....f.-.A.u.!...6[.....o;t.....t..bE.Xb...6..V..osAr..h.&.........
..._../....0..../w.}....t>m.b..G..j.........).......bF......y^\.[.u
ZfM..'._.=}...g.?......{.............{.Ov.......q....~< .{..GG..J.G
. 6{.......u.....j...G....5..2?o..........7.&x......~<.{J......n?.j
..o.......S........C............Yq.h..Y.W ...h...~..y;$..U.H3V....EN.K
/..........4.......j.A.....o.@.\....^Q.f=Y..^...M.g..W>b.....YS{.|.
F.~.....c.. x.b..q.....o-.Kk....L.|A......=.P..6....|..=z.0....gl.....
.........o.....F.......9.....R.e...?..bY......`.........b<.f..j
<<< skipped >>>

GET /AShow.aspx?AID=9756 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899|1955

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|1955|1805; expires=Sat, 31-May-2014 22:50:40 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:39 GMT

Content-Length: 2550
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:m.u.....]=.{ww..x.........w.
-..........>.._.......^....~0^\....]..{.i..{..'O.b.v.5.w......v.v..
.......?....v..........{..}z.....{..<......'...O>==~............
..........=.}.wp|..."....~/........O..%.._...~..jQ,......ySO..{...X^.{
x...i.:?.....Y5]/..qYM.....&....F{...w..~...../|Z-.bI.>.{....C2.<
;.9~.........|..p.......~...O..<..y.p....gO.?8}.{..w.....O.NwVVV...
{.d.....!..F..'.rZ...^..T.U...my....j..EU...|Vd..U1#\......o.yq1o?....
...f5...0.......y..=...?...M..PW..o.S.....16....5Q~.5......U...e~.~vo?
.`..'-..I.M.j......8O...U^.o....<k...]....>.x.....2.}..._....."k
..HU.-..e6)...........z9..n..?...~....._.K...s....n....../.y........D.
..t..K........e..gu.....b...........~..........g..........uU._N~.>.
Z..y......Y....T._...L?V...~........vkvg$.~..w......x.~....V*.....3?#.
..?L...8.?..>.?.n.".p.P0.{N..g.....8..........z...}`..{..O.>.?..
......I..^Ek?#...y..e.~.......$...i3.....m...9..v^a.B...&m..Z0....GO..
[...~4.7....-.C~..,....2.....l......b....}....7u.l.I6._...Mu.....<.
o.W.,.........U1.[Rg...b..? ..E....g...s.Q.W?.z.Ye...2..G) RRQ.w.hMRF.
......v....)1.............!..7UWu..[.?...(f.}..................\......
.....?..H..{....? .............?.x..P..~/.r.I......a....GG..X(.>..l
.T.......n.........}..0........%Q....]..C........3y....)$kJ..L?.....\.
v.....fE.*..GK2........>...2k.u.j...pwc.n..a...z)R...p..o....&Ve...
G..........Bp.H| T..Rp...|.!&..{...}...E........-f..q..I...suu..*m
<<< skipped >>>

GET /AShow.aspx?AID=9756 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899|1955

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|1955|1805; expires=Sat, 31-May-2014 22:50:44 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:44 GMT

Content-Length: 2549
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:m.u.....]=.{ww..x.........w.
-..........>.._.......^....~0^\....]..{.i..{..'O.b.v.5.w......v.v..
.......?....v..........{..}z.....{..<......'...O.....w....Ov..>.
?~p........<..z...._..a..~.{...wN....:.....2_..sUW.bqA......z......
.....{f M[..yN......zAo..j..E..6....4...X..O.....O...j..K......_x..a..
...O..h...|..p.......~...O..<..........ON....Bd88..twg........?.a2|
......A....|9.f.W..N...Z....a..Q.....~.E> .......{.v...............
.i...WL.f^]MW...].........&.H. ....)}..D....u~..(?...W.AO.....2?o?...k
0........&m..l.S.Q..[..*...~....5.......g.}.^...b..>N../L..eq..UM..
....2....N.....p.|........?.^.z.E../.%...9...X7y}|Ac....h.O......D.Y.\
....YYe...2...:[...n.|V....o.E^G?.@.^]T.].....}..G.....*./'?M......x..
....lr|.../..A.. .Gw.x}vzw..M.5.3.O?}.......w.c....p ..?.?..........Za
....O...J.M.?8x(..=.?.3.s..}...c.t.YA.\..}.>...=........|...{....~.
....N..<...h?.Yvp.~...o....w.N..^K..^K;.0]!CVa..Ye-..w...'..-.?k?..
...?...!?~L....u....yQ.y....E1{...>[d...:[6.$../.b..:o...j.....l..[
du.Huu....-...jy1j...U."o.....o.9.(........iN..F....)....T.&)#.}R...g;
w.`....qn...y.~@\.........h.....HM...>..............O..F.T_UM..z.@.
..l..B.=J.v........C..Q.r...|.zw(Xv..O...j.j.h...G.....a,.X..v6i.r..q.
mG.......b@.>.s.N.uS.....(E......!L..~K....<..G...5..d......B.G.
..Gdt..Y....%.\..j...g..tv.5..X...P..1w.u....u.....H8Q.7.?....2`....w.
..Kc..u!8.$>..vi)...t>...d..............Q.....p.8K.........h
<<< skipped >>>

GET /live/63/67/b744ef7cf7616402b9cd75cd3b296755.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vi0.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 23 May 2014 18:04:00 GMT

Content-Type: image/jpeg

Content-Length: 40920

Expires: Mon, 18 May 2015 18:04:00 GMT

Cache-Control: max-age=31104000

ETag: "2046553676"

Last-Modified: Fri, 12 Oct 2012 03:19:52 GMT

Powered-By-ChinaCache: HIT from 01057413L3

Age: 697623

Powered-By-ChinaCache: HIT from 060108b3Se
......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62),
 quality = 100....C...................................................
.................C....................................................
........................".............................................
...............}........!1A..Qa."q.2....#B...R..$3br........%&'()*4567
89:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...................................
......................................................................
.....................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&
'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
........................................................?...|Y._...F..
^:.g.....fT..|[.i~.....2,...uie.:.2......)#...?...............m.......
?.|RX....,.?.t..YC<$.....x... ..!..9/...>3|}......}......u.V....
. ...|C}!?...K..B..}.{.......P..................._.~.|.l:...k....J.r._
.f..c...........^.w.<..i.E.e..W.....I.E.2.s sB.q.....UF....N..$..~.
p~..?....heT..g....7....=.6 ;.......],%*...F2................~....hO..
.<.E.x_.....*x.u.....s.-e"...k%.EK.".w..#........I...j^V....d...2q.
.c.....?)gQn..V-..]...$.?....*B.\...?0.......n..._...O......%..<-..
.3..,\..W.......?ygos5..^_.......o.7S..P[...G.P.A..........tX...<v.
.^!..F.([.._9|.{7....%.....%Lf3.5x.*..K.5....R{?....>j.O..D..O....j
qp........I4...NS...M.=.oe.k.;?.....?....o.e..V..g.5....y;...B..... ..
...Ldi.cs..c{..|.... ...>.K4..$...........x.....5.2.....7..9.&.2...
.......... ...:...7k.....?....=B.:-K........&.m.....V.|.c..m.!...f
<<< skipped >>>

GET /js/s/tracing_3.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vj0.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Fri, 27 Jun 2014 21:48:03 GMT

Date: Wed, 28 May 2014 21:48:03 GMT

Server: ngx_openresty

Content-Type: application/x-javascript

Content-Length: 1531

Last-Modified: Mon, 28 Apr 2014 02:16:30 GMT

Cache-Control: max-age=2592000

Content-Encoding: gzip

Accept-Ranges: bytes

X-HITS: 12

Age: 1

X-Via: 1.1 zw11:88 (Cdn Cache Server V2.0), 1.1 yfdx34:3 (Cdn Cache Server V2.0)

Connection: keep-alive
...........V.o.6..W4np....v...l.......I....P.%....m........i;..8"y<
.>~...h.....s..m?rb..v.....D.....U."...0.....mnZ.P.1..vSB..!...6.}9
_...B.e..U^M.mR.....s..*A.....p....C0......e%.*..w;.......f..w.z"..C..
.V<.{..VRW...Zp#...m.`x.f.p.O8..d...g..|......F..W\..........,u^.,M
(......<.....2....J.;..bi...ryY......I.`.1..... ....nP.....Tr.....c
B.}D..\...x'W.S..2.M..Fj:........_.Q8..l.....A..$*r)x.".....NZX|...j:s
.T..Z[...>#..,_...h..~.Vj]h..\.......R.{.....'H}...j.....p...Si...P
......\..U.4...lR.(.Ve.7^..w.........H...*N.7...."k>t(...^>".}@7
R.2W.T.E7..!..]F.....C........<l.B~R...K....[v..h..Q!Cg..&.3...p;..
........I.)%C.{.2.B.=.W}>.GM>:k..9.d..D........G.....k.99....X).
....FOn4:.]gEx.5......B...>.{...OL.|...Q.K!dU./..5............*u...
.........Z._......h..u.............&q!...0.y"'.......<...%m..1}a...
...........?..5......L..Q..I..T.h8..n...,.......|.....J (.?$..9.;/T...
T....1.nsG~.;.P..#X......}s.........k5...0...Od...p..{.....@ .2_.J.zT7
>...T.-..|4.9Hww%X..`..`^.y......R.Ve.RP...P.......T..G.l...<...
i.%..K.y..I|.Y..&....HTTP/1.1 200 OK..Expires: Tue, 24 Jun 2014 08:23:
24 GMT..Date: Sun, 25 May 2014 08:23:24 GMT..Server: ngx_openresty..Co
ntent-Type: application/x-javascript..Content-Length: 1388..Last-Modif
ied: Fri, 07 Feb 2014 08:57:50 GMT..Cache-Control: max-age=2592000..Co
ntent-Encoding: gzip..Accept-Ranges: bytes..X-HITS: 8..Age: 1..X-Via: 
1.1 zw12:80 (Cdn Cache Server V2.0), 1.1 yfdx32:3 (Cdn Cache Server V2
.0)..Connection: keep-alive.............Vms.6..._....).....#.\.N.s
<<< skipped >>>

GET /js/z_MIN_14.72.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vj0.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 29 Jun 2014 11:02:51 GMT

Date: Fri, 30 May 2014 11:02:51 GMT

Server: ngx_openresty

Content-Type: application/x-javascript

Content-Length: 59861

Last-Modified: Fri, 30 May 2014 10:58:50 GMT

Cache-Control: max-age=2592000

Content-Encoding: gzip

Accept-Ranges: bytes

X-HITS: 3

Age: 1

X-Via: 1.1 bjzw90:8080 (Cdn Cache Server V2.0), 1.1 yfdx32:6 (Cdn Cache Server V2.0)

Connection: keep-alive
............iw.9...y...]cS-.".dr.i.....f\.............I..Z....X...3..z
f.}}.E2. [email protected]..[|.6...j;[....*o..v..6..]....f..'...v...]
._.V.Z-B.c.2.....M.t>.Z...jy...v.nv...&.L..n......{(...q=9.!x..75O.
^D.....l\......e..H.T...[.~...p.......x:......s.[.Ow....C.y.....O.G..?
...gxB.>.;n...i..eC.V..........&]...O..0I..y."}eFr.n6..w....l......
[email protected]?5......z...Q...[.<...^..f........m..g...?...H..2.
....q.YOMG....j.2[-.^;hz..&\ng|./....6...i#....W........ ..w.d7.fx4_..
.....o.P}.....z..;.....-..........J.i.1.....wiT.Z...f.....2,9.ie.6..].
o6..9q....o...fyd.k......<q{......i..w.2..t....o.S..aF.Q=o..p7m....
.._.....k.it.:>...q.....x5[.........j..5..j...r...).{g.l.p..n...0..
......_^..~..U..$..6[/.:......?..N...~.._^....o...Ov.....&..|..mu...l.
...5...ny........A=...w.fh?.......wF..l.^o. ..t.x6.A....l.]D.p....v.p.
....^Hpv;...2P. .m0..%.m....i>....1_Y.k....k.r`..u...)(_.......K?O.
W......@?.Z.nb....8....=V..*..O...I-d..o...._b...........y...$..z.^..h
.._{....,..i.{.Y..K.H....m#\.i-...<7l.,.i....p.......z..n..a9..^..s
[email protected]!Q.......`..NB...1?K....e........a........|.h.
.9j..........<@.qF5............bF5.N.eC.S..'....u.JtT`...c...0...6C
....d._~..SzT.p.....g4.'l."...O.E.U.....R.........gh....AA.6...u..Z1..
U.p@.(...5...El.:.]..,.W..Jvf...x...P.f.....ZH.&[.:..._I.&-_.......W_S
...A..p .<Y_.l..U...........n....y..h....X....J...;[email protected]...
[email protected].^..:..P......8...bH9..d..fP.;)...z}:...*.C.........".....
^h%. .H.\7.f.3n...s...E.:..)..(.f)D.7..j^o...!j).o9V.v.y.*x}.d9...
<<< skipped >>>

GET /js/jquery-1.8.2_v4.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vj0.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sat, 28 Jun 2014 22:36:04 GMT

Date: Thu, 29 May 2014 22:36:04 GMT

Server: ngx_openresty

Content-Type: application/x-javascript

Content-Length: 41683

Last-Modified: Fri, 16 May 2014 03:02:09 GMT

Cache-Control: max-age=2592000

Content-Encoding: gzip

Accept-Ranges: bytes

X-HITS: 16

Age: 1

X-Via: 1.1 zw11:88 (Cdn Cache Server V2.0), 1.1 yfdx32:0 (Cdn Cache Server V2.0)

Connection: keep-alive
............kw.G...~...@.=2 .!.v.3...c...=.MK.v7I..R.A.......|...#2..@
H.<.g..ETU.32............w{......d.........&>,..G.............9.
......./........~..u..7.>?..uo.....f9..n...y..^].....U.J41l..N.g...
w.bp....E..Q.v:n.......~{.../.].<.yge.1......a{Y^.....M.8....j.....
..g.U.l......\..^/...u.,[.4....x.>. ..'...z..v.U.....l...w.i....x..
..........A.A.Q.`.....W.....n_....//~.....n._......u[#... i.>.wwa.F
.Z.gZ...b...M.{,6..h.j....u{....z....E9\7.'..V.v.......N..5..F.,CG.G.O
6!m.....T.....<;\U.o6.}.....g.6.....GY.S...........Oge..o>s8jE..
g./T...;.l.ks.&.#..X.......qZ.....ew.....g3. .. A...e..&.{-.....^....x
S....u..........A..tP..m<..K.....[w.Z.^."...Jk.Vh:.|.......v.......
\&...f.l76.V1....e.]~...\.......r...a........o..= ...9 [/.......V ..0.
.g6.8l;......^.'[email protected]/.q...._5./.......D...}._}iG9
...v..U......Oz....A1n...q.|......|T..u.7...hV...Y.TG...O9..u..e......
x..<....n..j......a.B'.3..nbX.....`<..5K....7..6..|.6...>..-w
..Y._&..z....&..}U.'e... ....~.wu,.'...0\.'.H(.9.........}...........^
,........f.y).2...*...........eM.G.L.[...d:..Y.|......:.-.lT..7....rxY
.........X....M. ...uh......Z4....W..pM......&..fc.[...P_..........5W.
...f.d..mX.a...j..6rY^-^W;..-.^.....<.HB.y...~.q3g|.y9j.v.i6.6Z....
*>.....l....^..,;...l..sM....mX>..T.!...9.~.m.u$........8...P.U.
.U.....O..;*,..a.x}R.....m...x.&..YG...}@..Z..1.....5Z:[email protected].::
..eK.Q.....'g`.. .~..p.....x,...8..i....j.nV..."%..&....l.FW.z.}.x. Tl
.oi..............gs....>.....\......v.|.dh....F.._>.\...S...
<<< skipped >>>

GET /js/im_new_MIN_0.36.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vj0.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 29 Jun 2014 03:46:04 GMT

Date: Fri, 30 May 2014 03:46:04 GMT

Server: ngx_openresty

Content-Type: application/x-javascript

Content-Length: 15807

Last-Modified: Fri, 30 May 2014 03:39:21 GMT

Cache-Control: max-age=2592000

Content-Encoding: gzip

Accept-Ranges: bytes

X-HITS: 3

Age: 1

X-Via: 1.1 zw13:88 (Cdn Cache Server V2.0), 1.1 yfdx34:6 (Cdn Cache Server V2.0)

Connection: keep-alive
...........}kw#.....s.?@%.... .. ...c..q.X.....Z}p...G7...lq...{oD..P`
S...x=.&P......wF.....m.....r..._..U.>..Q...l9Z}l._....x.....v.Z...
...w..........o..l=..........n4?&.m=h.................y?:y.9....l1..hN
..y...6..t.....V..M..~.1..6.~4.no.''.q}........d.7.p.._..h..5...f....^
.o.......6..*.m..x.o..........& i...T.^..u<_$..0]."...f...#i...}..1
...!:[email protected]."e4........q6.zo.1.z.p?_...n.|..n..&.}...x...x.?x.?.v..m.
[email protected]....<^..O.l<h..w.f2..}..=... .......W..7...P...b..
...u...K|.....W...4.8.vI%.....7......1....O..j..r..*.G......(~ ...m...
..x...6..y....6...|.O.....6_.~\.G.."_n.X...s~.|s.c2.3h..M.d.5...5..f.&
gt;...0J...n.(...}....ovY.o...... k...y............nd}..~q$7H.Y...jt/.
'...z..*00..5..M..],'...V.....Gm..:..V.]....j.;rP.M&9.4.Dw.V.4z.......
s...)...b<.V....6.d..J.B3].>[email protected]....~..7.=....x......'.P.1.M..|
3,.=...;..|M.......8..l.l....Cl...f.l.Z..h?^[email protected]......
2.;6.f8_MfK.9.[....x.;....x...Z{[email protected]#C.b.l`.....w.!P..
.u..|......m.E....mdP.........B.W..~...t6._...nR..d>.l.."S..6.&.Q..
.#."}{....1/.....#. '.&..z..^-......Wv.d.....w[`..h..W.n.7.OR...6....l
...........W=.,...bi..Bz.F!7....(1...H.w....1f.l>....g.C.]......l..
v[....N.e~ja.x.....x}..d?..HO~...v..6....................u....y....d..
.c......A.&.......l.......q.7 .....?a.'G.is..u|..]N....Y8.....N.......
....WG....l1.m.. b;.Cz.^.=.d.}.<E!*...s....Z......<.T...2].2....
[email protected];.A...D..k..:..3...i-..q.!1in.5$.p.q.v...G..(...{...
...._'.....I.@T....$.qs.l^s...6.c..u..........pka....d7'Vd/...D...
<<< skipped >>>

GET /showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/2013.11.261.gif&gourl=http://z.myzwqwe12.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A6085337B3F658C8AAB4734339BDB1BEF4A78245679B95E357C&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: p.tuigoo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Wed, 31 Jul 2013 15:22:38 GMT

Accept-Ranges: bytes

ETag: "0b345ca18ece1:0"

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:47 GMT

Content-Length: 2942
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"...O.<y...<M...L_~....I..
.....wr...7O....o.x...w.7u.l....Yy........m.zt........../..yu..`..e.u.
......GG.q.._......,.g......4...~..6#\..v.....g..T.6_..o.W.G.T....6...
....t..M.~.n...>J..L[.e~.........&..:m..2...EV_..G;.w..D3..U{....eV
...U1k..g.E...M...9}........(.I.../....v...</..m..|N..........V[]T.
....lW?YTM.*......}..-.y.f..g..*}.....1A.C.o..F.....E/...e%s.._....q..
)....*.....g~&....;....u.L...G...=J...../9.%. hG......'.........0&.We.
<?o...W...R....3..M.J.`.W........p._T.9............^..Yu5./..CK^.._
..E`i...j.-....F........e..2[.....f/.:[4...ZV..o...q..4m..{g........~.
D~.........0-............'.p7^?....|.......wR....<........>...U3
..e.L.Un..~.. ...,.Wu...r..............GP.....W.X.K.n...........~.1>
;......|...x.M..\.9..c.!u~..G.......j]..............?)..........}...E.
.......~.6..j..n........Z.]....*........Q:..Y^..Cz)...=.x...%.......J[
.w..~:......n*....fok.]..Y[..l....n..c&...[.}........Y..{.4L[.sR'.Y.. 
......BX.........V.`y.............9..VJ.N....1 z]e5..{..?..Y~.........
W....vF{.....z....3b.k4..T...o/........=..._3....J..U..;$'........>
%.a..;..5...O#=..w.?].....~F..=......M....w......loCJ...~z{...|..g.}..
.W..u8.YsU..y.._..R?..4k..cC..i.....uO"KzaR..[.i.k...;....'....?n|Cg..
....^YU .........*............A._7..*37$.q...<k..............."..c.
....D.......b.i_..n|g.j..$....%7.o..7..c./._7.3%-..w....)f..........=.
....T.....wf9.^......c-No8..O..Ue.>.UE...i.c@/}..o.........O..6
<<< skipped >>>

GET /app.gif?&cna=niARDPK2920CAbhrJiZfzYxx HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pcookie.cnzz.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx

HTTP/1.1 200 OK

Server: Tengine

Date: Sat, 31 May 2014 19:50:59 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=niARDPK2920CAbhrJiZfzYxx; expires=Tue, 28-May-24 19:50:59 GMT; path=/; domain=.cnzz.com

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;....


GET /app.gif?&cna=niARDPK2920CAbhrJiZfzYxx HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pcookie.cnzz.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx

HTTP/1.1 200 OK

Server: Tengine

Date: Sat, 31 May 2014 19:50:59 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=niARDPK2920CAbhrJiZfzYxx; expires=Tue, 28-May-24 19:50:59 GMT; path=/; domain=.cnzz.com

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;..

GET /css/level_MIN_12.04.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vj1.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 29 Jun 2014 16:14:16 GMT

Date: Fri, 30 May 2014 16:14:16 GMT

Server: ngx_openresty

Content-Type: text/css

Content-Length: 15898

Last-Modified: Thu, 29 May 2014 03:00:49 GMT

Cache-Control: max-age=2592000

Content-Encoding: gzip

Accept-Ranges: bytes

X-HITS: 18

Age: 1

X-Via: 1.1 bjzw90:88 (Cdn Cache Server V2.0), 1.1 yfdx33:1 (Cdn Cache Server V2.0)

Connection: keep-alive
...........}ko.K.._10_..F..[/;.....fq...,v?............../....HV.....9
Q.."..b.....u.{....|.\......O.7......d....]=noo.6.n./O...W...v..|y..|.
............~.c..n............c.....f.~.....B..<...5..&.w....r.ZnC.
.,...m......^...B{]h...]....t....7...B{..7.p..7.p........e.`.8XF...*..
...B.VA.. .U...4V..*......f...B..<.i.. v...6...N..v..h..n...m"l4.v.
.b.....2.]..n.D.E...C7.}.b..h.]...EK.".]d....5..]4...v...k.P.h.]....3.
Rf..N.h.]..n.....Au.l.h..".."g......2.w...O....t.$...q|...C..|......v.
....^.=?..........?O?,.!..|..?~.>.m^>>l.o>.........1.}.m~\
....x.~.......g..vw.v..O.7O.....b..:..l..w...].o.......v7y.?]M...>]
...O.P........}..j[...l.._......2d0AqO..Hm|Q....y..u.|.*c...R...._..].
1.D..t...,...x..o P..A...Z.Jr.1P J. ..(..K..a(G.p$^IV!&.(.=. .%Y..:...
!^I.`..P."...J2..S@I. ..P.P. ..D.....x%..<!...U..}..A@)mI. ....\.WR
..n.(i&0R.(.=.$.Jr.IJ.u);.iK..@.".A"#.AF#.)...G.......G....<H.)..3#
.......ST.....4J...ab..a.%.i.R~.|.\%.b:&..}b.&..^ e.p./J..lN.BZ'.I[.DO
.)2..#...W.i...8%.a.(..~@.(...J...R.Bv).)...M...g..3......KLxd...d..J6
..T ../o.....>?C...V_..!m...)O.../...~w5.C...s.kt0.G...py{.....[rYO
"{m...h...[.t.07J...........3.....5....-u......."k.-...B0..h..l..R....
. R....._)...Ao.)lk......Pio"....L....u..J.ng.Mi.1..m&m.#..Eo9)t;.a.d.
)..0...qg.O.J.'.egh..O8.....fF...a...e.pg...V..KC!.0..- .x^.f.L3k.....
.xi...3.n.....L..!.g.i. .ig...a.Nt.O0.U..R`.6.!...5{CJ..@..).6...R...H
.[[email protected].&....,..mC.N ..5.9...e........A[..........W.mH..W.}iAk.l/
..8.K.....y.tjSV..f.A..vnC..&...tF._0...$7....6..<'o....I...*..
<<< skipped >>>

GET /z_stat.php?id=1000386919&show=pic HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: v1.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Sat, 31 May 2014 19:50:55 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Sat, 31 May 2014 19:50:55 GMT

Expires: Sat, 31 May 2014 21:20:55 GMT
ef2..(function(){function l(){this.c="1000386919";this.R="z";this.N="p
ic";this.K="";this.M="";this.o="1401565855";this.P="z6.cnzz.com";this.
L="";this.s="CNZZDATA" this.c;this.r="_CNZZDbridge_" this.c;this.G="_c
nzz_CV" this.c;this.u="0";this.B={};this.a={};this.la()}function g(a,b
){try{var c=[];c.push("siteid=1000386919");.c.push("name=" d(a.name));
c.push("msg=" d(a.message));c.push("r=" d(h.referrer));c.push("page=" 
d(f.location.href));c.push("agent=" d(f.navigator.userAgent));c.push("
ex=" d(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Im
age).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(e){}}var h
=document,f=window,d=encodeURIComponent,k=decodeURIComponent,p=unescap
e,r=escape,m="https:"===f.location.protocol?"https:":"http:",s=m "//c.
cnzz.com/core.php";l.prototype={la:function(){try{this.U(),.this.J(),t
his.ia(),this.H(),this.m(),this.ga(),this.fa(),this.ja(),this.j(),this
.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),f[th
is.r]=f[this.r]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:
function(){try{var a=this;f._czc={push:function(){return a.C.apply(a,a
rguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=f._czc
;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b
  ){var c=a[b];switch(c[0]){case "_setAccount":f._cz_account="[object 
String]"===.{}.toString.call(c[1])?c[1]:String(c[1]);break;case "_setA
utoPageview":"boolean"===typeof c[1]&&(f._cz_autoPageview=c[1])}}}catc
h(e){g(e,"cS failed")}},qa:function(){try{if("undefined"===typeof 
<<< skipped >>>

GET /live/2014/05/26/14/1013v1401084571894271838.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vi4.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Mon, 26 May 2014 06:09:43 GMT

Content-Type: image/jpeg

Content-Length: 17047

Expires: Thu, 21 May 2015 06:09:43 GMT

Cache-Control: max-age=31104000

ETag: "3394904447"

Last-Modified: Mon, 26 May 2014 06:09:31 GMT

Powered-By-ChinaCache: HIT from 06047113L7

Age: 481288

Powered-By-ChinaCache: HIT from 06043343SA
......JFIF.....H.H......Exif..II*................ohXXp://ns.adobe.com/
xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> &
lt;x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011
 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf="ht
tp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf
:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="h
ttp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.ad
obe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:73E6526B69B6E01191
83F6332DACD560" xmpMM:DocumentID="xmp.did:295920C7E15D11E3B88FE4744A94
8A33" xmpMM:InstanceID="xmp.iid:295920C6E15D11E3B88FE4744A948A33" xmp:
CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom 
stRef:instanceID="xmp.iid:96B53BFE54E1E3118CA0A943DBABB4D7" stRef:docu
mentID="xmp.did:93EEF2C6B66B11E087A8C6BE9A0D9698"/> </rdf:Descri
ption> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
;...C.....................................%...#... , #&')*)..-0-(0%()(
...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((.
....................................................T.................
........!..1.AQ.."a....#2Bq...$3Ur....6RT....&45Cb.%DW..SVct..........
...........................9.......................!.1A...QRa....."23q
4...B.#..$b..............?..k.c~.j...N.....#.mX.i'r.z.^o.......*C-...k
.:wWUi.q......aj......j...,..o........0.G.O...4.%.c...._..............
.;_.....y.q........B....\...>n.....O.Yv<.....^K.o..T~.....O.
<<< skipped >>>

GET /68503.html?sid=10352 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: VVV.gm2468.com

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 31 May 2014 19:50:59 GMT

Content-Type: text/html; charset=utf8

Last-Modified: Mon, 26 May 2014 02:25:14 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Sun, 31 May 2015 19:50:59 GMT

Cache-Control: max-age=31536000

Content-Encoding: gzip
546............}VO..D..#.............3.... .........=.M....&.m$z.V.Pz.
....T..H..R..e.Yq.W....fi...3o.{.{.y......sW>.....U..4A7o.xmg...m..
.m.Wv..O?..~..,..r......&.}..F8..h..x<..kV.C{..=..Z..^6......w...t.
..4.J..Qkkk.........E..'/.......O............x1{.........<.j......y
}.....g?<;>.......cW.$...........}...L.L4w...._...l"l..E~Dy....a
s.#[AJ....,[email protected]<.\4..4..<..t_*Y.o....A....*.A.........
,h..8....=..Q..<...s.q....r.....a$.5...4....Cx...........i......b..
p,.I7..S.<..H.)G..;D...qHS...^./...a....{..../^.)...R..,t.8....#.r.
.P.5%......$.q...Q.Z..B.....J....w.....q...I.<z>.p..x`U ...z6.3.
h....Q....</...T..T.H!.d'..u*"K..T7..{....-. ...h.....J.O.\..d..P..
..Q.....x.`S..=..]W.M.Ay.1.y.3.x..`..*...,.....z...Jp...........].C..H
.]...t.V..[....K.......L....d8.|.......R.d....r..Bv[I.S.bU......>#.
..[,.:)t....`S.1q...;[email protected]).~.8<......z..R..KK...D....#..q(..a.
.0?...[;[email protected].^k`@*A.~.C.ou.d.dR.zz.N.S...gH...9.Q^.SFG<...%..
.<...j.}.o.E}.=8o.A.0/...//..;eI.j.....D...(..Z<.........h...P..
r......"...5.i..,@(.[E.<.z.>.....3.....iJ...r...C.O| L.:9.V...}.
....SkHt...ld......q.*A3..7..7..C.t....)'l...ol....dm......a.C..XrN),-
U?.8...........\...P*-X.&...*...H...y.U.....y...$8..U...=.y.#5|....]..
............C...j..N..,.z...vV....,...z...Um....J..i..G..N......\.Y.u.
D...F.t.....ZL.tW...4 .|.9......w.L~W.&.r.r.....|(....f.....?..g.>?
~........^.......0..
<<< skipped >>>

GET /stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=1&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17582&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=1274859904 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: hzs9.cnzz.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx

HTTP/1.1 200 OK

Server: Tengine/1.4.1

Date: Sat, 31 May 2014 19:50:57 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Tue, 28 May 2013 02:57:17 GMT

Connection: close

Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..

GET /9.gif?abc=1&rnd=1411165327 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cnzz.mmstat.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx; sca=92468b6a; atpsida=b5663bce737b7299fca14b7a_1401565854

HTTP/1.1 302 Found

Server: Tengine

Date: Sat, 31 May 2014 19:50:57 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: atpsida=b5663bce737b7299fca14b7a_1401565857; expires=Tue, 28-May-24 19:50:57 GMT; path=/; domain=.cnzz.mmstat.com

Location: hXXp://pcookie.cnzz.com/app.gif?&cna=niARDPK2920CAbhrJiZfzYxx

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;..

GET /imges/pixel.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr0.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.3

Content-Length: 43

Cache-Control: max-age=31104000

Date: Fri, 23 May 2014 18:03:58 GMT

Content-Type: image/gif

Expires: Mon, 18 May 2015 18:03:58 GMT

Last-Modified: Tue, 07 Aug 2007 15:01:15 GMT

ETag: "3490394714"

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697624

Powered-By-ChinaCache: HIT from 06010923Sl
GIF89a.............!.......,...........D..;....


GET /imges/live2013/idx_share_mood_v1.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr0.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.3

Date: Fri, 23 May 2014 18:04:33 GMT

Content-Type: image/jpeg

Content-Length: 9123

Expires: Mon, 18 May 2015 18:04:33 GMT

Cache-Control: max-age=31104000

ETag: "451315935"

Last-Modified: Thu, 12 Sep 2013 08:58:03 GMT

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697590

Powered-By-ChinaCache: HIT from 06010923Sl
......JFIF.....d.d......Ducky.......P......Adobe.d....................
......................................................................
.........................................................J............
......................................................................
..........!..1".AQa#.q2B.R3........................!..1AQ.aq"...2...B.
...#..b...Rr...3s.T............?...... ...5...m..t...x.....2Fd.)......
.O.N.....0NBr.I...O!.19a....]..v..u.....u.....U.. ..O..^.H...]..Y.)(..
c Z`...<.>........O.|~g..\q.rT.2.x)<[email protected].....
..D..D'... #$C.....9....%.....s...[....!.".?I*f8.G...<.a...VQ..]1..
......u..J%..U........R.....Qe.R.*.. .9.8...K2.U<[&...n.&....0..u1.
..l.c....R5.........b.6..R..B4.yz.....:.81.0&5.|!..aKhl_a.L.SO)0..8..r
.$......t..X.Qa.....)1....z......s..6....)._z3.4HB/Gp.y.T.. 1!$...>
z.R8..P....H.>..). .:.8.....[.i......n..,y.l:..7.R..=...AU..(.E.E.~
.i...._.....)..2.3*.........#.D`.i1.Gf\G...H....Hm......TTT...D....em[
.pC....=..H.g#k.......k,.R..2.~{$.8. }.*.{..:...7RG.?...d.g^.s{,H...m?
.s..;s.......]D.fti.,F4..O..0.....-..Qk...$.?..*}..........N6......j{R
.*."....B.f.......} ....'...0.by.2...#jH..|T.)..UO...A..lP.T.`.....1..
n..a._.jZ..=w....lY....Dn.3....p.u.p8..x*.."...n..a.p.?._.....n.gps..e
U.63...*.Kf5B......dI.2..\.E.../C...c....n<...-........T.W."'^.q.R.
.$.#.{.Y.}c. ..*.wL....,...1....g~...pH*..ITR.6..9..Q.........u..kj..h
z.....}.Y.X4....0pD.$04B...*/tTT..$ ....7-..J....G..xbSU.....F...j..."
"..*.......WQKZ.>'..>xi..=...n...N.HE...'.P3f!T.F4.....ZG...
<<< skipped >>>

GET /aa.php?cid=68503&sid=10352&ref= HTTP/1.1

Accept: */*

Referer: hXXp://VVV.gm2468.com/68503.html?sid=10352

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: clc.gmhuowan.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 31 May 2014 19:50:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: huowan_aasw=1; expires=Sun, 01-Jun-2014 15:59:59 GMT; path=/; domain=.gmhuowan.com

Content-Encoding: gzip
14........................0..

GET /imges/live/index/firstpay.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr6.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.3

Content-Length: 5084

Cache-Control: max-age=31104000

Date: Fri, 23 May 2014 18:03:45 GMT

Content-Type: image/jpeg

Expires: Mon, 18 May 2015 18:03:45 GMT

Last-Modified: Fri, 24 May 2013 06:57:11 GMT

ETag: "3721085655"

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697637

Powered-By-ChinaCache: HIT from 060105g3S5
......Exif..II*.................Ducky.......F..... hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmp
MM:InstanceID="xmp.iid:162404BBC43C11E2AF6EBF574F926D9C" xmpMM:Documen
tID="xmp.did:162404BCC43C11E2AF6EBF574F926D9C"> <xmpMM:DerivedFr
om stRef:instanceID="xmp.iid:162404B9C43C11E2AF6EBF574F926D9C" stRef:d
ocumentID="xmp.did:162404BAC43C11E2AF6EBF574F926D9C"/> </rdf:Des
cription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?
>....Adobe.d.......................................................
......................................................................
....................#.n...............................................
............................................!..1AQ".a2#3..BR4q...b5...
CSc6.....................!..1A.Qa"q...2B.......Rr3bc....#..4..........
..?.....N."c.-..8..S.%.)....q<MMu..[q..;..?W.5..Z...#vT6..X|T....{.
...E.....!L<8.)Wr..F..RB...j..A..|...Oz{...n.M.e..6.)F...nd...:....
N..Q.k.'T]y......u.{...q.y..5}.......].\.`&C.6.Q.u.....J}..T}. yx..I..
o..[U..A.II.~2...`.)!...D........yS}S..Sm........*t:.A. D.......P.
<<< skipped >>>

GET /live/2014/05/19/17/1013v1400493293416348850.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vi4.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 23 May 2014 18:04:54 GMT

Content-Type: image/jpeg

Content-Length: 18011

Expires: Mon, 18 May 2015 18:04:54 GMT

Cache-Control: max-age=31104000

ETag: "3440112431"

Last-Modified: Mon, 19 May 2014 09:54:53 GMT

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697577

Powered-By-ChinaCache: HIT from 06043343SA
......JFIF.....H.H......Exif..II*................ohXXp://ns.adobe.com/
xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> &
lt;x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011
 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf="ht
tp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf
:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="h
ttp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.ad
obe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:B507581E34DFE31188
7281BBC4BC42FC" xmpMM:DocumentID="xmp.did:1E67784EDF3911E39375874D1093
0E21" xmpMM:InstanceID="xmp.iid:1E67784DDF3911E39375874D10930E21" xmp:
CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom 
stRef:instanceID="xmp.iid:B507581E34DFE311887281BBC4BC42FC" stRef:docu
mentID="xmp.did:B507581E34DFE311887281BBC4BC42FC"/> </rdf:Descri
ption> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
;...C.....................................%...#... , #&')*)..-0-(0%()(
...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((.
....................................................V.................
.........!1..AQ.."aq......24RTUst......#356BSr....$&...%CWb...7Du.....
..............................A........................!..1AQRaq......
."234S...r..Bb...5C..#T.............?...D.TP.P.P.P.P.P.P....l..P.F...M
...l..9...^{*9..~......;S'$..,t<.......&.N.....Z...co.j...g.g....F!
.$....y....(.8.j.....~..QF!....g.G.O....L.....n<.\qF...I.M."...
<<< skipped >>>

GET /core.php?web_id=4693566&show=pic1&t=z HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Sat, 31 May 2014 19:50:53 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Sat, 31 May 2014 19:50:53 GMT

Expires: Sat, 31 May 2014 20:05:53 GMT
322..!function(){var a,b,c,d=encodeURIComponent,e="4693566",f="pic1",g
="",h="online_v3.php",i="hzs9.cnzz.com",j="1",k="pic",l="z",m="站
;长统计",n=window["_CNZZDbridge_" e].bobject,o="http
s:"==document.location.protocol?"https:":"http:",p="0",q=o "//online.c
nzz.com/online/" h,r=[];r.push("id=" e),r.push("h=" i),r.push("on=" d(
g)),r.push("s=" d(f)),q ="?" r.join("&"),"0"===p&&n.callRequest([o "//
cnzz.mmstat.com/9.gif?abc=1"]),j&&(""!==g?n.createScriptIcon(q,"utf-8"
):(b="z"==l?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" e:"hXXp://q
uanjing.cnzz.com","pic"===k?(c=o "//icon.cnzz.com/img/" f ".gif",a="&l
t;a href='" b "' target=_blank title='" m "'><img border=0 hspac
e=0 vspace=0 src='" c "'></a>"):a="<a href='" b "' target=
_blank title='" m "'>" m "</a>",n.createIcon([a])))}();...0..
....


GET /core.php?web_id=1000386919&show=pic&t=z HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Sat, 31 May 2014 19:50:56 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Sat, 31 May 2014 19:50:56 GMT

Expires: Sat, 31 May 2014 20:05:56 GMT
322..!function(){var a,b,c,d=encodeURIComponent,e="1000386919",f="pic"
,g="",h="online_v3.php",i="z6.cnzz.com",j="1",k="pic",l="z",m="站
;长统计",n=window["_CNZZDbridge_" e].bobject,o="http
s:"==document.location.protocol?"https:":"http:",p="0",q=o "//online.c
nzz.com/online/" h,r=[];r.push("id=" e),r.push("h=" i),r.push("on=" d(
g)),r.push("s=" d(f)),q ="?" r.join("&"),"0"===p&&n.callRequest([o "//
cnzz.mmstat.com/9.gif?abc=1"]),j&&(""!==g?n.createScriptIcon(q,"utf-8"
):(b="z"==l?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" e:"hXXp://q
uanjing.cnzz.com","pic"===k?(c=o "//icon.cnzz.com/img/" f ".gif",a="&l
t;a href='" b "' target=_blank title='" m "'><img border=0 hspac
e=0 vspace=0 src='" c "'></a>"):a="<a href='" b "' target=
_blank title='" m "'>" m "</a>",n.createIcon([a])))}();...0..
HTTP/1.1 200 OK..Server: Tengine..Date: Sat, 31 May 2014 19:51:05 GMT.
.Content-Type: application/javascript..Transfer-Encoding: chunked..Con
nection: keep-alive..Last-Modified: Sat, 31 May 2014 19:51:05 GMT..Exp
ires: Sat, 31 May 2014 20:06:05 GMT..31f..!function(){var a,b,c,d=enco
deURIComponent,e="1360447",f="",g="",h="online_v3.php",i="hzs7.cnzz.co
m",j="1",k="text",l="z",m="站长统计",n=window[
"_CNZZDbridge_" e].bobject,o="https:"==document.location.protocol?"htt
ps:":"http:",p="1",q=o "//online.cnzz.com/online/" h,r=[];r.push("id="
 e),r.push("h=" i),r.push("on=" d(g)),r.push("s=" d(f)),q ="?" r.join(
"&"),"0"===p&&n.callRequest([o "//cnzz.mmstat.com/9.gif?abc=1"]),j
<<< skipped >>>

GET /live/33/84/bd5463690a93c57a1039c47e11ab0f97.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vi5.6rooms.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 23 May 2014 18:04:31 GMT

Content-Type: image/jpeg

Content-Length: 40582

Expires: Mon, 18 May 2015 18:04:31 GMT

Cache-Control: max-age=31104000

ETag: "3219167622"

Last-Modified: Fri, 20 Dec 2013 09:19:14 GMT

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697591

Powered-By-ChinaCache: HIT from 060105g3SH
......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62),
 quality = 100....C...................................................
.................C....................................................
...................f....".............................................
...............}........!1A..Qa."q.2....#B...R..$3br........%&'()*4567
89:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...................................
......................................................................
.....................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&
'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
........................................................?........&/...
...rls..%.>.7..i...o...1......y..i../LW....n..._.S. ..p.Q/)BO....K.
g...hM7....mm8..5...u<Z..)..>.~...B.%.J....k.....?...r`7.... .w{
.....Y.Z......HT......T.....g,..B...:..w.=.M8..e....7. .`....'.l|G.@|O
.|...........|a.Sl.........^k7.B.c.....&.GD.......~....{..c...........
....!.jy.8.o.{.W...._.....j....O....W.....A.A..=..kO.x......x[H.f1...^
. i!.o.5)....sy3.....G... .iR..Y.J......B..M..^.eN.D.V.).R..).s..2...O
._..x...*..FYJ.L\.:K.....H...i..J4.....^T.(F.a.NUUJ......-..........g.
W....MJ. ./P....K.^....A.. .O...N..;*.q.]iV....Q...]....jV..-..g..8...
.yi<....`rd.H&..H..O.H....8..)..k'.7.........R.`A.....;.....<U..
.n...[.:......go..r.......jV...<oc..i.....u5.....[..ZO..K...Q..kt..
...q.M.G"........S.....8Nt):.(W.Ru......V......'.u..&xK...O.#......J.z
Y.....V.).j..G...B..\..T.N....n......%.!Yx.....7c-..#.d..Go....5.G
<<< skipped >>>

GET /imges/live/index/firstpay.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.6.cn/?src=tuiga834

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: vr6.6.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.3

Content-Length: 5084

Cache-Control: max-age=31104000

Date: Fri, 23 May 2014 18:03:45 GMT

Content-Type: image/jpeg

Expires: Mon, 18 May 2015 18:03:45 GMT

Last-Modified: Fri, 24 May 2013 06:57:11 GMT

ETag: "3721085655"

Powered-By-ChinaCache: HIT from 06047113L7

Age: 697637

Powered-By-ChinaCache: HIT from 060105g3SY
......Exif..II*.................Ducky.......F..... hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
1 64.140949, 2010/12/07-10:57:01        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Windows" xmp
MM:InstanceID="xmp.iid:162404BBC43C11E2AF6EBF574F926D9C" xmpMM:Documen
tID="xmp.did:162404BCC43C11E2AF6EBF574F926D9C"> <xmpMM:DerivedFr
om stRef:instanceID="xmp.iid:162404B9C43C11E2AF6EBF574F926D9C" stRef:d
ocumentID="xmp.did:162404BAC43C11E2AF6EBF574F926D9C"/> </rdf:Des
cription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?
>....Adobe.d.......................................................
......................................................................
....................#.n...............................................
............................................!..1AQ".a2#3..BR4q...b5...
CSc6.....................!..1A.Qa"q...2B.......Rr3bc....#..4..........
..?.....N."c.-..8..S.%.)....q<MMu..[q..;..?W.5..Z...#vT6..X|T....{.
...E.....!L<8.)Wr..F..RB...j..A..|...Oz{...n.M.e..6.)F...nd...:....
N..Q.k.'T]y......u.{...q.y..5}.......].\.`&C.6.Q.u.....J}..T}. yx..I..
o..[U..A.II.~2...`.)!...D........yS}S..Sm........*t:.A. D.......P.
<<< skipped >>>

GET /AShow.aspx?AID=9842 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|2033; expires=Sat, 31-May-2014 22:50:37 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:37 GMT

Content-Length: 4135
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:...Y...W...~.:.E...|.....:_.
.m..?..s..'....-.e...................S...^~..a...5cz................w.
......-.F.......O../9......:'.w~1.k.....7.]..Yu5n..xVM..|...j.........
.>[email protected];.;.$/.\...._.K..~....f...... Ej4........~!u.
Q|..'.......U.4k.......~.....i..y..HLM....%^....?...E..........zT....U
~q.n......3...>A.O>.l.{.....ug..g~.;Dq.>.c.......G...I...R.C.
....;. ..r...C..&Dot...|....w....8b.4@|2.Wx...F...I?I..[..;...........
.-rj..QMg0.....G.....v....uN.A....6....u[.....p.S....]..U....~...C.T..
......]U..?gY.......!...o.....>[f..E.V.x........'.....~,._.........
_.>;.;n.........>.].....;.._.._(.~.~.M...>.?e.U93.......T>
.zu..=0..}t.M.......e^..m.3?s.'~.I]].....Vq...Gw....._......n>...6.
n:..E....]................$Fx^]..I...1....(......n.l7...........k.....
.(....o.u.>J.3..;..A.~..=a..{.IsN_........V...............^;B./...h
.4{.....f.-.A.u.!...6[.....o;t.....t..bE.Xb...6..V..osAr..h.&.........
..._../....0..../w.}....t>m.b..G..j.........).......bF......y^\.[.u
ZfM..'._.=}...g.?......{.............{.Ov.......q....~< .{..GG..J.G
. 6{.......u.....j...G....5..2?o..........7.&x......~<.{J......n?.j
..o.......S........C............Yq.h..Y.W ...h...~..y;$..U.H3V....EN.K
/..........4.......j.A.....o.@.\....^Q.f=Y..^...M.g..W>b.....YS{.|.
F.~.....c.. x.b..q.....o-.Kk....L.|A......=.P..6....|..=z.0....gl.....
.........o.....F.......9.....R.e...?..bY......`.........b<.f..j
<<< skipped >>>

GET /AShow.aspx?AID=9842 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899|505

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|505|1955; expires=Sat, 31-May-2014 22:50:40 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:39 GMT

Content-Length: 4106
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:...Y...W...~.:.E...|.....:_.
.m..?..s..'....-.e...................S...^~..a...5cz................w.
......-.F.......O../9......:'.w~1.k.....7.]..Yu5n..xVM..|...j.........
.>[email protected];.;.$/.\...._.K..~....f...... Ej4........~!u.
Q|..'.......U.4k.......~.....i..y..HLM....%^....?...E..........zT....U
~q.n......3...>A.O>.l.{.....ug..g~.;Dq.>.c.......G...I...R.C.
....;. ..r...C..&Dot...|....w....8b.4@|2.Wx...F...I?I..[..;...........
.-rj..QMg0.....G.....v....uN.A....6....u[.....p.S....]..U....~...C.T..
......]U..?gY.......!...o.....>[f..E.V.x........'.....~,._.........
_.>;.;n.........>.].....;.._.._(.~.~.M...>.?e.U93.......T>
.zu..=0..}t.M.......e^..m.3?s.'~.I]].....Vq...Gw....._......n>...6.
n:..E....]................$Fx^]..I...1....(......n.l7...........k.....
.(....o.u.>J.3..;..A.~..=a..{.IsN_........V...............^;B./...h
.4{.....f.-.A.u.!...6[.....o;t.....t..bE.Xb...6..V..osAr..h.&.........
..._../....0..../w.}....t>m.b..G..j.........).......bF......y^\.[.u
ZfM..'._.=}...g.?......{.............{.Ov.......q....~< .{..GG..J.G
. 6{.......u.....j...G....5..2?o..........7.&x......~<.{J......n?.j
..o.......S........C............Yq.h..Y.W ...h...~..y;$..U.H3V....EN.K
/..........4.......j.A.....o.@.\....^Q.f=Y..^...M.g..W>b.....YS{.|.
F.~.....c.. x.b..q.....o-.Kk....L.|A......=.P..6....|..=z.0....gl.....
.........o.....F.......9.....R.e...?..bY......`.........b<.f..j
<<< skipped >>>

GET /AShow.aspx?AID=9756 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899|1955

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|1955|1805; expires=Sat, 31-May-2014 22:50:44 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:44 GMT

Content-Length: 2549
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:m.u.....]=.{ww..x.........w.
-..........>.._.......^....~0^\....]..{.i..{..'O.b.v.5.w......v.v..
.......?....v..........{..}z.....{..<......'...O.....w....Ov..>.
?~p........<..z...._..a..~.{...wN....:.....2_..sUW.bqA......z......
.....{f M[..yN......zAo..j..E..6....4...X..O.....O...j..K......_x..a..
...O..h...|..p.......~...O..<..........ON....Bd88..twg........?.a2|
......A....|9.f.W..N...Z....a..Q.....~.E> .......{.v...............
.i...WL.f^]MW...].........&.H. ....)}..D....u~..(?...W.AO.....2?o?...k
0........&m..l.S.Q..[..*...~....5.......g.}.^...b..>N../L..eq..UM..
....2....N.....p.|........?.^.z.E../.%...9...X7y}|Ac....h.O......D.Y.\
....YYe...2...:[...n.|V....o.E^G?.@.^]T.].....}..G.....*./'?M......x..
....lr|.../..A.. .Gw.x}vzw..M.5.3.O?}.......w.c....p ..?.?..........Za
....O...J.M.?8x(..=.?.3.s..}...c.t.YA.\..}.>...=........|...{....~.
....N..<...h?.Yvp.~...o....w.N..^K..^K;.0]!CVa..Ye-..w...'..-.?k?..
...?...!?~L....u....yQ.y....E1{...>[d...:[6.$../.b..:o...j.....l..[
du.Huu....-...jy1j...U."o.....o.9.(........iN..F....)....T.&)#.}R...g;
w.`....qn...y.~@\.........h.....HM...>..............O..F.T_UM..z.@.
..l..B.=J.v........C..Q.r...|.zw(Xv..O...j.j.h...G.....a,.X..v6i.r..q.
mG.......b@.>.s.N.uS.....(E......!L..~K....<..G...5..d......B.G.
..Gdt..Y....%.\..j...g..tv.5..X...P..1w.u....u.....H8Q.7.?....2`....w.
..Kc..u!8.$>..vi)...t>...d..............Q.....p.8K.........h
<<< skipped >>>

GET /AShow.aspx?AID=9756 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.myzwqwe12.com

Connection: Keep-Alive

Cookie: UnionADShow=1899|1955|1805

HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Expires: -1

Vary: Accept-Encoding

Server: Microsoft-IIS/7.5

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

X-AspNet-Version: 2.0.50727

Set-Cookie: UnionADShow=1899|1955|1805; expires=Sat, 31-May-2014 22:50:47 GMT; path=/

X-Powered-By: ASP.NET

Date: Sat, 31 May 2014 19:50:47 GMT

Content-Length: 2546
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"..:m.u.....]=.{ww..x.........w.
-..........>.._.......^....~0^\....]..{.i..{..'O.b.v.5.w......v.v..
.......?....v..........{..}z.....{..<......'...O.<{x.........F..
<..;xv.s.s............ ....~..s......tI.........Z.....w.w......l.(.
....3.i....s...lVM..zs\V..-....f.........|._...~...V..X...........;.w.
.|.l...{;...>.{x......>....'.wvN.N....<........;Ov.~.{.{|..).
.d.....!..F..'.rZ...^..T.U...my....j..EU...|Vd..U1#\......o.yq1o?.....
..f5...0.......y..=...?...M..PW..o.S.....16....5Q~.5......U...e~.~vo?.
`..'-..I.M.j......8O...U^.o....<k...]....>.x.....2.}..._....."k.
.HU.-..e6)...........z9..n..?...~....._.K...s....n....../.y........D..
.t..K........e..gu.....b...........~..........g..........uU._N~.>.Z
..y......Y....T._...L?V...~........vkvg$.~..w......x.~....V*.....3?#..
.?L...8.?..>.?.n.".p.P0.{N..g.....8..........z...}`..{..O.>.?...
.....I..^Ek?#...y..e.~.......$...i3.....m...9..v^a.B...&m..Z0....GO..[
...~4.7....-.C~..,....2.....l......b....}....7u.l.I6._...Mu.....<.o
.W.,.........U1.[Rg...b..? ..E....g...s.Q.W?.z.Ye...2..G) RRQ.w.hMRF..
.....v....)1.............!..7UWu..[.?...(f.}..................\.......
....?..H..{....? .............?.x..P..~/.r.I......a....GG..X(.>..l.
T.......n.........}..0........%Q....]..C........3y....)$kJ..L?.....\.v
.....fE.*..GK2........>...2k.u.j...pwc.n..a...z)R...p..o....&Ve...G
..........Bp.H| T..Rp...|.!&..{...}...E........-f..q..I...suu..*m.
<<< skipped >>>

GET /images/main1.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.wgrdr.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Sat, 15 Mar 2014 08:57:48 GMT

Accept-Ranges: bytes

ETag: "50267a32c40cf1:0"

Server: Microsoft-IIS/7.5

Date: Sat, 31 May 2014 19:51:06 GMT

Content-Length: 205786
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................!.x.........
......................................................................
...........!..1AQ"..aq2...B#....Rb..r..3.U....CSs.$T.......4t.%V7c.6D.
..5u.d.'...&e.fv.......................!..1AQ.aq".......2R...B#...br..
..3..CS..s.$45...T...%ct.Dd.............?..5.>.(......P..@(......P.
.(.P..@(..$4[RjJ.-.5%M.<.y.[.Wu.Y.....&.5..z5XM........eAm.]*...BPn
2...v.....XP...a@,(...)...l..>.]..[..c.,}........8..Z.X)ZM...k.FQ..
...u<.T$R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R
.R.R.R.R.R.R.R.R.R.R.R.R...B*)AQJ..../.YV).....0...JH$v........E.AQm)A
QcJ...{M(*R..)BE(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.
(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.
(.(.(.(.(.(.(.(.(.(.(.(.(....)..-.Cm..;.;}........k.k_.EDI. .."..XP...
a@,(.....Y..J.G ..g..$w{.....o<...p.,...6E.....P..@([email protected]..@
(.......z..-.5%m........>.-..........I.~.B.............eAm,]*...'88
7....r...P..@(.Fs.%...-%.....}uyv..ye.?A}..p{.......Ez..o....P..@(....
..P..@(......P..@(......P..@(......P..@(........=X.}.(A..n!....|{...x.
n..'D.F.....bo....J0X.c.?*C..Jc.A.Q..R=....{..c.]...ZR...gE........x..
..;.<..-............[U..z...p...*..C..q....w...p...mk.\t....&a.&...
..P....').QL.o.P...[._...Q.{...Wf..'.~.K.e...S..?...c...........Q.k.n.
.......A.....7.P..@(........n.ge8:..).k.H51.{.M.M.J.%......s.r..V.
<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

If-Modified-Since: Sun, 25 May 2014 06:49:36 GMT

Connection: Keep-Alive

Host: VVV.wgrdr.com

If-None-Match: "f422597ee577cf1:0"

Cookie: CNZZDATA1000386919=448490370-1401565855-|1401565855

HTTP/1.1 304 Not Modified

Last-Modified: Sun, 25 May 2014 06:49:36 GMT

Accept-Ranges: bytes

ETag: "f422597ee577cf1:0"

Server: Microsoft-IIS/7.5

Date: Sat, 31 May 2014 19:51:28 GMT
....


GET /images/xw.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.wgrdr.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Sat, 15 Mar 2014 08:57:48 GMT

Accept-Ranges: bytes

ETag: "a4806ca32c40cf1:0"

Server: Microsoft-IIS/7.5

Date: Sat, 31 May 2014 19:51:28 GMT

Content-Length: 20129
.PNG........IHDR...l...d.......C.....gAMA....7.......tEXtSoftware.Adob
e ImageReadyq.e<....PLTE`n...) ..r..........s..h...................
eioos....q........tb.................................LLM$"*...........
................0E`...PQphH1..................<U.............Vet...
...D3(......qfX............iWMnSx..................fq....=.k.,H.......
.........7:......98.-$...........^=............. !......y}..<V5C...
.......:5..IJ\^]..)..............................~................-...
.....tRNS.............................................................
...................................................................8.K
g..L.IDATx..}.C...7W@ ..&..H.."`....|....v...6.h...}.....E[d...=.....m
w...u....dB...9g....? ........._......n.._...........K..}..n.._...`...
..................v..."O................?.l.O......~z.i.7.S......~^._.
....-..*O..m.....V6'.51.6.ies.....N{...6..zz...}z.l...).O=............
....O.....M....w..Tz.M..D."2E...Y...S..=........G.....2&.?..</...IU
ik..........m....n.W..g<.w...9./D.....lm............`.k.........f3j
.LL......rSn7EYl.S.(.$.XS...4~...$Y:|/N......-. i..........Q%]..N*.-D.
.X`..iD....bQ..b.( o2.......vt..>...$I.%K...m.....=k.[k..<....o.
..l.,..~zo..Th.....t..bk=.....V..H......4....j.r.b$E~..2.f-.j....3.Zj.
.zZNv..  .3.<.......>.....x.Q|...... ~.^8..B....8#....c.;6..C."O
.u...H.........E...E4.......7<Fi.v.....c.H....$=&..k.2.-0Q%.m...e..
L.....(/..X. ..l.Y..y..n-.h&O%..ld...@Hrmemu*...o..b.K.m.Z..lNoN......
....x..............G....7R|..S..W.x)....7x.......U...........8...6
<<< skipped >>>

GET /images/main1.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.wgrdr.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.wgrdr.com

Connection: Keep-Alive

Cookie: CNZZDATA1000386919=448490370-1401565855-|1401565855

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Sat, 15 Mar 2014 08:57:48 GMT

Accept-Ranges: bytes

ETag: "50267a32c40cf1:0"

Server: Microsoft-IIS/7.5

Date: Sat, 31 May 2014 19:51:30 GMT

Content-Length: 205786
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................!.x.........
......................................................................
...........!..1AQ"..aq2...B#....Rb..r..3.U....CSs.$T.......4t.%V7c.6D.
..5u.d.'...&e.fv.......................!..1AQ.aq".......2R...B#...br..
..3..CS..s.$45...T...%ct.Dd.............?..5.>.(......P..@(......P.
.(.P..@(..$4[RjJ.-.5%M.<.y.[.Wu.Y.....&.5..z5XM........eAm.]*...BPn
2...v.....XP...a@,(...)...l..>.]..[..c.,}........8..Z.X)ZM...k.FQ..
...u<.T$R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R.R
.R.R.R.R.R.R.R.R.R.R.R.R...B*)AQJ..../.YV).....0...JH$v........E.AQm)A
QcJ...{M(*R..)BE(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.
(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.
(.(.(.(.(.(.(.(.(.(.(.(.(....)..-.Cm..;.;}........k.k_.EDI. .."..XP...
a@,(.....Y..J.G ..g..$w{.....o<...p.,...6E.....P..@([email protected]..@
(.......z..-.5%m........>.-..........I.~.B.............eAm,]*...'88
7....r...P..@(.Fs.%...-%.....}uyv..ye.?A}..p{.......Ez..o....P..@(....
..P..@(......P..@(......P..@(......P..@(........=X.}.(A..n!....|*;O.R.
o.....W.{..a{..h.$X..).jE.Arg......S.[R..(Ct=))o...'R..M..<...@(...
...P..@(......P..@(......P..@(......P..@(......P..@(......P..@(......P
..@(......P..@(......P..@(.......Z0.....s...f4^.*.w*.&(B.....H........
9...P......P.NC.L&.vM.,u..{}..........%..\HZ..(.F.&.....$...C!@(..
<<< skipped >>>

GET /15/index.html?ida=AHSG_126_29_26&idu= HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: adm.qule.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Last-Modified: Thu, 15 May 2014 04:25:56 GMT

Accept-Ranges: bytes

Content-Encoding: gzip

Content-Length: 2403

Content-Type: text/html

Date: Sat, 31 May 2014 18:15:11 GMT

Server: Apache/2.2.10 (Unix) DAV/2 PHP/5.2.8p1

ETag: "bdb8439-196c-4f968b1751d00"

Expires: Sat, 31 May 2014 18:30:11 GMT

Cache-Control: max-age=900

Vary: Accept-Encoding

X-Cache: HIT from CTS-GD-212-18.fastcdn.com

F-In-Cache: father-in-cache

Age: 693

X-Cache: HIT from CT-ZJWZ-251-71.fastcdn.com

Connection: keep-alive
...........X.o.......?.....c.g...m....PB. ..As.s.k..cv.g.,9(I....Ph...
.....(_...)......}3...w>.iE.V..w.3..{o>...73.e..c..px?r.....;...
.AeX#.&z....3.....`..6..Xy.n....2..4..Y}~...Yc~..../>l>..?...r.5
n..K k...].t........2..T~.}2.M..zH.HCV.0..>9.%..V...~.4..../_^....o
}..n,|..}.q.^......(..-.o>..~............".d..IdQ...0....{.*...4a..
/...R.?......._^\[.._...^}...j!^........?m.... .q.y|.z<......j,..vk
g..N2.../o...v.i.Y...6...P.]}.d0...y9R..f.B..E|.u..{.......6s.3B].e.]x
.mG..........K.... 6S.A.L3s.Oa. 8z.0E.j........"..m....>..c...~_#t.
(.nP.....`..X..:7-_.^N..A.....R.RGGHe.tU......4.M.....~.......}g~...Hs
..0...[.i5...:...Y....|(.....J.....n`......W.m [email protected],.e.x.i..ey.....
.`j9.\}3..#.NS...V.......Jt.X.M.........\Qqpv)o6..............  ...wp`
{.*.9..........At......zVB......Lx...#...a..<%..R.ahs.i...k.Tl..7..
W..L.9nd...5......-Y.?S..:.k\{.~....GJ....x..I.....'B... 8..).%..b....
/wW_.n|.@....^.$....j.p|.<[email protected]..^....:.c8.S.J....nn7 .n4.&
lt;m...M.&...}[email protected].'....#|[email protected].;..:...n.U..]....eM..
#]...t.=..9.,.b...~..:.6..}.N..]..4.<m.pV......\.....:..J .|#b3.1l7
._......nm..%.Z.c..gJ.=c.*`b.9.g..2........f.. [email protected]
7.6.n.`...0V.4.z.np...}......I..<.M.QS.I..........6WV.......A.@d...
'.K.....^X..|#ig.\........ }<..K...$T..v,...).Wz'.1.8Z1.{.g..T._ah.
.32.).3vFX.......1/W1.......<..XPa.o...` ....f......|b...5.........
_.....a....kg...\..A../.w...\k.-...W('R.Or...Z...gq*v........m...9.6dQ
BH.d.....m.XT.Q...y.{^.[..$2M.xt7....*.s....t.-m...NDaP5i.....R..6
<<< skipped >>>

GET /stat.htm?id=4693566&r=&lg=en-us&ntime=1401565851&repeatip=3&rtime=0&cnzz_eid=964028690-1401565851-&showp=1024x768&st=-17581&sin=&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&rnd=115457607 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.cfmogu.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: hzs9.cnzz.com

Connection: Keep-Alive

Cookie: cna=niARDPK2920CAbhrJiZfzYxx

HTTP/1.1 200 OK

Server: Tengine/1.4.1

Date: Sat, 31 May 2014 19:50:59 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Tue, 28 May 2013 02:57:17 GMT

Connection: close

Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..