MD5: 7d175bebe848447d913c89b693398444
SHA1: 8106cc410737ab490043bed29a9c8a5489547171
SHA256: ae44d3fb0b6a91f5bfca23befbb5df5a94da9c2ccb41737d48b443228d16cb18
SSDeep: 3072:L22ihA0m3BJP0v1I8P PIMg6FZfuXSPB74urHGzEvEEoNzrNYNW:kA0m3D0vQPImZ9Z71PvHGnmNW
Size: 162080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-17 11:14:12
Analyzed on: WindowsXP SP3 32-bit

Summary:

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

%original file name%.exe:388

The Application injects its code into the following process(es):

biclient.exe:204

File activity

The process biclient.exe:204 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe (33827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[1].png (6743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe (1482965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.6 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\tokyoLightGrayStripesBG[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.0 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.0 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe (69286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[2].png (3856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[3].png (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.5 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\search[1].png (1941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.4 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\eula[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.7 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.0 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.1 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.1 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.3 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[2].png (3856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.2 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.7 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe (12251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.6 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe (37231 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\eula-couponalerts[1].htm (2739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.2 (173869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.4 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\deals[1].png (3242 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\eula[1].html (535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\comparison[1].png (2902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.3 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\title[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.3 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.6 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\vuulogo[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.4 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.7 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\vlc_48[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tokyo_sprite_full[2].png (3164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.0 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.7 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.5 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[3].png (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.5 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\vlc_48[1].png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.7 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.6 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.1 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\eula-vuupc[1].html (3323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.3 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.2 (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.4 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.5 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.6 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\eula-couponalerts[1].html (1756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.0 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.1 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.2 (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\eula-vuupc[1].htm (1187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.1 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[1].png (6430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.3 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.2 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.5 (9496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\intext[1].png (3032 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tokyo_sprite_full[1].png (7067 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.4 (4152 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\eula-vuupc[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[2].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[3].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[2].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\eula-couponalerts[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\vlc_48[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tokyo_sprite_full[2].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[3].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\vlc-2.0.2-win32[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\vlc_48[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tokyo_sprite_full[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.4 (0 bytes)

The process %original file name%.exe:388 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (8002 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\config.ini (113 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\config.ini (0 bytes)

Registry activity

The process biclient.exe:204 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "biclient.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1337851866"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 DD 4A A4 FE 5A E5 13 F1 2E 72 B8 11 9A D2 6A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:388 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 6C BE 5B 03 3B 50 70 C4 2B 18 36 6D 6E D5 D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\biclient.exe,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.0.0
File Description: Powered by BetterInstaller
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2730
7f6d030a23f210ff0f767468fe3edd48
fa7e5a8f6509f2efbb01ac5a236034b8
53a5297877cbdca899ffa6745035aeed
f3f1b4b521bdcbe4ccbc328e6129c098
1d4fef6e13cfb2ddfef0c6113176ceac
1f7b0a4e643cfb301bce3849aac4c8ee
55dab0936ca99046a454f13f990ee64a
61db9280d7487329fdf0bf213f40a1e9
ccd2b097f248033699638bf3d290cf6b
33d087e5f0ea0990f7637c53301425fa
d91d1e82ff2527b4a733c2bc445cb0d9
ece1a6bced5a8ff1bdd2293b0529a55c
26d1a544efceb81568651e783375f9ed
e20e1e08f1d4f20c6eebe696ae6f40ad
c31c526f2e00a8efba4a2da6be5192a1
2006de16f00e43bcc6158c589d4933c2
e9c96115f560873d2bac22333d77367d
a8ecc965fc7aa4e5c2fa13655ebdec5f
3ccc4db9bf6a452fd20028b26b3d33d3
ef08faf65d8005015005c9d92c9bb8e6
57b1b7298d4a3ea152d88f4ea26eaf2e
3651a12a829565506e1db929c9214a06
1f8395f819025f7d82c7fef9715be99b
333491618f653f08cacaf9094a606fd0
4b9e5b04e53f004bd49120872e3af146

URLs

URL	IP
hxxp://d3rs1f9x4ymprm.cloudfront.net/mirror/vuupc/qms.exe	216.137.41.87
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/okiitan/Okiitan_bs.exe	54.230.21.146
hxxp://d2baajcqvc8bxx.cloudfront.net/mirror/couponalert/ie_ff/CouponAlerts_new.exe	54.230.21.146
hxxp://212.7.212.137/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe
hxxp://download.filesfrog.com/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=118442-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 355326

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 118442-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 124cc6d5f89f4e23d6f8b1fa17f323c4.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 66kZ9joJBw4pUHd9iPu52yu8BTuTNAMSdMXNaEBsA5414szFhTCCVw==
...,.....q..d...f.:..?!.vbpU.W.~...O50M.E.`...r..|..e.?....^.......<
;..\.N2<.6.U......>...a..=.....Y,...8.....b.5.!..3.X..n.Y.....&l
t;.6<.?....G\....A..x.c.....g.J.p7...aV..e.V....{};}.G....y..F.....
y..G.!5..@.&....ft.."G...(t...Li.l74.~.Cw/....Sg............Q?....J.'.
....th.. . {....2xy.N.%..." .......1.....9......w....t....P|a,c......;
2S.#z.c.qs.jR.%Xe.....{.M.S..fG@..... ......-..wV..1.......%... ..f...
......z.M..(..94p...M*h#.b.u..jT.~s...I....H..(...B.m...(.T.gC..NQ....
..V..t...n..e..7.HH.......L.9...8?.......o.7;......q..0.#..`.m.z....}.
..o.....0.....l...f.V..._ruNl.G.....?..y....:.%...h.[.s....X._..l$..O.
7.s....7...{W....k....q....Sc..Ge@..[.......x...:U.....\z.......~y....
%......\]..x..R.}...........yV...c./~...g..U....}Y......-ouE.0b....iG.
..!...........N...6..ItI.F8....M.]....Q........3.6g.r..y0.l8.....X....
....sGV...!..<.u.|.E.kQ.>.....i[..`[ ..1P.,..U.=<.a..D*.e.,K.
......:..Lk.........~.o.... %.]#7W..H~...........Z.&.E...b|....{.S..K.
.&....iy.=xD.HL.).x9}F.../J;....L..../s.....b.....2=....s...j.{.?V|...
([email protected]...?...j.........7..........H..A
k..J3N...Y...^D.Qz`\.b.u(....l..........l.wwVO...}}|_.]1..(......... .
.\j........j^[.U|..X9\l..;jk.(iF..h...f.!..!..UH}.Z.WLt......^..<:4
p.....D...F2..JO...j.-g(.._......R....&.=7. xI.. J.Q.H.e..8P=...p..w.-
..a7...;...GK..\......./....3D...4........K|w..G..*JI.I.$......M&j..*A
.`DqH[.....%....r.e7..-.=...7$..u....Q...~...1IHC$.D..9..FMl...`....d.
.}..*.&..`Zw.g.J%?dMk).q,.l...#..& ....................0.........P
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=276218-552436

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 276219

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

Content-Range: bytes 276218-552436/1104872

X-Cache: Hit from cloudfront

Via: 1.1 2dbf18ad71f066e2daa68b9880ae31be.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 8hqKIejNQRGxLZ6I1EslO2e9jzgJECH1B4QISass_bBlWwOlJOf8Dw==
]..#-.h.So.p@.!...=m......T&...[p..bb/.H..,.5!.j!..G....R'v].3.....ANn
Y.[.x....F.U^....8.(v...6.*.....Y..&%._.K%\.E.j%j.{.Lg9qw1..`.e./..]6.
0..|.L..P.... .."?..Gf..^.N4......b ....S.\....RL......R....\......PW.
F.`....=T.J....'2MF..j#....w......Ee.....<Cs?TwZ...n...L.i....$p].F
.%..5..\s-;&.Y.....O...~/..r1.n.q.2.G~.7.VGc..;`........h.;..6n...W%..
a_x........[.....8Z(..q.1#[?.#v. ..f]....G:...W.6.......gP...f)H....|f
zV.....$......i>.F...!!.W9t.X... .g..]..E}....B.JV.....X.}..2i..~..
..Z...c.o*.M&U.w..........Z..ci..l.....N....nW.]O'.....:......I8/....z
..i..%.fu@./.Be...o.|...?.z...B...,u7z...&I........>..4.3G........n
....D...'#.._R.7*..2............OP.y.j....i...K....<........b.*....
N..._...#.rQ....7...6.N v....fv..W...3....RM~..W.!.../.T..V........jtn
G...;..J.0. ..m.*...f.(N.=..`...o./k Rf.n.. ....\[email protected]..\Yg.}.
f....E....P.D........z.....F..*. .R ..W..u<......1,f.#.w}Iu(..3..,.
....Mq~........nn....z.}...Z`.z....5..G'.*Y.%:....]...Q.....X.I.../.3U
}.A.1d.Yd<.<../..@9.....:.K......0..X...{...z. .p..<T.p?.}'&l
t;|....C.g.>x.......2..N%.d^.....-.O......<..`b....>.k.#)...t
.sn.....{s..`:U.\..h..d...u......>......:.3[`...F.s".Y?.4oUz...5...
.xJuiK.CM...U.......2c..Z....F....W(.......L..^.c=.Q.e.K...xyM=,....}I
m1..E....Q..f....L[.H...I.`.'noo.gP.. [email protected].. ....2.},.~..f;0.)E
c`...?H.K.zdKK.M.......{._............Z...CB.K3....tgy..D....1.~66.<
;<....J.ky=3.9.A.W.W].{-..6.>...0.j..x\0Q..uF...(..Nn.E$.B..Yl:.
B.y.E.~.w.>Sq..o.s..l.aG....=.&...T.H .l.'.hW....,.i..4..2hb...
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=236884-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 236884

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 236884-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 72fd608f3ffc532751c11add20a55631.cloudfront.net (CloudFront)

X-Amz-Cf-Id: VyIbHlc7fQWMdmf7PgMoaHtvak0ncVZGgO_cIVRgWaUMcmYA1IgmaA==
.N#.f*..c.A...........K...JNv...q../...&..}X(C...,.......fwrL........2
3[.`...e.:....f/..][email protected]@......$ .EK.5k..}.H..B....o..c..m..>
.?..v.p.....\`..:.bu...9.BXP.q_.p...J..9........o...v.i......\7..E....
..d..$7.|.;t.&t.B.R....4O...l).^3}..Txy...c...D.9ur...a.Z.[.^.cc.@.`v#
.q........W..A...G..4]%).f{.CS.5.. ......2....hZ.R.b}.....{J..\.n&....
RO.y.Dkh..I.lF.....M...u...p"qH....S..8.d9.....4....`.c...[C.@<.r.%
...-......[]........Q..a0m...........~...z........=.A)..A.z.7........\
.>X../)G.8..F..e.o.[...R......:...........^.(&Y.:m...*1.z.Q.X...;q.
.=u4!..}..f....=..m....H8,.|.....e.##.,....... ROY..c.`......F.u.E.o..
.......Df7.$J.W....z..0Ynp.8h.DT....#.nJ...EQ..g..8f\5.&.la...e..T.D..
9.>.2.....2..K:..~.O<..)..............\.....$.^>..n.....;....
.=A...6=.....|y..5.\......wm4".M<.....G\.Q...T...#.UwPt...4./../..A
N....dPL.b..-...;..j:......#;..........6L.....BvHK.g/-..$e...6$..Y>
BB..ob4SX...S..b..e....`X.&..jc....;.'.;f.y..._.SH......7eeM..H.n.....
q..Nq8.......h.! ..%I~.. ./..qL...HC:..Hg .....p..D.*......*z.P...[yr.
.{b.2....:g./.`.f.......B...4s9|..s.&.....r0...'7...\..;QO_..Lv..S...8
2il..gJ\s8.n....<.......X..|.F..a..M<...ZK........~....]...l...D
...T..=O..D.).'....~.a.D...).6S.Z..S.j.N.h.Y..D#h$.t=..Z`Y$...)}...90.
T@.......!#.y&.S)f[&...L..c.........D.|..`@7.9.H.F.^.H..d<.r..V..X.
..G..~(..a.F.^..(..N(...u....`....V...J...(.OE[31...yM.....".x.?.V....
...........&.......;..&.(....P...I..w..Z.....^|...c\i..(,[email protected].
..4....k2t...v]@.UP......D.f....?[..M8.....(.....oG8..:.`.Q.......
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=57589-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 403123

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 57589-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 f8b39675eac44b97a6b28ef50d3d59db.cloudfront.net (CloudFront)

X-Amz-Cf-Id: dguL9d08yrdUja2co5DzK0BKqdGMpCmqG-xAEkocbna2ZVlIZfJY2g==
.a.&....H:.....%`..c....N{&..?..r]q.`.v....nQ..../..W..3y)...D;.j?.e.C
 ..V.....j..t../...K....`...m.....bM(...V..11....yb.%...w..... ...`t.%
g.(Fa..Thh.EE..,,D.c&.CO...#..t.(. l....\'.Z....:._*`P...u.1...4gD..l.
^.(..O..*.........y.G.)Yr.lB..Q..1.w...$=.n=...Y`.....<.>.F..Y._
c*d..:..ZL`[email protected]....,K.}V.....B...O.z..\vz{..6..T7.d..g.K.
Ce9...([email protected]....}%.2..P..6.....'..I.K.|g....}0r.*Xs2...b.I.u.
................A.4`H..h.`Y..Da.f*I.....'..H..Sg;#..A.]-vs..KL..(.....
DK^b;G.%.bJ. ..#...WR.........U.;._.R.|./j.X..tS.....cJ.2.......4.$.N.
....|$.-..#.`5S.ES!89....Z... ...'..8&...Xy.x....q..`W..#B.D..Srt.#H..
.? ...\...A.... Jf.Z"Yr....P...V.....<DuiN.Q.....Uk"......`....^...
.p...'...=Tz~&._\.Q...1.}'A..7q.a>......t.gA.R..........B..>d..W
.rx\jr...C/$....ot.X295.<>&B,..&...DEIF.....a.`.l......Z..Us..K.
..Z......&...ufl#.)....R..T`.0.{`y.....$.......ü..VnQ.^.^j..q.......
M..v.)bQl..S.bV.....,>[email protected]...`L.k..^..GR...1...._U.
q.....x..5.X.U..PW._.kl....b1-}.7$. &...2.....]Z..$........k.t.5.,.f.o
...CPN.%P.5...zH/"..L....P,C.y.Q..V..>.7..z.1&.....Z.....h..8J.T.~.
...D...... ........J..HQ...P...Hh.m.!.X........I.'.o'.X...)wgR].%)].."
Maq,.`'.)..V=@w p...r>N.E...z...w@.....[.L`..6.$<.*.s....P.I....
.OB.YG.C.^[email protected][email protected]$.{.Q...(Z..m....M.b.i.h....zd..!/.j.11{.....
.'-....Llf\...@......./.....R....Q.x....$.0E.. i.>...b.X=.{U...nf."
R...@c.,...r..........(...NU#.s.M..fHO...FU.!..@)v:nv*MD,(..d.>....
h.%.....y...ZSkx..A...%1.*..P(..".....J.tDmWr...{.....a.3....e0`.r
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 460712

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 cc6ca0e3e6cb30bf44e25b4521fb51eb.cloudfront.net (CloudFront)

X-Amz-Cf-Id: UTu6m_6EWnLJqF45eM7GBA8PrX_AmN1xdicb-74HK1a_9gpdTGm0Ww==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................t...z...B...8............@..............
............ ............@.................................@..........
......................`...............................................
........................................text....r.......t.............
..... ..`.rdata..n .......,...x..............@[email protected].... ...........
[email protected]......
.........................@[email protected][email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=8486386-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 14143975

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 8486386-22630360/22630361
BVX...P1......"....K....x..gc.).I....L....%M../.G...Gh-...RQ.6.....M.a
....#.{BY.x...\.8.:...].&...).94ip.p...=z.#....p... .O..c....=..9.....
|....&&......P[..........r.3..[*.....m .(..".b...'....}.$)...=..![..&.
_.h.......XXe.~.Y.......L..... ..x..Q.....i......d..-...y).N....R(a../
Gx...0Fr..~.AG.w.c.Gr..^....=.....g...VB.O.5=.&<...y.ua.(....T.!Dh.
... .......g}.1.c..]..9...H..E.5q.C.......C...sy.F.W....Mj5......@?j..
Qe.E..K........O.'...a."X.Q4..>.6..?.%`..o.B..K.._u.1F...G......[.;
..x.....r.G.&#..f.i....'.....!..u.:)..&...'.j.V...8.2......C.....fFO*-
[email protected]....._....|...{<....b/."..GF.I...3.OH>,y\... .....
{[.P.Q[..o.F.QC...%..l....... ...sQVk..o9........4..8.....g`o...sG..9b
u....]x...i.X &.;.6.9;.....Ha..F....".>.r.ti.b^..).y..!..p....|...6
).._BoY.3D...".....Y. .t1'[email protected]...=..r...ny.3....)&..
P..#q......<..b...X..LB..I.T\..e'a.06...XdD.h.Al...8Ir$..S#E8.....T
a&..v..vs-.Z_.X.:....B.........XA..F.@._$.....j&^ ..9m..d.W_.>.k{b.
..B.._..nO.8%>....H.(Q.E...j...Q....;Fa..4.c..ik\....{../.>$Rj..
...#......KLB4Ql.:6.q.T|.Ea........;......~.1H.,...,...p...#.?........
X2JRn...Re...(.a`.....f.....F.(5-n.fN..d..._.x.F..i..._....]y.d...{R..
.J".0vh.:.B.."..y.....#.i.o.N...CNC.!..{.R....8.G#.2..S.vH)C;~..>.B
....R.Q.p..;...F=..ry...........=..z..<i..JpT..... =....5._...H....
B.."......K ..8.0":...!...q.......;....].A.I...Ry......U;..9......&.32
T..t....X.q.....t..w$.mv....~.b9...e...7].....3...wm.G"#...... ._...n0
`3....]..B.Qf..\...._4...c.9.ae.U.r..M.m*.....X.T...N.wyu!.sD.~...
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 22630361

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 0-22630360/22630361
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
....................................................................s.
..........^...........................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@[email protected]........
[email protected]...@[email protected]
rc....^.......`...v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>[email protected].>[email protected].
P.u...Pr@..}[email protected]... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected]@[email protected] [email protected]..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 22630361

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
....................................................................s.
..........^...........................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@[email protected]........
[email protected]...@[email protected]
rc....^.......`...v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>[email protected].>[email protected].
P.u...Pr@..}[email protected]... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected]@[email protected] [email protected]..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=296105-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 177663

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 296105-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 2d1e8c33c3b76cd1ba00c1fae27b1dd1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 4m1uuhrQic7s8qfDmXrCUygN_CL2nm-FQnlHp_9OIGbRVqwK-U5aNA==
......W.yG....Ma...QL%f.......Is..x........F.W....I.....-..`.._...o...
....6-.&....`/.=.."8..)...&..0.WX..|.......`._......j.._5R...O.3..2^..
i..........)M.....4.%...>..D.<j...v..[....0.......B........0rn..
..^1....L..gq.F.s.O.(...?.....R.......W..\i..!..=..HwB)...QB..........
lf.....kI].0.N.....1.1....j!@...,..K..x'zL=P.L......P.T.Q.....SU.\.={.
....0. c.-..Y#.H...Qg'&.1.*...(....L.;F?.$>........V..}...0~.6.=.w.
..!Vn...m.].....%u...R.=...F..hz....M.!...] r../.'.....ng.......c.g.,.
..E..*....<.[c..A......~.....xw...H....1...')..1.*.....dAH.......OM
.O...[......i.j)q.B..#...&xQ'D)EE.K..`...DQ.x.k..._.Y.X...:{<..!...
!..L(1.X...29R.w.*......o....g!....d#..{n....~=]v.l...e...a..I...R....
,C....}........7.....4...D.. >..h...*.).......T......bk..A.:.]...u\
[email protected]....}.C..o....*...W.Xm.Z
..)*......j....?..@q..<...ZTlT...5v......9!G~~`........Q$....X.....
.....?.g...X........u.v..-..^Wa....L...6Z....8..w<c..........E.*...
..........`k]....x..O....r..U......;...A...0C)so7.....X.4$.Nh....\EN..
... dU.....t...i..?.....w..:.......e..........O$..b7.@f.=.&...E...A.0k
b|......=....N..L.........]...q..........qW.0.{...z..B.....j.I.=f.8.6.
.T.......Tg...T...c3.j.mQp.9.S...............V.....N.B..!....;&g......
5.....e.5$.l._..%'O.]....k.Ka.D.|....QV.f.YQD..bF...r3.b_.....s$...../
..!.y..G..[......vvi....bj...m....^./^.C.....n0%|.oz.d6...G.xF>.^..
.7.....]:....H.....$ny.......~=......R..N......E>#...}.v...R.Wu..6.
..~5\S...q....\..k...B..r0y.HH...(s.>....f.-(.E8.C..2M...`..fO.
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=828654-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 276218

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 828654-1104871/1104872

Age: 1241

X-Cache: Hit from cloudfront

Via: 1.1 5f563e9cc429ae122dea88398bde34e7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: al1-o7gPggpkuWDnKj25fqdJ95Ct6HLmzj79fo7_Pdc_3Zqpqs90sQ==
..a...[...>.&=..................T..{..~s......C..X........75..h...6
..0.[[email protected]..?...'...p...y.D..S#....d....k.........LN`.QAW..&
.....D.>.... .CW:xI...kB..i...G...N..r..~........V....h|[email protected]
.:..S..p3...@,..Wm.Lo..F..Z8....#|."..O...4}N.O....q....'.O..j..T..[]H
z/U.C6..T..z..M.....q..........>....1.%j.B4...o...*.K.......ox..~C.
?...#Zt..N...:e#.K6[xz......\.....8..X...2H.F....... .h|...\..~...Ew..
......qUb.I92..u.HB..C.....t.5.....:......|.w.s*...Hc_c....a/........;
*......'.|.o....e%.... ........Z&IW2..LQfJ..E...AUb.x..D/&...:..D-...&
gt;.H......J..;[email protected].#.....0...B.JpZr....T.. nI.
.....`....^=.....h.H...eZ..d....y ..z..3....AYo.....~....p.:=....'#.`)
n.\.|...g.[M.......Z.URJ.t7o)........v.....(.. [email protected].`]a..*.H
9.E......`J....m......u.bY.(y.j.u.u....Z..^.b/}h..i..2x.=8.]..}..^....
...d......6.^.m._N...4.......)./..k.....?Z.v.jW...........#PC...-89..N
.T...... I.`...)7.,......f....LR.M.f..mN].....d$B.)...........gO._.l.v
t&..)#.h.$.G$.Q...8b0].).L$].3...i....XB..%.. ^`..-..Z..m......,.L=...
..2m..4.&..T.J.:@q.|....Qc....0......{.S...%[email protected].>.....Z......3
g-.4..,..:b.i.yO.T..<..}...o...mikGo...k...n#R....o.... ..s.f.e7../
...{'...-.VA...E...;...c.t./.#(\......e.0c.....`.^.~.U}1-...=...<..
_z"..)....a.......q.1.6..9Z.C.<...r&...t...71fff..UaQ.;u,.....u.m..
C0r".i...x.....a.Y...M.3.{...;......yv..4..Y..C0n.....-.UV".c......lk.
....s.n.K....i..A..? ....[...RN....>.{.B.p..Z..\.A$.....j...M.p....
]H._.b.X..UV..,.p...........^{.?Z..C.......3.H..3W.....}R...!%....
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 1104872

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-1104871/1104872

Age: 1241

X-Cache: Hit from cloudfront

Via: 1.1 2d1e8c33c3b76cd1ba00c1fae27b1dd1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: KjKW-mG_vPOUDeJ69wit_S9YpDBgcMzNW1ags-htJQdmFUCGvOvQfA==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L.....AO
.....................P......'C............@..........................@
......*_........ .........................................8...........
....0.................................................................
...........................text...D........................... .0`.dat
[email protected]...#.......$................
[email protected]@.bss..................................0..idata..................
[email protected][email protected].....
[email protected].............................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U..WVS.......U..E....t...F
.........{B..H...H.......M..E..5H{B..D$...$....B..M..E.....SS...E...$.
D$... .B..M..E......M.WW......M.)..M..NT....NP........E.....}...VT....
....FP..E........}..VP........U.......FT.............}..........E..M..
.$..|.B..E..R...D$..E..D$...$....B.....<$....B..E..Q.}.;}...Q....~X
........F4..$....B...W..........$.E......E......D$.........B.RR.FX..$.
D$.....B..5..B.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$..{B.
....B...|.......T$...$..QQ.<$....B.S.M..E..D$...$....B.PP1....D
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=552436-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 552436

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

Content-Range: bytes 552436-1104871/1104872

X-Cache: Hit from cloudfront

Via: 1.1 2dbf18ad71f066e2daa68b9880ae31be.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 1ZgsB6E-Y3_3Rknlqf82HGNsm8qtFL8fjAzoocfRzvswwpdm6C5d_Q==
.2..... .?LU.H...........(......_..h.....h1..]...5.....%.].9.6.6.....l
...^[email protected]..;o...>][email protected]._...`.m.;ca.s....Y..Ti.q
...Y......I.._]?....3...j........V..Z...Ey......%.\.is(...@../.i/....T
x6..."Pd...n.l....2.>..a.|...V}.(...:[email protected]
[email protected] ..Fx..X.".X.$.Lw..I.D../........Ho..4.....{....w../..."._^...
...q....W..]Fx..1*....#.^.|...*M:<Dh^..)...a..~.G..Ms.XX.".7%F...@.
..[aUUn.,.......n....:....Z.$..l&..7u..V.sF8........)...f.6..3.G..5c.U
%[email protected]~.J.... .L.v~....(*SP....)P......R.....W.._..8..l..m...m.v.5.S0
 Ri.i|.O.u....b.......\......'0T..(c....~....a...e._7.c.&..k...o.H*r..
.D.j..&..X. P/!2.....2......3M.F...|xz...v...:E\ ..F...=.....LY..V=.#.
.1}...P..a..\.m#..Ey.7.S.i.<.?z.q1....x......gz........S.Qu....,...
...,[email protected]......@V
!..q....m..\....'..|'N>...Z..y.qiD..oI;oL..p.gc..t....M...~..-O...l
......K.=..NH..S6w.;.E....h4../...%/.G...-...|..'Y....>..6F.}.@X...
iu.H8Xwz.....`.G....F..m].a.... ;(.x.l.....,..^.........-.XH.."..*.CT.
AL=t]...}..88V....5.S....vaL .t..#...j.RY..u-@........&Q..D...\..=....
...q.F....5.5.Z..\F:.....pw........F...s...3m.|U..&....E..ih..T....._d
lf.`.m.$GJ1..)\....?....6.......P~.M.{R....KtSF.p$...".....V......!.F.
..H.....Ft%..r2..nb%u&.t..PgZ!(q..(..B.r...^.5.Rw.........$... ...xdt.
qd.Bu.i.Y..hN.~.......Z......ME_....4....^1Z.n..X.\l..?.....I..:..H...
..|.J1Q...%f..`....1.'(.f...n.$..<a...b.....9..D..........*...2..bK
.....(?....d..M...(.q.....y.Z!.M,p...]...X=.?u.._.e....{....1~..1#
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 22630361

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 0-22630360/22630361
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
....................................................................s.
..........^...........................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@[email protected]........
[email protected]...@[email protected]
rc....^.......`...v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>[email protected].>[email protected].
P.u...Pr@..}[email protected]... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected]@[email protected] [email protected]..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=345534-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 115178

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 345534-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 b9583b279b437ba8b13c8b687aba6394.cloudfront.net (CloudFront)

X-Amz-Cf-Id: zaGnAXdqcedioQ0Ku0wkgc7wf6AS68eECubC-IhDazhW4MRsBrUEBA==
[email protected]..?U*.,.g.M..ua......*.........s.Rwd....{..C....
}... .F.Y<U...1.[..>.m..3..L..OI..rqrR...^...b.fv...icA...-.....
...:O.......{.'.Q#...V.~..*.81..z........O......c.............'$<..
I.4..3.s~s.K.cr>..... .........7..O^.(.xs....Nnj....9S.5.P......c..
.LyA.4V......R...,..,.j~....W.N`.W6.\Ky..........:....O.<&.A....(._
q....h...FZ...r).[=.,...T../:*c...-.]X.....x....I.7g..... ....D...KfQv
.i!.$....I.]W..x.?.Y\.u...=..:..D............2.. ...h...bo.......h4...
...{<o...4......2...B.#GiC....={..>.3.^M.................q....t.
>.v8.S..1.........s.~.'..h.........Z....n.N..l.?i.8..8K...0onr0...z
..`.z.s...A......Q.,.......[.........`...H..E.m.......ty..^........W^.
......sr_......H....:9?..0..r?}..y..SA.X.....J......wL/.T.@7t.|*......
.-. ...UmzI....j.K..E>.?!5....=Z./..d..h.fpQ.\2....P./|...d d.Q~..9
.5?w....hq.c....&..m..\G1..W.'F..w.[.uX........z....Rr.........QJ]..n.
..... jO.[D*...P..8..*.[[email protected]!-&..EO........b.}"V...0.........
.S..p.X<..O*.N....y...,#j..K.....D......u>.hwRk.....z...`.>..
....\.gI..1C\ ....Ad.D..?..[.Fw-.\..........R.do.UX{j.?.RD..#|.......]
....k........H..9...Jq_...j.V....X.[d.......wD. .x.L..k~........4.?.p.
.M.].d;..TGq...q....{&.....l.....$...\.\.............3Y.N.r.........l.
...e...........T...Rv.I..|....~.......#.....VHV......$~>5PS].C...h.
...{..r..S ......G.m.G7p}.:.".|.\./. r....$|.ML.....J..).L-.*....q...v
...p.j.aL...-..z.O.?..Nv7o......,8...t.r......P.K?..3 ,\ML.T.........*
*.[...0'..R. .....^.sH...U([email protected]...,.?H:|.~.......3z* .....
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=172767-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 287945

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 172767-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 b9583b279b437ba8b13c8b687aba6394.cloudfront.net (CloudFront)

X-Amz-Cf-Id: DOvmiR0g_svDdK6qLjPRr7mDhGI7aFhC5mKSF349PaT075UqvhDraw==
../......b......Z.D....w.S..4-...m.u.|.....6..1.*.).T..-.N..FL..cp....
...'...JQ...`....u.8k...G_{..h....N...YK./..b..(......<9...I.p.V}..
...EQ[.....Fd`r.zc..1. Y.(l.....H#O..m.`...U.g.s..xH..).QI0.G.......s|
$xE0...v......d>..J(q...I..a:...S..g.K..6......%.".4l.x9.......{%,.
...n`.^..1.u...[..S..wi.7">.G.h|.D....?..B......Q\\....e.......Z._.
S.Dqe.....L..j..MV....b_=*xu.X. |}.'?.$...!M"y>........=F.U..1.&...
..!.:.............L....^....f....\l.r.................r..F.W.9...9....
...=..n...,j5.x....y0.^...2 ....(Yg.*Ya.:i..ve....IYRQ.)v.c.!6.#.<D
>h...oA\.W.u....|c.....6...W...C.....:t$...M$.Y<...z.4. ........
cEZ.!.sH.....y......(........4........W.A..!_...JK3.t...F...Q...|..H.D
z.X....l..w'...:%.v.?I....~.<...?...........T...)|.v....D*....Au...
.....&...S...p.S..{S.G0.?)S........M..........L.g..'..%..a.h.....`c\!o
..q....q)`..K..7}).......K....R^.....&(..x...".GR...V. VP......6.P...y
...{.B.....X8,}\..#.:e.? y z8!Q.]..2A..)T..>-.....dV.C.*....f..}4..
A.1.,5p.%\...A7.LF....m.3....m...}[email protected]..
~...}................-1Cq....$C.<..x.....O;...{.f..!...8o.8....<
....qH....0&z....Z..y.s);.}[email protected]..$m..F..)....X...E.. ..8....}z[.
(T....s...e..\J.45...q.].u....^.;HX.>H..q..~8p.M;.. *......lkU#.C.C
..'&8..J.;.&.P....=....L..u..."y...=..."..Y......i.....<.8.6x.....`
.R..].U..x^..Q.f....(..M.....|....C...t$".....<...L.g...A..y...0..#
..'..u8{.^......!.#..3.....1ay(..y.S......N"... .D...g.K$..F...$.....&
gt;..g.s~.H..U....Xt......$x.w........2.@2I;..}..K."r..9}..{j.=a.!
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=59221-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 414547

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 59221-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 124cc6d5f89f4e23d6f8b1fa17f323c4.cloudfront.net (CloudFront)

X-Amz-Cf-Id: u9PIsDpMGt7WE6TDS1ZiKsphJLeFchmwDmW2xah9X8dlbxFjLR-wWA==
.`.z...I4H..l.*B..C.O..ZB...l...,.w./....!D.Y....<N.....0*.|.R.....
bY.......I.....UYm:.....)V....r....o)>...b..8.P.vM.w...5"....P.J.V.
.......\.V..P....:Xo'.o...:.A....N.......fN.9..h9G.^j.>/YN.... p@.&
lt;r...#....R..4([email protected][email protected]....'
v|./z.P...-...A..F......C.ae..<y.......l.i.Z.N...b.R.;....%..g...w.
...LE.......(F....c.Jy.V[.'.}k ..:....{..|.C.'. ..<...'." u...z`...
.y. .n.{.~&..V.?s..$i...s.$_......3.A..)~r..TN.v........7.RVq.s5z.y.5.
a6<...1.....b.T...2......6*.mx6.........3.f qX...~I/...F.....(:P!.)
.(.qe....Il.3...*Za.eBb....\..f.$).`.}......z.Vn...|..L..b..3..wn..!..
......iu.^........n..U........0l.!.......([email protected].*...[c!..$..w.v[_~.^
.".."Hz...j.>.c>....{ T..j..|.Z.6y..Y.0S....3..2*......G..Is....
.....rX.l..M.2.W.b/.f.u.M.T...cn.0).6(.......~.."5t....ly...e.Oj...y..
..)......f. .m.....aW...R.......!\..`p....L... ........J........u...:.
R&.u.j...s...~.......3<^#&c....N.....j....;.^-.p....<......Hk__.
.'.....?....%i"_<.#........Z..dh.^"p...B..|ROd.. ..r.t].G..u. ._.F.
..<....}..ms.L<LT.r\..... ........C....a..r..N.=,z....h:E.6.....
......4...6..\...0..&..b8..A.%........N.G2s...}.|..B.Q.L..2...r.H.u...
....w..T..._...e.....oS.T..b...}...I.Xw...U..I)j....v.-.r...q .....w.F
......$N.n.W .........~..i....R0c..0...s.*.....45E.@.....{i...........
i6...U.*[email protected]....^{.Z...K....(P'<.4.S-6.........(r.m.M...
Q8.e..!.$..E.......M..a....z^Y.*kt.......... N.&...6G..qw"*[email protected].]
......(.D..Z;.. b....y...U.=.z......oD....mT\...l...y...q...1K...!
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 1104872

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

Content-Range: bytes 0-1104871/1104872

X-Cache: Hit from cloudfront

Via: 1.1 5f563e9cc429ae122dea88398bde34e7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: RSZy7DII2o-2MuAjxxFfu4DdlflJFZghW4EoGPaH4Ed8RbIZAyZjew==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L.....AO
.....................P......'C............@..........................@
......*_........ .........................................8...........
....0.................................................................
...........................text...D........................... .0`.dat
[email protected]...#.......$................
[email protected]@.bss..................................0..idata..................
[email protected][email protected].....
[email protected].............................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U..WVS.......U..E....t...F
.........{B..H...H.......M..E..5H{B..D$...$....B..M..E.....SS...E...$.
D$... .B..M..E......M.WW......M.)..M..NT....NP........E.....}...VT....
....FP..E........}..VP........U.......FT.............}..........E..M..
.$..|.B..E..R...D$..E..D$...$....B.....<$....B..E..Q.}.;}...Q....~X
........F4..$....B...W..........$.E......E......D$.........B.RR.FX..$.
D$.....B..5..B.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$..{B.
....B...|.......T$...$..QQ.<$....B.S.M..E..D$...$....B.PP1....D
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=5657591-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 16972770

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 5657591-22630360/22630361
][email protected]...$...........Z.j.v..U.l.....KR......l....EYM...[....#.Ca..~'
...O^.M..Z.h8*......vV|.X.......{m.....!Q... ...Yth.<....:......r.O
[email protected]......,.Jq.-`...O...F.=......~...g...;.....|m.*A`.
PN.2....l...c.J.8v.*.[.....3.Z....f...x`J(.....;..~{...:...$Qb.J..P...
..I....6d......&. .<...4......c..l.. ...3.z.9M..H.Ow...l#..l.....1.
.C.OM..h......s{T1EqZ$..7;...V....'<\.(qn[tq.........MrT".{...Qq..Y
...k6...7....Yqnae.G.spY.dh....y.gq\....K....L.......*..i.&...:5B)...}
J....y..?.|.....s;.R..N..?.1.t1*...H../.../..[..{a.VM...o.........'..|
.LQ...cq.......Q.}?.w...iQ..R.{i.[..D.9.N..x....(v...j,c..:.\...$V....
.-..V....P'C6... .b..9.Q/.....w..4.{..}.0.`. .L..j>5(...].P9..N.<
;.Z..J..Y).T.k|..............~.S.,._v.....]...h.~_W.B..z.U..C..e..}Wt.
......Kz.....w.ZF.......X2V..s..........D.Dd.4..0Au......W.$..z.n....l
w.$R....1.....B?..z...TB.....|8......S..U.a.bG..o.&q.=.9...Gk....!#s !
.1%..g...,....v..Cn.8.!..B.......m.......Z...8bK.b..O.........N..?....
.Q....tb..._.........K.B..v1.^..Y:...i.z.p...G..l.&.....\y.b2q...$.w..
a{.0..U:?7k.0...&sb........t9..i.......}T.... '.1..>p......JM...U\.
!....&V..i..}....2.....1of....._.{.Fr]3.. K.'........-. .A....Z.......
h....='....l..[.h.%W..).......&....eO. \,{..e;z....)[email protected]
.(k..y......pi*.-.n..Tw..Bi.............I.L..@.....@].v.[.U.".Y}n.../.
.>.EE%...V...:..g..."b.W...J..........BN.....:......)$.."...>.f4
.u.$.zt-......9..Jx1(w......l......`...y.......i..N..O.E4_..Z..:.....7
].Q..m.../...Lk.=9nlh.g.-....'.]09....285.Q.r.*;....e..\:L..m.|...
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=115178-230356

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 115179

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 115178-230356/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 19d54739b3d4f58bfc76ccf7da5e790e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: u3ka7wWTLLLI8BGZTgT-X2irIwAfedsBOzT-ieOqCM6lixxjImGugA==
D|...Z.K..G.V^A...i.av=.O.....h9.H.[.(.%...6k.'.\[email protected]...|....'.&.. ..
{[.kz..u5....X. ......V..g..).`..%x.....g.....X6F.&..s..&...Rc]..`.cs1
;..n&.[4U...M.d.S..V`.K..4H!...`...,W5..SA......... ...&...5._...z..r*
. .Z"!...=I*..&&....!.....}.Pk....i..Y..rzP.0...N..Eg...I...w..y...!.V
I..MK..,...Y..O.......h..y.. p!6.M........!W.......... ..n..Uq.....m:{
.!............[O.....8/...>...*./..A...............l....m../Z[..Z.\
.........'....i.i.P...A.w..........p.uS...jW.f$.L..N.<4..mx.i..w.F.
..v[.o.c:K.6.....:.?.I..7..%....@e>jb.y...4..].....,.=.(.<.)O..I
....b$...{..!....n...Xkc.{.3.....Z.f....^k[C.1B?..>....a6.......f.=
ej....]..V.A. ...I.!......!.r....l-.U...,2......4V.UU.!,r.....7....F.f
....<jX.............m..R...o........[.....b....z;).........;....a..
...I....k.kR.yp...-...`W.:.4.wA....c.<.....}.J.[P<...XP.....].E.
.oy..0.b.W`j.]wVXC]i{....... ......=5T. .9...u.O.s..[?.ne89..-pMo...uk
......v3b....61....JR{.}A.p..v,....9.AKV./.T.....q.?..u/.....e....c..2
4.iBf.......6..`..h.h:...ER.Cx.8.......Y]...RBR..*....v.a.....tc.Q..[.
o"#...r...T..g.F8..l.Y%....(.z...........'.R}.@...(..K.."]..'...1) ...
.a. g~...p.....r........'.v..&.....|BA......}.A..Xb..whLwh.E.K.. o...D
......$.&,........B..,..|..0{.h...(..7.G.../"!..;52....wh..5.5..(.O...
w.lpA..Z.".S.[.V.W....=..J....U.......f.O.&7 ..^[.OD........Ds.......E
G~........|l).h......C4..u .u..o_....?g.i4...n.Z...%...Eh.......9..YPa
...,*.......GI..z.QX.`.c.5ZA.kH...C....9m2?$.....(....(9.C.t.....a....
m;z.)..pi......%D..Y...4..:d......B...wJn:.m.\.~t.>.0....F-.:O.
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=276218-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 828654

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

Content-Range: bytes 276218-1104871/1104872

X-Cache: Hit from cloudfront

Via: 1.1 2d1e8c33c3b76cd1ba00c1fae27b1dd1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lX9mU6UmABcIQDIT9Bu93H4n8c-TTI_rHvLa6iJlDAgFIkjc6Ku7Gw==
]..#-.h.So.p@.!...=m......T&...[p..bb/.H..,.5!.j!..G....R'v].3.....ANn
Y.[.x....F.U^....8.(v...6.*.....Y..&%._.K%\.E.j%j.{.Lg9qw1..`.e./..]6.
0..|.L..P.... .."?..Gf..^.N4......b ....S.\....RL......R....\......PW.
F.`....=T.J....'2MF..j#....w......Ee.....<Cs?TwZ...n...L.i....$p].F
.%..5..\s-;&.Y.....O...~/..r1.n.q.2.G~.7.VGc..;`........h.;..6n...W%..
a_x........[.....8Z(..q.1#[?.#v. ..f]....G:...W.6.......gP...f)H....|f
zV.....$......i>.F...!!.W9t.X... .g..]..E}....B.JV.....X.}..2i..~..
..Z...c.o*.M&U.w..........Z..ci..l.....N....nW.]O'.....:......I8/....z
..i..%.fu@./.Be...o.|...?.z...B...,u7z...&I........>..4.3G........n
....D...'#.._R.7*..2............OP.y.j....i...K....<........b.*....
N..._...#.rQ....7...6.N v....fv..W...3....RM~..W.!.../.T..V........jtn
G...;..J.0. ..m.*...f.(N.=..`...o./k Rf.n.. ....\[email protected]..\Yg.}.
f....E....P.D........z.....F..*. .R ..W..u<......1,f.#.w}Iu(..3..,.
....Mq~........nn....z.}...Z`.z....5..G'.*Y.%:....]...Q.....X.I.../.3U
}.A.1d.Yd<.<../..@9.....:.K......0..X...{...z. .p..<T.p?.}'&l
t;|....C.g.>x.......2..N%.d^.....-.O......<..`b....>.k.#)...t
.sn.....{s..`:U.\..h..d...u......>......:.3[`...F.s".Y?.4oUz...5...
.xJuiK.CM...U.......2c..Z....F....W(.......L..^.c=.Q.e.K...xyM=,....}I
m1..E....Q..f....L[.H...I.`.'noo.gP.. [email protected].. ....2.},.~..f;0.)E
c`...?H.K.zdKK.M.......{._............Z...CB.K3....tgy..D....1.~66.<
;<....J.ky=3.9.A.W.W].{-..6.>...0.j..x\0Q..uF...(..Nn.E$.B..Yl:.
B.y.E.~.w.>Sq..o.s..l.aG....=.&...T.H .l.'.hW....,.i..4..2hb...
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=11315181-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 11315180

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 11315181-22630360/22630361
]....XA).'WWGpMO.a.9..>.^..3..~.....&........qK.......0.M]a.n......
D.Z.......l..?m...W...........=2..2..y=..3T.C..OZ..............[.... .
..jc-._....X}.Q...K.Ii..=9....wKy.....I..Mk.}?.Up....?.....7..V.|g,.d.
......U..\....ka....G%......w.. ..I...P.l..................8.....}.g..
....B...ri>/1G.eZ.....T...>....W.....x5NQ9.Lq.....I...?.k.......
...!N..G..kD. .....Q...#........|[[email protected]^...
[.....!3!....z...Y........S........3*....Y$}..4M..G...r.A. BYVUv......
lf.....`.._....M91.|SQ."m.X.i......|.~q..R1iD...z..b(..u.LBC...m.n~...
...TZ.`.%zb/nB.83...X.}.k.......%...b ..g.v..s..lK.v^..4~2........o5T.
<..k.7..p.{...........$.....)].Mbg...L6.E.Z.R.].B.v.l<.&L...sVpw
P..I% ..&...../..M&{.F6...7.y.Mn[...#......x...pR..ZT.1....9.V.N..mW..
!r...JO....fZ..]...-..:.N7r.Opa.y. mAr.$.,.1..tm...KS.%[email protected].^I.
..rM...%.at.b.-..T......H...b.........K.UJk|....e..@.$..zS..*`..."Z&..
G.{L.......N..p.>~.z...5(................;..W.#.=.....*.j..|..y....
..Z.L......."......p`.c.@$.... .H5........F.h.G0Y. ...t@,...cZ...&j..&
lt;..3S.3.......!..i."..$..h......e?.O.Y.,J.^T.q........rA...b..Z.....
...F.zW4....*H...C.g....F..P..o.D.Uv.....?.4{.bB...Z~8 .].*W9...-...._
x.G.W.'{...........R.-.X.XF....06l<x8CO?.>......>. #~_1 JN...
....=...i.....q...d.F...$.g......BSQn,P..G.. fI.....hJ...]....>....
.!.....&aHpMV..g..#%|P..\.?....5.j..7.........K.x.....w.";..pv..,'.(..
...A.>....J?....0...&a...imA..S..~..6...#....]..$8#$.&N..[..W.E...!
oMQ.......q.....FV.....B*.. |./..u._#....|..r.f..F..X....,..L&..Q.
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=5657590-11315180

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 5657591

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 5657590-11315180/22630361
B][email protected]...$...........Z.j.v..U.l.....KR......l....EYM...[....#.Ca..~
'...O^.M..Z.h8*......vV|.X.......{m.....!Q... ...Yth.<....:......r.
[email protected]......,.Jq.-`...O...F.=......~...g...;.....|m.*A`
.PN.2....l...c.J.8v.*.[.....3.Z....f...x`J(.....;..~{...:...$Qb.J..P..
...I....6d......&. .<...4......c..l.. ...3.z.9M..H.Ow...l#..l.....1
..C.OM..h......s{T1EqZ$..7;...V....'<\.(qn[tq.........MrT".{...Qq..
Y...k6...7....Yqnae.G.spY.dh....y.gq\....K....L.......*..i.&...:5B)...
}J....y..?.|.....s;.R..N..?.1.t1*...H../.../..[..{a.VM...o.........'..
|.LQ...cq.......Q.}?.w...iQ..R.{i.[..D.9.N..x....(v...j,c..:.\...$V...
..-..V....P'C6... .b..9.Q/.....w..4.{..}.0.`. .L..j>5(...].P9..N.&l
t;.Z..J..Y).T.k|..............~.S.,._v.....]...h.~_W.B..z.U..C..e..}Wt
.......Kz.....w.ZF.......X2V..s..........D.Dd.4..0Au......W.$..z.n....
lw.$R....1.....B?..z...TB.....|8......S..U.a.bG..o.&q.=.9...Gk....!#s 
!.1%..g...,....v..Cn.8.!..B.......m.......Z...8bK.b..O.........N..?...
..Q....tb..._.........K.B..v1.^..Y:...i.z.p...G..l.&.....\y.b2q...$.w.
.a{.0..U:?7k.0...&sb........t9..i.......}T.... '.1..>p......JM...U\
.!....&V..i..}....2.....1of....._.{.Fr]3.. K.'........-. .A....Z......
.h....='....l..[.h.%W..).......&....eO. \,{..e;z....)[email protected]
n.(k..y......pi*.-.n..Tw..Bi.............I.L..@.....@].v.[.U.".Y}n.../
..>.EE%...V...:..g..."b.W...J..........BN.....:......)$.."...>.f
4.u.$.zt-......9..Jx1(w......l......`...y.......i..N..O.E4_..Z..:.....
7].Q..m.../...Lk.=9nlh.g.-....'.]09....285.Q.r.*;....e..\:L..m.|..
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 473768

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 124cc6d5f89f4e23d6f8b1fa17f323c4.cloudfront.net (CloudFront)

X-Amz-Cf-Id: OKaqrBJMjtE_BSp0_OFBW9gVNFnEOof5VGoe-NddfzpWTtjINmJqqw==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................Z....... ...0.......p....@.........
.................`...............................................s....
...P...............!..................................................
.............p...............................text....X.......Z........
.......... ..`.rdata.......p.......^..............@[email protected].......
.....p..............@....ndata.......p...........................rsrc.
.......P.......t..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h [email protected]...\r@._^3.
[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G...
..t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=138109-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 966763

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

Content-Range: bytes 138109-1104871/1104872

X-Cache: Hit from cloudfront

Via: 1.1 3d099fcba54211c8608d0183ae162267.cloudfront.net (CloudFront)

X-Amz-Cf-Id: nfsQ5Wb4cgAOUHcawx-lH9RWm8jsUPrO0AabEIQsBCyZXOsDumODGQ==
o........DW^.U.~uq..E.oX.....d..(8..ZZ...9.P...p.[!.............0..j..
K_.~3........,MO._..............l..;{L..G.kT.)....X...,..F.f.l..*.{.=]
...=q..%...T....j."}.5...X2"..;D..[&...av.C..z8h.....P....<.2.r.. .
.a..w.......H8X'..Y.r|.6.'ghPr.6.e.n.....8..D.K..D*A.^...dN#.t.9?.&...
 ...Q.k~._C.._.31..<y.vn.NuW..g...v"....$......j.....j..9...5z..t=!
.O.2kx9.UT5ev|'n......C.2f..7..9}............=.Z.`...k..uJEA.%G..N%...
.....~.".=.dj......g..:`.e...k......#.Y'..&...M...<..5...LLC..{.zg'
....U.e.%.....g..=.....z.B.7......2E...b...9..i.....J%.B......]..y.h..
M...!....f..V..?.A......p.....X..h.R..D.....;....~.!.{....j..*..x.e...
..O...A.n|K..1..u.-...'....q.......L...)...r.0.3..M?.....Q2.N.....gL%&
..U..)...z...bgB.6...9..g}....)[5.%_h.A.../.Pq...*O.du/1.,....(...Z...
^T.R...r."..D$.F0\t.z.PA.<..2orn.....k.y$...C..g.-.z..*w.-......h..
.e ..#....^..7.D.)...m?...2.Ft..)...3gP..........c...25...5\#..vw.....
4..0....2..CnA..V.-C.8G.y.T.b..G....Q.F....}...x.=.w.e....<.tO..../
.*[email protected].^...'3.....SKg'q.r?.....s{..#...q.Gn......N.uxT.>...#R.
..pv.yc,t...._..1"...?......A.....a.a..K..=>Zbk.....@./..E.~...B...
..(....4".G.R...R8Y..%.....mG.D.;>.........k?.|.G..!........m.emL.K
......?..^O.;.$[.(.........'..Lo*...@.."...%...s..l.O.T/Hy>.B.A.=V0
....H..$....L......|].x.:"... "...".Un.....%.|.y.t...zaW..>.a..m/1I
y.\[email protected]@... .../...AL.r.......6....\.rs....I._]A....Z
U..X.>iF.7.. .N.P..>.d...E..F0Pv.5I..I1..M:Q..5FI.. f.=........)
r....p%..n....&..q....%.n.<...V..D.*....9....UYH-4|...h.e..}X.&
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=690545-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 414327

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

Content-Range: bytes 690545-1104871/1104872

X-Cache: Hit from cloudfront

Via: 1.1 72fd608f3ffc532751c11add20a55631.cloudfront.net (CloudFront)

X-Amz-Cf-Id: I1xzHt-fcjLB0oAFZsN-6fUstroFkp3xy_mrHXPk3lVkRs4CnwdiEQ==
..ka....N.}...s....e..P...gOm...hY....mEi.s.....^\z..A....$D...F.^w..r
...l7.....s.;...V.l^&....m*U..,..J...^6..{...........o.V.0D4B=x......"
.6F...h#...,..~ ..I.l.z..Q..eD..^j$.....|/..x... ..G.|..q..&ZA..9;...9
.....8..=...{.....<.M....Q.......y.!E".....}.......b..)...v|....F.]
.....)...s.....VOD.....R.C2 iH.5..8C>.M.}..f..:.[..g....c.{........
...o...........:o...a9....p.......... . n.....xj...>..P..y]_....83.
Z6..)G...!.4.j.g..F..B..]v.y.."X!#..........N.U...dv....x. Z..S..E.5..
.K..u...s ...$4..f5.b..x.q.Nk.#,o........wt.m...x..l...hcu..5T..-.\1%.
.........1]......hT>.....nX\[email protected]...!....`.(..k.....4wF.....T
..."j.>..T.E...Q.....;.au.d....|..d.V.x~....E.o*.P..hKZ...F...9...]
.1G. ..............?}..[..tY.....).^..>'.2.G...e\.Vw.....V.7....u..
[email protected]/<N.........mX.BgX._sL.......|..W..]/hr,.Zvpy.....=6?Av5
...i......=.C.-._! Q.;>@.a...A..........:k.....00...([email protected]..{...
..<.....|.........IN..[....W..7m.q-.C.w.....)..k..9..`s.>...;..K
....8BR...V\.].....}. ..L....QzI..V =v..#...9N.~.k....A.....B..T..1e.~
7VM...F]..&..D...>R.I...n.oW(.k.^..t..7.c...b..W.;.U...8......Y..8B
....K..Y...o..m.....}....i..Tpe.2...).... 2..l.O...3.~.W.l.....U.Y.*.m
1".z.|..}.6.xc5T(...%P..!X......}...k....z(...1M...M/.`....[%.hYR..'.v
.|.R...l...3....Os`.x..(.|.;.P.../..;E;l8r.<9?N.d{.-...H..&J.^.{Z$.
..4.....(."w...^.....h}..N....x.O..%.x.....!..!.D.X......F>..>L.
.....c..|K..@2..&D/....6.|....r^.,...I6ui.,J..u.E6..2..\h.K..)#....q;.
%G......w..u4.R.).y../.(.6v."J.H{n..7OD.^..4.. ...a..6..z..{....#.
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=230356-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 230356

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 230356-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 5eec5d7bcefadbc28f9620a23db3b194.cloudfront.net (CloudFront)

X-Amz-Cf-Id: RhV4tF0O2GIt061GRyYApV7N9d-CBQ72wIs2mROHRfEYP3uVZb7USw==
.R...jJ#]F.#.%.r%.E.!........ze.8M.....k.{..........|..%.h....qu_..C..
..[..1g.....4.]^.K.H...2..c|.s..w..B7F......Oa...7.8..{..[ q..0T.". .V
....#....u..^.|.Dn-.*..hN.....1.l..]..L.>...B.."}.t:.Z.K{.:.*82....
P..;.a... .W...p.......:....m.....;`.../._.......-.u..\.pJ.h...J..../.
.9z.....wa!....%tW..?T ....BzG7....6._.BC...7T.D.N..7..Y.d{....U.D...4
[email protected] ........-..G....:.......M...X.[.......Y...
.q.FlU.....5.j:...Px.....d^uQ..|..7G.0...H.*{........_......M.....OI..
.Tg...f.}....]f.....s..'.)>.H.S.V....\......2..........Z0y.=.t.....
.\..Dp...>aR"..,Ad...t.v..t...u.q.o....X..--...C1n}.....{X.ieUT....
..$..fA.~.7nk....W..a..Z\..k.A..b.z...`.......=..^..8..8..[... L..=.=.
...m..X.... P..9.2/.X...".....z...a..?".J...1.%.#.....8.7..V..........
-@...<..^/v......%7.......fk......p.....*.A...5e..)...b].....Z..e.,
..P>..X...S..$..C*a....\..-`....E......#.t.c.&.../..3...h3..LX.....
....t&.*...!...$.. .Mw.....wEq.....?.4s....`2i...F..8:....oX\.UB.T.Z.W
.b.......VQ.0RR....YD.E....m.p< (..'....|T..Q..K.sD....^M..,?..(.V.
.u8Li..^v...1i{..)|...[..S...,..4<..i.xZ.....p6.}.......xa .:.OO...
.O. ..;T..n...Ju..>..q..GX=-...-...vn..S\.}.O.=.......yJ......G4.}.
^(yC..]-uA..U....#~vA'.....c.B.Q...T...o........H.a..N..g...ut[...uEV_
.2...z~a.P..D....D..u8.%W.....~..........=......./...u...p..{.....o.3.
.Jb}.;...t....<.$...Y.....-.>..G....oB..?^..J..o.....O...>?..
X._..:.$./..&....._.`9..O......N.....[....}.C....k6.....7>&Txm'...i
..C.........~/}~....y.........W..:........8......},....O..o...I"..
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=19801566-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

.Z..p..x.r..N..g!Ht~.B..T....r...R.4K..{x..)".p.......$..n..../..:...c
....M........sX.|cyNp..Q.C....B.:H..(.Rs.U*.@..%.N.7...Q.r4B..".[....%
....1PSyZ o.....l...~E.....G.I..9..A.J.R._s...q..K(..R...j.t...:.Ci.&l
t;W..M/e.(.Z..hJu.(.. .........D j.^;l....B..].....h.9xM......'$.:|.. 
.eI....6..Q..A.>.{`....5.S.j.p....OMg..\....z...$.eF!.P.b<.DF.i.
.I.x.J.....].8].?.WM.X.y.:..8(....q...K|....Nx....V.o..u.4.......5.f..
.pR..mX..9Q.J...Ko.f`[email protected]......>.[.r.......b...sB.
..?..K.....".......RH..(gA...tJ."..8.F..<.q...O..R\b......X....P...
|......cj.F:..q...}[email protected]...].[.<...t..u.7.../ljx..{..K.>..
o5R........mcR... Xt.......{u.F...!...5.xL,.........$2..R. ..|.v..}.#2
........z5..w.(.H...G....#...F.........T...>...ht_..'^.>.......(
.H.L......B........Jt..]s.O..~...1G............uh..:....%D.../Ov.....v
.q.i...:]L.w.....D... ....<6.G].<......i.,Z.M1...(w..D..f...J.Fy
a.9."W.......|f#.8r..dI49I....6.n<lE.Pi.Q#X.\.....CF.....g.........
......7.J<.#.K)..'.C.(w..4...K..B....WI..w=h.....>h.d...........
..e.._p.G.. ..D..`.;..lNj._M..h?........_....D....nA.....~.....f.6:.Dt
.Xc .......R&6.Y..f9.....kr...G.5H..l*....b....-<'.=W.k.m..jj..Y.f.
.J......8.o.K.&#CN.......n...Tyv....6.........".....!u.....3k.1O..M...
.kA..g.s:^...%....[...u....?...?.(]....n...QH_RK.t....OX..K-.[.y..a..x
.]IP.k..z..7..j-..[...8.;..]....b$.&....*....L4.......3. ......c.(N..9
...N0.7 ..~Q#E.....2..l[&......k....3.5......l.;z.M.dS...H.82.J,0.....
p.....QZ.2......?..p|#|rU..O.... 55y]=.....R.(.....?..Y.W....t7o..
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=287945-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 172767

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 287945-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 5eec5d7bcefadbc28f9620a23db3b194.cloudfront.net (CloudFront)

X-Amz-Cf-Id: CDKUnBdmGdfXa9kpjZZfQkD__BsznnuM8BCb-PJhnH7cbRVw6Uy3HQ==
.>s3Ed..............n].V.....t....>>........s~e&n... ?...E#&g
t;.i.#.X.i.......P...Q...!..V..C.S...S......?.......-......%..*......n
A....a...l{?.?........7.......,6}F.Bb...BP.s...y.w....8...m*.Q.......)
......M..-D..|....y.@[.s h..e.%...."[email protected])6tl,.ri.
.95].....\v...7.:.=..9...{q......y...! p......?Pj.b.Xs..Q....]. z....S
.vm|e..J....5.r..u..#FAiU~.....Yr.o=..FGl.|[email protected]..
._}...2.|\.SM...{..LOC.X..#.&>..o.EJ..E.9bn.....{>@f'..x...s..xv
..#[email protected]..$x.3.x..gI..rF`t.7..!T.J.
C|.^|....N....l[...n..".$.^.AY.<.........=..\........-.....r.......
hm?...8...(......Qw<[email protected].>}...b71C.D..D
(X......4"[email protected]...._..}.j*yk.......T..........XM....M..t....
v..\[}m}..CR 9i"......F.w....t...t|.7Wk......]l{..]|..3..m..NE...,..i.
8.....]..N.=..J...?A...D.=.....0.2.ic.p<.....r....j......f...'... v
scl._F.b..0....v.nr,.D....V.}.8..rN....J).N.!.;.3w."%...q8..T..!.0v.k.
.aFC..I.....Z.:...h.ui.uI..m......:!...........!.L.-.(.1...7z..D0.8OG@
..%....x.#./.D....M.K........d.;sL...' ...4j..c...;.Y............o,;IQ
Z...{g#..).. ..*rUc..s..o-.e|-.'M.3......9...sW....DH...-...u....x.I..
Xv...G.G......C"&........G.....q..Ba....k....Vi./....7.H.c..W..f...Ppk
(.<.....R.....d....G......'....n.7..#...o.~......!...h=..T.}...L.':
z.B.;.>xy....CJT)91R.%O.'....C].q..QB)R...J.b.-..<.pn."KS.......
.6..*.....(..2.....Z.S...v.h%..}S..Er.(.0..N..&b...g..=...}<..&....
........X...............k...1.VCP...5A....L.l...u.94....@...e.V..l
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=403123-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 57589

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 403123-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 0223039cfb94be46e85418f4c761553d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: EPwxdaIwIDwylhX-01GD5trRIgAvP-sxETIKJ3Z0Qiq6S3fBmAnp8g==
......jD..F....zd..m.>F.............R.9..S.Ay...%.]...Vm......s..Pc
.....S..I..1y.....q.s...>w................L......#f......}..G.`-...
..,^[email protected].%..3.x..l..u..8.I]"~cC.e6...Q?...i4..LQ?...b.nH
m....(....I.......W..{{.....<..@.'..|K'............z.....E...t.....
A.}..x....g.GA..O..ta=......b-...k3.y..j....%..4...X...... .U}&.W.&.X.
..O._n...B......^............).....}.^..6...&..........%>P,B0v..t..
9K..q........W$..>.xum...'..C7jM~._|..>)$...z.ei.,.R.. L.%i.....
..........^..^...k.Gn.] ..g..JNG.4.........|fw....k..Y....wW.?.....>
;.8...T..!tk%..B..m0hxB&.-.8;p..e-.Y>...U... i`..`g...[..u..f...=..
}X.Y. [email protected]..;......m......o4h .9`d.S.C&.j.5!...
.6.."....w....wd/..Jo.d/..L9.q9....\.3..{Ii.L..u.}z.&.$.........w_x..L
9.......!......^R..L.........@.)......m...2....a.?d.r.....KJ}eJ..d@/.'
..=...{.......A.)..h?."..P..G......[.4...{.^&...{H/...{(..^..Ws9b...r9
b.4.....B..a..m:...W...^.wK....~.r.@{..q...\N..C...A....^..).q......^W
^.5.^#.5......{..`t...]...c..Cw`...W1'......$|..9.H.&{N..'..g..s... .#
..^.k ..)r....s...x}.../....o..M./.|...a...Ef .jP....$..D|.....&......
x_).....Z..?.A......q...>......w.xo......^..%.O...e...b4.s..b4.....
.ix....&.M....m..g.}.2.....8Z.9-4irZ.......rJ? ...x.^z......J........^
.G.=.]o..^..".:..s.x.K...>...Az_.........wt.s:\..bt......(...Ex]...
taE'.:C.g/.....;=@'.........5..}({.5.."...... {.WzK|.K].wp].....{...'p
O......$.[.(..;...|....^...LH\f2?u.G'....&so...b..9~...^..V&t.2..|.G'.
.|...[1..Vu......q...^..5_f2.....|..n...bL.b......q......Zh>..}
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=118442-236884

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 118443

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 118442-236884/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 3d099fcba54211c8608d0183ae162267.cloudfront.net (CloudFront)

X-Amz-Cf-Id: L3Tb3EfBhOW5-D3CTptodEWho78SMykWnh_fJXGQrmhEhhn-ZAUWWA==
...,.....q..d...f.:..?!.vbpU.W.~...O50M.E.`...r..|..e.?....^.......<
;..\.N2<.6.U......>...a..=.....Y,...8.....b.5.!..3.X..n.Y.....&l
t;.6<.?....G\....A..x.c.....g.J.p7...aV..e.V....{};}.G....y..F.....
y..G.!5..@.&....ft.."G...(t...Li.l74.~.Cw/....Sg............Q?....J.'.
....th.. . {....2xy.N.%..." .......1.....9......w....t....P|a,c......;
2S.#z.c.qs.jR.%Xe.....{.M.S..fG@..... ......-..wV..1.......%... ..f...
......z.M..(..94p...M*h#.b.u..jT.~s...I....H..(...B.m...(.T.gC..NQ....
..V..t...n..e..7.HH.......L.9...8?.......o.7;......q..0.#..`.m.z....}.
..o.....0.....l...f.V..._ruNl.G.....?..y....:.%...h.[.s....X._..l$..O.
7.s....7...{W....k....q....Sc..Ge@..[.......x...:U.....\z.......~y....
%......\]..x..R.}...........yV...c./~...g..U....}Y......-ouE.0b....iG.
..!...........N...6..ItI.F8....M.]....Q........3.6g.r..y0.l8.....X....
....sGV...!..<.u.|.E.kQ.>.....i[..`[ ..1P.,..U.=<.a..D*.e.,K.
......:..Lk.........~.o.... %.]#7W..H~...........Z.&.E...b|....{.S..K.
.&....iy.=xD.HL.).x9}F.../J;....L..../s.....b.....2=....s...j.{.?V|...
([email protected]...?...j.........7..........H..A
k..J3N...Y...^D.Qz`\.b.u(....l..........l.wwVO...}}|_.]1..(......... .
.\j........j^[.U|..X9\l..;jk.(iF..h...f.!..!..UH}.Z.WLt......^..<:4
p.....D...F2..JO...j.-g(.._......R....&.=7. xI.. J.Q.H.e..8P=...p..w.-
..a7...;...GK..\......./....3D...4........K|w..G..*JI.I.$......M&j..*A
.`DqH[.....%....r.e7..-.=...7$..u....Q...~...1IHC$.D..9..FMl...`....d.
.}..*.&..`Zw.g.J%?dMk).q,.l...#..& ....................0.........P
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=115178-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 345534

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 115178-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 afcee990943d57abc1399b7045f930f1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: DXROqtAh8mVbGtq17ufUSJQOcO0PRXrBaRCkORCryX7XF3QxJW6Qxg==
D|...Z.K..G.V^A...i.av=.O.....h9.H.[.(.%...6k.'.\[email protected]...|....'.&.. ..
{[.kz..u5....X. ......V..g..).`..%x.....g.....X6F.&..s..&...Rc]..`.cs1
;..n&.[4U...M.d.S..V`.K..4H!...`...,W5..SA......... ...&...5._...z..r*
. .Z"!...=I*..&&....!.....}.Pk....i..Y..rzP.0...N..Eg...I...w..y...!.V
I..MK..,...Y..O.......h..y.. p!6.M........!W.......... ..n..Uq.....m:{
.!............[O.....8/...>...*./..A...............l....m../Z[..Z.\
.........'....i.i.P...A.w..........p.uS...jW.f$.L..N.<4..mx.i..w.F.
..v[.o.c:K.6.....:.?.I..7..%....@e>jb.y...4..].....,.=.(.<.)O..I
....b$...{..!....n...Xkc.{.3.....Z.f....^k[C.1B?..>....a6.......f.=
ej....]..V.A. ...I.!......!.r....l-.U...,2......4V.UU.!,r.....7....F.f
....<jX.............m..R...o........[.....b....z;).........;....a..
...I....k.kR.yp...-...`W.:.4.wA....c.<.....}.J.[P<...XP.....].E.
.oy..0.b.W`j.]wVXC]i{....... ......=5T. .9...u.O.s..[?.ne89..-pMo...uk
......v3b....61....JR{.}A.p..v,....9.AKV./.T.....q.?..u/.....e....c..2
4.iBf.......6..`..h.h:...ER.Cx.8.......Y]...RBR..*....v.a.....tc.Q..[.
o"#...r...T..g.F8..l.Y%....(.z...........'.R}.@...(..K.."]..'...1) ...
.a. g~...p.....r........'.v..&.....|BA......}.A..Xb..whLwh.E.K.. o...D
......$.&,........B..,..|..0{.h...(..7.G.../"!..;52....wh..5.5..(.O...
w.lpA..Z.".S.[.V.W....=..J....U.......f.O.&7 ..^[.OD........Ds.......E
G~........|l).h......C4..u .u..o_....?g.i4...n.Z...%...Eh.......9..YPa
...,*.......GI..z.QX.`.c.5ZA.kH...C....9m2?$.....(....(9.C.t.....a....
m;z.)..pi......%D..Y...4..:d......B...wJn:.m.\.~t.>.0....F-.:O.
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 460712

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 0223039cfb94be46e85418f4c761553d.cloudfront.net (CloudFront)

X-Amz-Cf-Id: AFYbQTzk5HL3PA4B1-ZkJ0d-MILE9Uro4Qk3TCB-qtfFKHBrGPGuow==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................t...z...B...8............@..............
............ ............@.................................@..........
......................`...............................................
........................................text....r.......t.............
..... ..`.rdata..n .......,...x..............@[email protected].... ...........
[email protected]......
.........................@[email protected][email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=2828796-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 19801565

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 2828796-22630360/22630361
...1Iyr][email protected].=..[..[.....C.....O._..[W.,~.j.B..
....%.&!.=qC<.Mi9..1.Bej..w.B...=.\....&.?..p.....-,i.9^.......x...
...[1...hT.*....,.;.....nb..S....~Vn...G.|..I...d:5..M<Q.x8P..Q.k..
.D..:.;.J......X.....^[email protected]..>..l..CG.MH4..M......
M....*a.@..;.J|7A.....(!-d.w-....".H.q".fmC.......8.|[email protected]&
i.....0.;....h......d...w.....,o..c..:h.4):.h.5..}1.........j..=....."
.s...S...eex..2..a..e4b.P...Q.1..........^b7y. .^.OZ.E..&9...wI...b:..
.v...(..u.-w.B..i..y......BX.Y..2.s.\....[w..t.2..aR.^..e...A.7.f.u(.*
..G..$..Iu4...1.....4C.{......%Xh'.[.......B.G.8 (.o.w..?.i.....`Y..)u
...B...7V....9\.!....2N...k....1,.....{[email protected]
%.......'...n...]..\&./@..&U[...([email protected].....<Zn.y../.=;.....
$._GU7..._.W..:..3.........T...'.......U=.G..".[..~'`......4.e/....S..
.e..........e......z..a..l.$<..~0...b..%!K..K...0Q._x..z.x9en....p.
.D.G..7....*.........pn/p"&........Dr*...t...rW...y..kI.%....".>.8.
..3.L.t..)....5....Mr...f-R.Y...*.....4..m....3..9a..F0.j.W..w.n.{Q?.^
F.n.{......G.........V.....%.D: ../...!......=.......H...W/$.....e9..*
rI.OMvz~.I.....J.9..C.|j..W....!.X.:...C..h...-.ktM....S......~...ab..
[email protected][email protected]|^.G..V"...._..K..$O.h..%
..3Q.....VP....=......b.Kk....<V._S...F.L.vY.q...j... .P.{..|...c..
ee.r.....o7.S..Q..ES...P.{......~.9.>_.... ..&....1.(..D.W9[y.V...!
.k.g.\7q..P.jg..k....>..$.r...g.4|..9m..q..4........6@Q\.p;o.....dI
)...=...e|{..-t....c.|..`B....RvK.0.R...'..3.W.........4.9.....[..
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 473768

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 2d1e8c33c3b76cd1ba00c1fae27b1dd1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: KCMNnLww4cJiMAZW7_iIvuFDqaAdAsJzPEWLE0nZwprJ0mHMF-KygQ==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................Z....... ...0.......p....@.........
.................`...............................................s....
...P...............!..................................................
.............p...............................text....X.......Z........
.......... ..`.rdata.......p.......^..............@[email protected].......
.....p..............@....ndata.......p...........................rsrc.
.......P.......t..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h [email protected]...\r@._^3.
[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G...
..t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=966763-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 138109

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 966763-1104871/1104872

Age: 1241

X-Cache: Hit from cloudfront

Via: 1.1 72fd608f3ffc532751c11add20a55631.cloudfront.net (CloudFront)

X-Amz-Cf-Id: QopVh-zG23LGqYt4lmaTrmWELvWbONmmhx8_e3y4lk_MqZKqwdt4DQ==
...{...Z.N.#[email protected].!>..4.c..#..&d>..aP ........J.*q5l..-1.O.@.(
`..'j>..z...OM..,Z..:...@t%..|..0....M..v]?.=2Y.\P.K(GB.ds....f....
..J........U>......j2l.!H.E...I...I........=...B...%.z%.[....,d../.
..*..W....K.B...^..... .P.....&.......*..:.%....:/.zF*......L..N<..
.[...._.....Fy.....1p .."..;..=9../...j_..S.J.b>..)......#1..Ni.r}c
4S.V..S.s.*C..7%OZ....8*.d{.<."..j....[S.=..X..n`..".....c...D.....
../1.$........T...?..Mdg..^)..w .Kg8[.s*..^.J.X?..wi...bd......ge...&.
.N......i..=..t...fYgLU[.e....R._.6P...d$2....q'.c...X.......9........
..h.....4PR.\.;.S....~..m..(IF...(.K...lH.f..Y...Q.X......X.I8&k/=^..'
.-....%...?.5(3..eX.:...V0..R.u..Kv....}y0..C. .viV?..5(......!;....M?
l.'.:.n..n....iA....-...42S......r.O......4/~=.Lv.....~ *~..T.(C...l.}
..jbTa.44 ..).p.v.....?....w.u... .c.\,...C...2.I..!8..\...=U..R2v1...
."'Ik..W....N),.....&......}4=.]`\.N .......6.3}[email protected]#............
.Kg.9....A...... ....2.2.Z{..nbAE..e...?...e[..)....e...C.Q..2.p.....x
.........I@&...}...o ........r.L,!.M..k.Q....8.o./y..~..C`...$.......M
~..bh.}~...P.../q...[....vt..CC..B%$z.}...I5.k.....r.P.9...S...F....'2
...Ok....l}..?A. ...sp..9./.}5&...P_c..!H.EC.L."..^6...L.:.>.H.....
C28....c.V....!..H....F..J.....<.........!o.,`2K....E. .....u..$.o.
\.T7....5n|7....unUV.OA.....Dr.. ............N..V..H.C.....FHn.9..G...
i<.....: ....2..X.~.3t.4gA..N..C.fI.(JA...eQ.l$..&....!.?....:<.
/y .R......6`.....i.&tP.c.....kcG..HH..,.. ...R....Q6.....fD...cD%.d..
..o.^...!J....h...j.......^.[...=.pmg...._lr...7......o<..G....
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=414547-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 59221

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 414547-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 72fd608f3ffc532751c11add20a55631.cloudfront.net (CloudFront)

X-Amz-Cf-Id: PIptxP1hDLLZtY7RPoTEiNU_oZnW1LGjZBQ8CfFUBAqF9Ce7F4FbxA==
fV...`A.....V..4l.V.J...F.$...g.<..L.{[email protected]@,......s..V"Kqj
J.V...\.HY.8!....2......F...t..Qa....g.1...pk...2D|....F>.....<y
%2.QX..D.........QO.9..v...(h............. L....Z.=..\n..|z....&......
.z.l.=..C.J?..*.k_u......4...9.7......K(.t..=.U.....K...........d@ .s.
~..P...wR2.k<z.?v9.J...kq............\.lG...o.:8M..W..v<ar.....a
.5.......RH..4.W........Lju^..#.p.*i>[email protected]..\...F.'.<....M.
l.....L. c.f.Or%..)...F._.7.A...A.....a.U....^..eG...Ca&w.q0.qi..E...F
.c...c.t....Q..A6d7....H......%(..5{W.........E..o.V.THh.....l1....P#.
m.5...93bo..]....4K.....&{......}.W........mf/g{....F):d9....t.....>
;.l......(.B.EA....4.(.../k........./Dq...{........[.....U8.N.<H.!.
.?..6..<...%..O.#.......p#tdq...h.P.....T.y/...<[email protected].
...&..#....s..8..mI...%....|...m0bd.R.u;e...H.1tnD..SW.....,$D&..^U...
y.^|..o.............M' .E.4*Mu.t...*.g....G...([email protected]...
d1..-.7.a.2../N....]W...3...B....,DE.2.N@.#.....!?.#..t...V.2.n.d..n..
Xi.....--.... ~<.=....O.)Nx|4D..99..........j{...d.[J..J...pn.d.7A.
../........!....Z..sp....zd..0....X{...d........L...w\...V.........d..
...v..K.....D..*JJ.H...z..........G...g\...uDc....c..t..........z.Z.3.
..3.9..Z..,...c4....H..x.z.~}[email protected]..........._...z.z.K..G.....(.\
!ec.....t.9B!...iE.....*...N^.u.JP..sTO...^...`.......'..........[6s".
.p..{Z......X....s.T.)>.uZ.G}or..p.>.......<..VS..E.%{...g.O.
.8..:^jH.:..:<..?|.]..C.(.Q.g.".r}.DS.0...T....z(R...y..T.......M6&
lt;S@(....~..U.I..?Db.o.....}.B...t2.0...v...D..8.j..4..'.ex.,K.*.
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 1104872

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

X-Cache: Hit from cloudfront

Via: 1.1 72fd608f3ffc532751c11add20a55631.cloudfront.net (CloudFront)

X-Amz-Cf-Id: m8BSMvAgW-ly-8RMANSqAm0LcwZR_Tqb_HPZORi410CYLGXRmuXGpw==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L.....AO
.....................P......'C............@..........................@
......*_........ .........................................8...........
....0.................................................................
...........................text...D........................... .0`.dat
[email protected]...#.......$................
[email protected]@.bss..................................0..idata..................
[email protected][email protected].....
[email protected].............................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U..WVS.......U..E....t...F
.........{B..H...H.......M..E..5H{B..D$...$....B..M..E.....SS...E...$.
D$... .B..M..E......M.WW......M.)..M..NT....NP........E.....}...VT....
....FP..E........}..VP........U.......FT.............}..........E..M..
.$..|.B..E..R...D$..E..D$...$....B.....<$....B..E..Q.}.;}...Q....~X
........F4..$....B...W..........$.E......E......D$.........B.RR.FX..$.
D$.....B..5..B.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$..{B.
....B...|.......T$...$..QQ.<$....B.S.M..E..D$...$....B.PP1....D
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=14143976-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 8486385

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 14143976-22630360/22630361
...c..}.....).......c...g....B....J......5|C...}.E.b..."}.81.........&
gt;...&._V. |6..`...R...k..R.......7.OR..r.L5...tnY.e)F....QS..Y...U.v
.M...IcN....\...R;{.P>.....ci..-3.Z.......j2....s... e~...R.<T..
-....Z.3H.|q..5,.Q.V.......;P K.{...9....R?Q....|fe.R...lX...2.g...-.8
....a..2.&......l...4|.P.M*.Yl.q...1lp.Y.3..."4~...%.........aNM.E....
..3: ...vK..#h...R...9..- .B...b.Mfm..C`.L'^..P...NJ ......."T I......
9.'....S.>..Vr...J..e`Y^......4.....c....]_..W.9.r,....n....5..5F..
....4...a.1......M#u.w>I...=v......Z..Z|.....A...(etXHN..R.d]......
....7...k..t...9Ko..b......"......G...=<.p...D."'.,........A..k.^.L
......^>.C.....x.a........O.BN..&...^..j*..:.g..I.rQ:.SR#E.UH.....4
......iN":..m........T .....N....,.!~.....y......,..d.f.e.'.p......k..
..L..6....MY.."P\.e..ck.~5JU.I.A. N....J)p:...f..j...s........Jub=....
MpL.S.[SRH.......8^[email protected].].H....=i.Z.D..<,.A.\rm....'.
.._:>.!p.7fJ}......;9....*3..wy...B.....&.k?......m#..z.....X.=.[..
i..c.=2..P....C.t.0&.o.._'6..).U.1....gP...k....l.Vj.Y..'A"o......d.xS
Y.d..p..g}W.....{\WG#..@...!...u.[C..#V..r..j.,.fc.%....X~ru..B..G...Q
......p.U.gr4......e...k=V_v..q...a.P..ZR.W}_......2.9<.]V.k...2J.Z
.J....Y...b...6.......-r.JxDR.X/T...(w.0...^.}.,..nz..h.}..!Y.........
~....S..aK.<ox.....:..N>O..>P.bf..t....Y.....Dd\.........9...
Q3..u...#.2.v.>&n.*..._..'J'>..r...@"u..b!d..Kc.$g...X..?1;.9.C&
gt;....1zo...y.a.........9J...'.C.3.i=..&e.}'.}3M...l.V40<s2.w>%
j{..i..../...0Z...................R....}........y...H.=]....I!o...
<<< skipped >>>

GET /mirror/vuupc/qms.exe HTTP/1.1

Range: bytes=0-

User-Agent: Better Installer(Mozilla)

Host: d3rs1f9x4ymprm.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 460712

Connection: keep-alive

Date: Sun, 11 May 2014 06:34:20 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396259970/atime:1396259976/ctime:1396259971

Cache-Control: max-age=3600

Last-Modified: Mon, 31 Mar 2014 09:59:54 GMT

x-amz-version-id: t.vIOwYeEoIdOVyap9pI17aVNHZ3OpiH

ETag: "715592242fc40c8a33e7af2fedc49712"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-460711/460712

Age: 1026

X-Cache: Hit from cloudfront

Via: 1.1 f8b39675eac44b97a6b28ef50d3d59db.cloudfront.net (CloudFront)

X-Amz-Cf-Id: xM4YaVy1un4fTD17ylIp3YlXMkGzPjaq9uzphBZFvdQBuGyrY70cag==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................t...z...B...8............@..............
............ ............@.................................@..........
......................`...............................................
........................................text....r.......t.............
..... ..`.rdata..n .......,...x..............@[email protected].... ...........
[email protected]......
.........................@[email protected][email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 473768

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 5f563e9cc429ae122dea88398bde34e7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: HJgGWk1cAFj4nhTFobf8nhas5f3B_hu88jYL61CkLHZ5vH6HA87iQg==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................Z....... ...0.......p....@.........
.................`...............................................s....
...P...............!..................................................
.............p...............................text....X.......Z........
.......... ..`.rdata.......p.......^..............@[email protected].......
.....p..............@....ndata.......p...........................rsrc.
.......P.......t..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h [email protected]...\r@._^3.
[.....L$...nD...Si.. ..VW.T.....tO.q.3.;5.nD.sB..i.. ...D.......t.G...
..t...O..t .....u...3....3...F.. ..;5.nD.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=177663-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 296105

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 177663-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 8209450c44724e2d3c05191a54698ae8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kACUiqaXsgBTqNP5L4Skc52aMRT9y1BFENGEgprCDNPMdugj3BRd1w==
.......dE..AQ&6z....L [email protected]....
.bd6.%..._..F..D...4x.0.X.Y8.!t.&....B..........b.....ed.s.Wo......./.
...af.......h.V.....m..(.8.......mr.... ...iWO4... .....}..iE.b..#@..p
..#.3.......D.&uE..,.8.Q.1r...y..].5......Sv./.D......a..$.x...tLTZ.=.
.....w.....D2..05....(.......bK.O{...qE.m..@?.}f.UR ..H..6........h..A
..r.0.....yD..!<..R.m...b}%.'&.TF..(.....LIr.]..P.._..l..9..% ;;L..
ivV}9....To,<..|.{.......M.H.9AP..&c......:..K..2w?..[.ma.=......K;
....g......l...b....m1.M)D....7T.....!J;.j...8 `./}....t.g...B..zO....
.Tf..Z#:.;...........?.pH.!...k.........,...Y..3.L..By..N.V.....4.\ ..
W.d..T.bKL.c.u...H..v..O.....)l...r.S#HC.U....l..yF......V..Q6...S....
r,.....B4.!u:...t.9.....3.>..f...^..*.[.V!...f..09S@..=.....^\p..B0
AL-J.}.)..}.*........Q..CL....;..t.E..I.17Y.h.........I..(\....K.g....
..&!N..v...J..]..C.`oC. (....>pg*..X......6..E..2...!s.....`....Qy 
..C!N.X...;R....o..e.k..K..V...bmW d...8.4f~..d1du..3fO.=..d.f.K....|e
..30./2....K^.?O.o....C..p.$..j.pBNE..qF......;.R......v..0L...c.->
....[qC...a.;.w6...<.F..$V.A....)N....].....\......@........".]....
.3..S......f.!k..M...`T........KQ../x.EQ2...#....K.kO..t...O^..D..YMk.
.Cxv..J.<,...eC..F}9S|bj....'..Z.....Y..j..|@......_8...n.l....|H..
..........EC.Ft...qV.....d...GS/..g|.b..... z.o.x..`.....<%....m...
92................0^..)....a.i.J......<O....Dw......[&. .m...HA.{.@
..b...:...Z.....p...5jj.gK.r ...J.3......._<..(.MJ..~....1A.G..S...
....Q\.....|..d.<NB.U...#.V... ..6..K).k.N.....B%Y..^.j.K.9....
<<< skipped >>>

GET /mirror/okiitan/Okiitan_bs.exe HTTP/1.1

Range: bytes=355326-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 118442

Connection: keep-alive

Date: Thu, 15 May 2014 09:26:03 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1400059973/atime:1400059987/ctime:1400059974

Cache-Control: max-age=3600

Last-Modified: Wed, 14 May 2014 09:33:25 GMT

x-amz-version-id: 7RRP8tDTWPNQ1PLDoiptIylEJle_BV_C

ETag: "b0126ee2fecea8b43453bc4263a4a4da"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 355326-473767/473768

Age: 1240

X-Cache: Hit from cloudfront

Via: 1.1 72fd608f3ffc532751c11add20a55631.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ycLniBWPdqG4KpNJrTGA9pTTpBs6CU4IlkpqhXhZYRSePz9jvVGRiA==
..I.\.y..........@jI;u..hd..'........8#_.8z.D.`..a.M..;.=..m..x.......
,..."N.._.]iP.#..\..18.. -....a&{...R/%}..qj.....Yu.......Q...0..Q....
.O.......:B1;/..B,..%aOv..T.......tZ.....e.....`H.M.....8/..e..O^8....
.A,..1.1...............~.b.b!(4oF..p......re~...T.6S.W....j.Y.....)..v
k...E..s..uq. .L.........S.g.!y.bs_H.......;,._...$w7J....Y$....1..%.Z
..;X|.....\k>SJ'xE......#.....j..6..Phc....;s..:.....H~\..d...(.I..
....|.Hia..ar......H).Q.X...!Q..........H.W...f.1..!0.o....M....}..7..
N.vaI......-*K.R....a.&.......(i=..}[email protected]{.....L....5. .I....)
.3...w-9..Oq..3.(%.:.{....:...j..&^...SS1>.%.hh...:.^.H....k....0..
....sz...y?....H.I.>##....#[r.......$..c....A..$.e*...wy.Heq.k...FG
.>.....b....~P?.#B..z..4.....32...{W..n\..#9......a(.....~..1.j.u.6
..L....H...I>.<og.q.....K ..>....>%.....AC.".....q.[......
..A*[email protected]%m...4a!.)[email protected].._.z.
lKY8...y...T[J7.3)-.5.2...h........G.-ZQU%[email protected]>\M..*.:...
..........w*.*......Y..h..LH..[......n.S\...0...i..E..;.FY.,.....\....
.#...C.a..P.n.=-..[....=*.?.K:......!r..._.TQ...{....g.I.V..P0Z.p\./&.
0.c.8e$....8.<...o.l....X..'.{...9,'..R.6O>..X..J..7b....o."x.O.
6C.C:.~.[...u..x..Y~.[....!...Z..a..Av...b..1*.w...0.XO.'....D....0.u*
.5n.1.$Yr;......C..o.....p.a.%.0.&im...Q..m......jy..R... ..[M..5D...Q
.>J.....6ZnLlW....1.e..."x......Q~E...X.R..t'.....]%.Z.]..L......3y
m^..B...2_.kf.A.o...s'....?i......nH.....P.n2.k...f.c..z....XZtw......
.......L:...2.#.2..........B..|.Gt.G........%6..$.38.p.....1'w.<
<<< skipped >>>

GET /software_files/vlc/2_0_2/vlc-2.0.2-win32.exe HTTP/1.1

Range: bytes=16972771-

User-Agent: Better Installer(Mozilla)

Host: download.filesfrog.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Server: nginx

Date: Fri, 16 May 2014 02:48:09 GMT

Content-Type: application/octet-stream

Content-Length: 5657590

Last-Modified: Thu, 11 Oct 2012 11:07:06 GMT

Connection: keep-alive

Content-Range: bytes 16972771-22630360/22630361
.....N......A....r.....]...w. ,.>..,.U.....2m..p.p^i.c..v.0....lIB.
......nk....j{E.....d..1..:z....hx....:n.Z5..$.E.....X\.u.~....o.>o
@.D..k.UF_.S..M......."...R.,h{g|..E}.....?h.......|...Z..j#6...Z...e.
.z.....3...Vy(!......|4...[...S e.....]."W:...|........nk....A..1..e.&
gt;=^.....\.......4i. Y'b.....7...3H2.S..5.v..A.....m..4.AQw..%..E..98
. f.* .;......*.Y....y.E[.Fj..x._...y....7...K!Jk.......?2..S.m[....XC
E..g&V......iP..(.zf......=....)k.qq,[email protected]......... ..7.$
.u$...`...k.......c.M..^...*....A.1d9....L..6.......S...&.o..9.....9..
*.R.k..^.. ..\!...[..:..6<(..=.&.....Y.....<3D.......b.....|."R.
............t.Q.bD.?W......e:..\z.z..D..V...5eL\.6.!/....U..Y9.U[.....
..1..Mf.^.<.0....B...L..a. [email protected]....!..(.
Pb..0^....[...I&k.w.UT.!x.4../.R2b.q8..gvc0.....-..][email protected]....~. .
`....p...\N.....~..k...-..A....f.)d..).X...}...X....V..YB....Y.^..K...
#[email protected]....,C.rXut3f...R.......,.$.....Z...5....?e@..~J2.z*k.
....n.. .<4/M.m..{.P|......R../..F_.......o...........1,.....:..Vw.
?...o87.V.....>(.....M..E&.]E...y(u~MA5.......2...!....{L....AK.<
; .Z.~7........HS..UZ...M.....4`~.........IE-.".pL.I. .2RR.}...(......
...3.....fl..g..[...i....(..c.Bj.Xv...T. ....\./.o......d........P7...
B......i H^....W.jt.U....r..r.......V<....8.'w....fE.s.R.}.(.....(0
..y..T.m$.j..y%....~..|.O1$5....zy:..:....v_ .......o\-.2l.S..7y..[.(b
.=.....p%.......`..M]....QM...4..h...7x.-.X ..?Z_8Yy3a.D"...Z..'(A .
..}G..zS......i.h..I.2....;.gDI^[email protected])....Y..g5[j.....}
<<< skipped >>>

GET /mirror/couponalert/ie_ff/CouponAlerts_new.exe HTTP/1.1

Range: bytes=414327-

User-Agent: Better Installer(Mozilla)

Host: d2baajcqvc8bxx.cloudfront.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 690545

Connection: keep-alive

Date: Thu, 15 May 2014 16:13:10 GMT

x-amz-meta-s3cmd-attrs: uid:500/gname:www/uname:www/gid:500/mode:33204/mtime:1396959015/atime:1396959187/ctime:1396959178

Cache-Control: max-age=3600

Last-Modified: Tue, 08 Apr 2014 12:13:25 GMT

x-amz-version-id: W_L7PPS7No5BJEsge9jhdYlGlTyCAJzg

ETag: "c3005b351b2e277655f779362803430d"

Accept-Ranges: bytes

Server: AmazonS3

Age: 1241

Content-Range: bytes 414327-1104871/1104872

X-Cache: Hit from cloudfront

Via: 1.1 8209450c44724e2d3c05191a54698ae8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: EP_FZmusS4mbniWwQ_dBNqXfFFHX_Xi_pGgMXgry0z-h8Ld7MVDx2Q==
.[....g4.M........x.{...b=..I........|.}......i..y...._....r....oqO.K.
.c..B/.q..dj.P../..!.j.d...kN~O.l...c,.I.)..K...a4t.....d.}c../.....j.
]....E.~...t.S..Q.m.8c.*...mW0.#G.6~...'~#e.L.O_..nDx...r.r.E`CS......
.....r.K[]...1k....,.5..b....l.c.#k>O.)#CV...=(.D.!).*4...j..0g....
.j..\.j....;.bf.....e...Y.$E.}.y...Z...*..ZS{sho.>.A.>ye.6......
...%.."m....a.._.peo.H.Ol..../l.K...&IW&8.t\.F"i...i T.GJ.0[.(NEZw:zn.
..........._X...I_,.j...Jm....F......<W..l........vF..bg.(xi.~.a...
*.I...Gh......w.c...q..o.f=...!!..x...S..;.B..v.0>..y.~...|.A2t..}.
p.Y..w.:h.....F.Y%[email protected]..?..d8r.'"K-^F....P....7d.....
[.....J.......S.N!)[.Q4.........".}..s.........8......b;..J....lB.....
........;.\z..w..i.....p..K.z...l ....7. ..l4.Sf.u%......].....y..f..O
.h..p..:Tv.....e...........r............R..."..WYF.~J...5.J.<......
E7.....<...:.............}W....N.:..s.vb.#.#1i....2...$.*h..7.d.E.B
:.8.....~Q.i..1;........EW.......c{. ..f....s}.F\L.[ByFk.E.R....^.$m..
..V.0...Zf...r..PW.........9..j}t.*....,.i....h....\bX...!Ue[.XfB....R
..._..uG..S.{i<..c...X....D.a...H9.K..B.k.T.g8ga".\[email protected]....
..n......[..y...q~=.8.pIC.!0.v./.F......~..dD...........N....|.cS..Om.
T.;."~YRo5 .....6......B.....7.>(..R.."LM......f..\..k...J....G3..[
T.... .............M....X...<p..?.9=S.TYO..?...Q.}.E.P5...M...?...-
.....D.X............8....0.]......7.y..s......"#.3....a..]5..7p.iF.jh`
..%~2..$yVX.........j..XT9k=.."..=...."..|.f5.?D..-.v...............&l
t;.~D..&..p.....-.......Q!3...{...\......?h.!YI..G.1,.y.t.q...o.._
<<< skipped >>>

The Application connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

PSShP

SSSSh

RegDeleteKeyExW

FtpCommandW

XXXXXXXXXXXX

kernel32.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

d:\mTech\somoto\new_svn\BetterInstaller\BetterInstaller\Release\BetterInstaller.pdb

HttpSendRequestW

HttpQueryInfoW

HttpAddRequestHeadersW

HttpOpenRequestW

InternetCrackUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

GetProcessHeap

KERNEL32.dll

CreateDialogIndirectParamW

USER32.dll

GDI32.dll

COMDLG32.dll

CryptSetKeyParam

CryptImportKey

CryptDestroyKey

RegDeleteKeyW

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

RegOpenKeyW

ADVAPI32.dll

ShellExecuteW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

USERENV.dll

GetCPInfo

GetConsoleOutputCP

.?AUIHTMLOMWindowServices@@

.?AV?$CAtlExeModuleT@VCBetterInstallerModule@@@ATL@@

'BetterInstaller.EXE'

Created by MIDL version 7.00.0500 at Tue Nov 08 16:10:48 2011

1"2-2:2]2

:!:&:0:>:~:

: <'<-<`<

{C85A8C97-E040-4924-8E1D-693560EE116E}

WAdvapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

@Mscoree.dll

OLEAUT32.DLL

A%u kB

%u bytes

Range: bytes=%d-%d

Range: bytes=%d-

%d:d:d

%s - %s

Wwininet.dll

r%s.%d

@"%s" %s

@%s (%d)%s

*.TXT

%d.%d.%d %s %sbit

%d

%DOCUMENTS%

ÞSKTOP%

http://installer.filebulldog.com

%s\Mozilla\Firefox\%s\prefs.js

%s\Mozilla\Firefox\profiles.ini

biDeleteRegistryKey

biGetExecutionArguments

biCreateRegistryKey

biExistRegistryKey

Better Installer(Mozilla)

%s/%s/%s/%s?v=%s&muid=%s

%s/downloader/%s/%s/%s?v=%s&muid=%s

Preparing %s...

ekernel32.dll

mscoree.dll

KERNEL32.DLL

Open URL Error

URL Parts Error

FtpCreateDir failed (550)

Error FTP path (550)

bi.bisrv.com

ler.filebulldog.com

http://download.filesfrog.com/software_files/vlc/2_0_2/vlc-2.0.2-win32.exe

new.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vlc-2.0.2-win32.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\biclient.exe

{8856F961-340A-11D0-A96B-00C04FD705A2}

2.0.0.0

BetterInstaller.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:388

2. Delete the original Application file.
   
3. Delete or disinfect the following files created/modified by the Application:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe (33827 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[1].png (6743 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe (1482965 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.6 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\tokyoLightGrayStripesBG[1].jpg (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.0 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.0 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[2].png (3856 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\tokyo_sprite_full[3].png (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.5 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\search[1].png (1941 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.4 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\eula[1].htm (11 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.7 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.0 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.1 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.1 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.3 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[2].png (3856 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.2 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.7 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.6 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\eula-couponalerts[1].htm (2739 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\vlc-2.0.2-win32.exe.2 (173869 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.4 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\deals[1].png (3242 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\eula[1].html (535 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\comparison[1].png (2902 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.3 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\title[1].png (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.3 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.6 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\vuulogo[1].png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.4 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.7 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\vlc_48[1].png (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tokyo_sprite_full[2].png (3164 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.0 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.7 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Okiitan_bs.exe.5 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[3].png (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.5 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\vlc_48[1].png (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.7 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.6 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.1 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\eula-vuupc[1].html (3323 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.3 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.2 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.4 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.5 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.6 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\eula-couponalerts[1].html (1756 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.0 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.1 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UpdateCheckerSetup.exe.2 (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\eula-vuupc[1].htm (1187 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.1 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\tokyo_sprite_full[1].png (6430 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.3 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.2 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\CouponAlerts_new.exe.5 (9496 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\intext[1].png (3032 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\tokyo_sprite_full[1].png (7067 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qms.exe.4 (4152 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\biclient.exe (8184 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (8002 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\config.ini (113 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.