MD5: 3c7b448d2f06e0601b20b43a0800eb5e
SHA1: 6730f85f48d36d7d76447ea29101847bc83a7ff3
SHA256: 1f0721ee2bac8b8cab0076d53c75b1443f9211fddf05e51f1c4bf41146cd6eb6
SSDeep: 12288:AQFag/0TuKo5 w05DIN0tqCWEP4FGlvxQQhmmBzethhy7:AQFN/0TuBsw05DIN0PWECGl8mhet
Size: 652200 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Installer. An installation package.

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):

%original file name%.exe:1388
wuauclt.exe:304

The Installer injects its code into the following process(es):

%original file name%.exe:1476

File activity

The process %original file name%.exe:1476 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\LOGO[1].png (3719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Quick_Specs.png (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\KO.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Color_Button.png (863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\CS.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\JA.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\logo[1].png (7491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\bg2_us[1].jpg (7569 bytes)
%Documents and Settings%\%current user%\Desktop\Continue Flash Player 11 Installation.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\ProgressBar.png (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004C531.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\bootstrap_15771.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\logo_new[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\bg3_ru[1].jpg (3756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Close_Hover.png (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\IT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\Rodedowo[1].png (3521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\NL.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\FF_logo[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312728_stp\sqlite3.dll (1706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\BG.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\EN.locale (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\Beginogo[1].jpg (2816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\SV.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\bg4_us[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\IE_logo[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\isf_312821.flat (1707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004D676.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\PL.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\FI.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004D6C5.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (3725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\default_tb.png (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\bg1_ru[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004C158.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\Rerarapepe3[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Close.png (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\bg3_us[1].jpg (4963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\bg4_ru[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312728_stp.CIS.part (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312728_stp.CIS (4940 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\ZH.locale (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\Beginogo_N[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Progress.png (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\logo[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\bg2_ru[1].jpg (3056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\NO.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\Beginogo_BR[1].jpg (4816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000476F1.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\TR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312702_stp.EXE.part (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Color_Button_Hover.png (846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\DA.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Icon_Generic.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312702_stp.EXE (7860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\EL.locale (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\default_wi.png (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\ID.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\install[1].png (639 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\CH_logo[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Grey_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\Rorawaker_Logo[1].png (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\bg1_us[1].jpg (5101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\RU.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004E115.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Grey_Button_Hover.png (1 bytes)

The Installer deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\isf_312821.flat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\install[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004C158.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000476F1.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004C531.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004D676.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004E115.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish292609\bootstrap_15771.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0004D6C5.log (0 bytes)

The process wuauclt.exe:304 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Installer deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

Registry activity

The process %original file name%.exe:1388 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 1C 35 E4 7E AB 73 DD 98 3C 93 A2 98 A6 B1 91"

The process %original file name%.exe:1476 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC E5 9A 65 3C 20 A9 68 AA 9D C9 72 7F 3C 36 1C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Installer modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments: This installation was built with Inno Setup.
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 8
5385f3be4840e1d49eaf2d9b0bd468f7
b1e3ab31c18edfdab516ecf116ba9d48
7ff080381702261148822ac6a39b53a2
3025d04823063889cf2e8c11396d86e8
9c0112df9976a6df0305f43d19103fc7
69fd34b6ee439cfad15610b8e8918034
5d8ece51fbfc191a2c707a2b5a6ae536
68f32255c4f4efd1b6ed82d15ac3ceee

URLs

URL	IP
hxxp://os-slv-1323817372.us-west-2.elb.amazonaws.com/Ecommfactory/?v=3.0&c=454163425
hxxp://districdn.com/flash-ie/install_flashplayer11x32ax_mssd_aih_ie.exe
hxxp://districdn.com/flash-ie/install.png
hxxp://geosrvlb-629133695.us-east-1.elb.amazonaws.com/details
hxxp://img.tatomayey.com/img/Rodedowo/Rodedowo.png	146.185.27.45
hxxp://img.tatomayey.com/img/Rulilap/bg1_us.jpg
hxxp://img.tatomayey.com/ofr/sqlite3.cis
hxxp://img.tatomayey.com/img/Rulilap/bg2_us.jpg
hxxp://img.tatomayey.com/img/Rulilap/logo.png
hxxp://img.tatomayey.com/img/Rulilap/bg3_us.jpg
hxxp://img.tatomayey.com/img/Rulilap/bg4_us.jpg
hxxp://img.tatomayey.com/img/Rulilap/bg1_ru.jpg
hxxp://img.tatomayey.com/img/Rulilap/bg2_ru.jpg
hxxp://img.tatomayey.com/img/Rulilap/bg3_ru.jpg
hxxp://img.tatomayey.com/img/Rulilap/bg4_ru.jpg
hxxp://img.tatomayey.com/img/Beginogo/Beginogo.jpg
hxxp://img.tatomayey.com/img/Beginogo/Beginogo_BR.jpg
hxxp://img.tatomayey.com/img/Beginogo/Beginogo_N.jpg
hxxp://img.tatomayey.com/img/Rerarapepe/logo.png
hxxp://img.tatomayey.com/img/Rerarapepe/logo_new.png
hxxp://img.tatomayey.com/img/Rerarapepe/Rerarapepe3.jpg
hxxp://img.tatomayey.com/img/Mapayuy/LOGO.png
hxxp://img.tatomayey.com/img/IE_logo.png
hxxp://img.tatomayey.com/img/CH_logo.png
hxxp://img.tatomayey.com/img/FF_logo.png
hxxp://img.tatomayey.com/img/Rorawaker/Rorawaker_Logo.png
cdneu.tatomayey.com	146.185.27.53
geoip.infra-team.com	174.129.249.174
cdn.neoinstaladores.com	91.121.203.233
os.tatomayey.com	54.203.246.77
cdnus.tatomayey.com	74.81.69.244

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /flash-ie/install.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.neoinstaladores.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Content-Type: image/png

Last-Modified: Thu, 21 Nov 2013 12:53:49 GMT

ETag: "a5c1535-6f3-4ebaf638f9140"

MyServer: powah2

MyServer: CDN001

X-UA: cdn

Vary: X-UA

Content-Length: 1779

Accept-Ranges: bytes

Date: Wed, 09 Apr 2014 00:42:48 GMT

X-Varnish: 2097491103

Age: 0

Via: 1.1 varnish

Connection: keep-alive

MyCache: vCDN001

X-Cache: MISS
.PNG........IHDR... ... .....szz.....bKGD..............pHYs...H...H.F.
k>....vpAg... ... .........IDATX...].$W....VUWwU..|..q6...8.L$...E.
.."..D.y. .."y..W....`.....n|......]p6.Bl5....d'.=...u?|..........(...
...9.{..*.................vV..]..4q..Sv[.D....g.K....>S..]...}.t...
...A...}..{../.... ....w...v.....4l.....]..nL........`....Vr`..:W.K..V
}..Z.r.|...l..w.J...n.7.D.9.D..M.j.M.h.Kw.O.s..WO...b.}.Y{sc.#n.FAl...
.B'...... Ms<7.H.%)..s(.../=e.........s...O...n.VY5."....".$.I.C...
..!..d..F8..o.............0....9.k...%,..%..xC..g.....r.Ge7)..e20.{N..
...Pi..3.d.HKS..H...`......A....... ..mG`I.l.....8.....s.,...,..E..t..
.|.Jf..d.>.;.......v.HA_ze......b..|..*.*p$.#...........6.....S..(.
)3((.K.... >.)...y...`.....u....g2.W/.Z#j4[dI\:)tMYlI...D.\.;|..._3
.. 1...8..8.......;....G.2P..!U.<,.m......}....... {..JZ=..-... ...
`.......7c......#....{....../.....Co..[R[...lk.#%...B..x#Q............
.a..h..}......y....)...- ..aL.H.. ...h1...,...l...L......z>VH.k...V
9.h......9...G.....?.(.hr.......6...!..C.@[[]........%.zD.....|.3.g..J
7{...............%...bt...M.i........D4..........>.DA..7........*g.
9z....eq..........F.E3,|.{.=.iT......l^....H......B.....:..lJ.DQ..].$.
...6.Y........cn.~.V...^..ep=....."....d.p .....:].......:..Z......2.t
?.f..^...>.C.<..r7..c..R....k._?.{.d..0......9...^.=....kW.z.ox.
....w.....M0.....H.L9..vG....2.k.z...|..<....5...'.. ..N....0......
......C.l.(.F:F.u..~.Yj,...#d........c.......4....v.px.^B)...6.j~..Zf.
)[email protected].[~...M.0.&iE...e....;
<<< skipped >>>

GET /flash-ie/install_flashplayer11x32ax_mssd_aih_ie.exe HTTP/1.1

Range: bytes=0-1004887

Accept: */*

Host: cdn.neoinstaladores.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx

Content-Type: application/x-msdos-program

Last-Modified: Tue, 19 Feb 2013 17:44:02 GMT

ETag: "a5c0e89-f5558-4d6176318bc80"

MyServer: powah2

MyServer: CDN001

X-UA: cdn

Vary: X-UA

Accept-Ranges: bytes

Date: Wed, 09 Apr 2014 00:42:48 GMT

X-Varnish: 2097491104 2097491102

Age: 0

Via: 1.1 varnish

Connection: keep-alive

MyCache: vCDN001

X-Cache: HIT

Content-Range: bytes 0-1004887/1004888

Content-Length: 1004888
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......6...r..Ar..A
r..Al.HAp..AUK.A|..AUK.Aq..A..ZAs..A{.HAB..A{.YAo..A{.OA...Ar..A...A{.
EA8..Al.XAs..A{.]As..ARichr..A................PE..L......P............
.........p...P..P0...`...@[email protected]....
@..........................................@...c...........6..h...D...
....................................,2..H....................9........
..............UPX0.....P..............................UPX1.........`..
[email protected][email protected]..................@.........
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.08.UPX!......I3n.C!....G.......&../....h...,[email protected].
u.Wj.Y.*_n.f....t."!...E...... ...@....:...V.P.*.0@...._^]......W.|$..
'......o4t.....rFVj..G........u....-.....W.t$........F...........u.q..
..^.._.....0t.1...= ..".3(j...W:...4...L.).,0....as30..$.z...5G.x.....
%..-6..D7x.......Pb..........1.`[email protected]_ ..........
7..SV....8Z..=j3...C......%..~.....z....q .0v[pN......-.`....C[P-..,..
[email protected]{N,. .M.....vs.<!.g..*...xxi.[[][email protected]..#
hw.v.J."i3...D..}.~*..I*HTP....#.Y....B...a....U.R&..P....u...9..4
<<< skipped >>>

POST /details HTTP/1.1

Accept: */*

Host: geoip.infra-team.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 7

Cache-Control: no-cache

foo=bar
HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Content-Type: application/json

Date: Wed, 09 Apr 2014 00:37:25 GMT

Server: TornadoServer/3.2

Content-Length: 327

Connection: keep-alive
{"city": "Kharkov", "region_code": "07", "ip": "193.138.244.231", "are
a_code": 0, "time_zone": "Europe/Zaporozhye", "dma_code": 0, "metro_co
de": null, "country_code3": "UKR", "latitude": 49.98079999999999, "pos
tal_code": null, "longitude": 36.252700000000004, "country_code": "UA"
, "country_name": "Ukraine", "continent": "EU"}HTTP/1.1 200 OK..Access
-Control-Allow-Origin: *..Content-Type: application/json..Date: Wed, 0
9 Apr 2014 00:37:25 GMT..Server: TornadoServer/3.2..Content-Length: 32
7..Connection: keep-alive..{"city": "Kharkov", "region_code": "07", "i
p": "193.138.244.231", "area_code": 0, "time_zone": "Europe/Zaporozhye
", "dma_code": 0, "metro_code": null, "country_code3": "UKR", "latitud
e": 49.98079999999999, "postal_code": null, "longitude": 36.2527000000
00004, "country_code": "UA", "country_name": "Ukraine", "continent": "
EU"}..

POST /Ecommfactory/?v=3.0&c=454163425 HTTP/1.1

Accept: */*

Host: os.tatomayey.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 818

Cache-Control: no-cache

0A0CzutD0EtC0RtC0FtC0HtC0HtC0OtC0TtC0RtB0ZtC0FtC0CtB0UtN0U0I0DzutDtDtD0CtBzytA0F0CzytAtDyB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAtByDyBtBtAyEtDyCtN1L1B0A1Q1H1L1GzutCtN0T0KzutAtCtCyEtBtCtN0U0I0DzutDtDtD0CtBzytA0F0CzytAtDyB0AtByDtN0S0D0TzutBtDtCyEtDyEtDzytDtAtAyCtCtBtByCzytN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0M0A0C1V0LzutDtDtD0CtBzytA0F0CzytAtDtN0P0E1V0M0O0D0Ezu0D0L0LtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0CtA1RyB1SyEyEzz1QtB1OtDyC1PtDyCtDtC1StBtD1SyEtA1TtDzztDtD1P1SyD1PtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutBzyzztN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutCzyyCyBtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1O1I1T1B1M1V1E1I1T2U1P1C1VtCtC
HTTP/1.1 200 OK

Content-Type: text/html

Date: Wed, 09 Apr 2014 00:36:35 GMT

Server: nginx

X-ADS-CC: UA

X-ADS-TIMESTAMP: 20140408203633097

X-ADS-VERSION: 1.2.2

transfer-encoding: chunked

Connection: keep-alive
1f88....|..]t..^...&...C|...~.I2...I...;....X.._........0...t.... Z...
=&.i...CHnj.3..R4`..x.{.r`......F".J`.V..%b....*.(c.N...m.......r*S.D.
...*[email protected].;.t8.[izS....j. k.a.6.xS.p.k..........TB..4*SXv..L...d.r.#
.h......`.o.S.1Y....e.2....\:..KV...r<.*.A.l.k.... ..0.%...B.. .T..
..f.9....fk#..B..!H.1..J.c.O.xI..B.u^..G.x...1~..Y...".....l.0...37..t
%9([email protected]<#..).c...A..R.1....Wr...c....~Z.. [email protected].......
_).lU......x>...2C2.f..........aU......~vKsHY.YC.....&a...4.,..4H..
..1..........|..yA..w..!.LPGsz.Ny.#v..F.....5...%...TOQC.6..&....dk.0.
.GIpe.X........w.{Hw.[........<.......<.!....S.s.c.t.SQ....q..H.
O..D..j.5. .........6/..{9h...H....2.......M...p.....JNg. ..;.L...8p.K
[email protected].;... .j..8p._H.......hp....".X1...u.S.y...{....n..L...~
6......hb.Lp...(...q....#.h.........fL.j..$I. .....jN......7..H.......
n..H.R..d...KI..T.n.5^.....}....k>.x.:.a.e..(p.K2...........0....`.
T.........q.........[.p...~.\[email protected].(.<zf..l...e(.~b..c.
..z..*(P..?...^...N.6.C.a.4........8...4..lb'.....Jx..0.K.n..3(......l
.z...GkK"`1...... .......4.L5..k........b.F..(fR.R..X....Z...a...8*...
9p......(z."....WC,.N.(..._..=.....v4.*x ..2.J.....i......x....t......
..^.j...1..*....5. ._Z.2{D.D.S.......4..y.7.z~lb.4....g.2......B......
...0....D~..Uf....]..*..E.N...ft......>...l@`...f.......G.53..v..B.
....T...IFF...F4.5.....&d....nG.xN)....i..,.<a.....9AG..~Y..7Se....
.i.._....B.p...0.rV.Fq.?...bg...Jvw..|...........L...h.......t.....{KF
'.Y.8.[.`......(#......,.d....m.;[email protected]..].M...NA.eS.~.|7!.y.[.
<<< skipped >>>

GET /img/Rulilap/bg1_us.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:37 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: mAdxVYv07pgYJGm4vWtr z7xvtau2LeT8Z2qA 0in7eEhqUSMB4FsqF55  gt9AS

x-amz-request-id: 8F03397238478783

x-amz-meta-s3fox-filesize: 19940

x-amz-meta-s3fox-modifiedtime: 1389781511512

Last-Modified: Wed, 15 Jan 2014 10:25:22 GMT

x-amz-version-id: W8DUE0VZh4ccBw51SEKej3toLFi409KJ

ETag: "00ce656543967661514ce4f214e842f3"

Content-Length: 19940

Accept-Ranges: bytes
......JFIF.....`.`.....hExif..MM.*.................>...........F.(.
..........1.........N.......`.......`....Paint.NET v3.5.10....C.......
..............................'!..%..."."%() , . /3/*2'* *...C........
...*...**************************************************........0..".
...........................................................}........!1
A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghi
jstuvwxyz.............................................................
.................................................................w....
...!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZ
cdefghijstuvwxyz......................................................
..............................?....(....(...(...(...(...(...(...(...(.
..(...(...(...(...(...(...(...(...h.......iR2......e/.x..cC.....\.....
6.~..3.............#...(.. z.......|.,sF.w-x.......u=|.V.9..TB.d.,....
n.....[{.X.nv,..].....Q......F..0vP.1n.....|....N_.......4K.O#....3Q..
R!..J....s.=.t..t........./.....4.lK4r..n.....H..>.....R..N._C....f
W..)b. .>S..Nx....$VsKw.*<C..FD..7...[...,.P....,.?&s.......r\(.
.H.?..=p3.Q.9...~f=..m...^.....1.^[email protected]...... .(...XH.(..t...-.
.F...O...'s$.`[email protected]........:....M...'.;.*..^............ .O.. ..`
`HfA....C...U...\.f<g...A..R[...Fx........<.G..2<.-.M..m.. .R
.it4..n`]hB.TI.~.`.L..j...f..Hl...............E}.=...p....&s.^.b......
.v.b..p.\|...L.%Q[n...f-....:h#...O..,....<UK....l.k.a.|.......5...
[email protected]$[..E...?.._j....x.F.I....X..I...C....PI...Y>....p
<<< skipped >>>

GET /img/Rulilap/logo.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:37 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: G9oXdp187xt0qkHtjW/xrfJGLk6j/TS1QjEbjFImZVr6G sYmlHofjdvJwP 4ZVZ

x-amz-request-id: 532D9E7BF3BF98C0

x-amz-meta-s3fox-filesize: 35910

x-amz-meta-s3fox-modifiedtime: 1386506285075

Last-Modified: Sun, 08 Dec 2013 13:19:55 GMT

x-amz-version-id: XU0WkwE9xr9ndySKMI0rjIuy3nQX8jSj

ETag: "c890f13acf547eeff337e67f3883d08a"

Content-Length: 35910

Accept-Ranges: bytes
.PNG........IHDR.......i.....U..z....tEXtSoftware.Adobe ImageReadyq.e&
lt;....IDATx..}.|UU..w{.M..!!...7..&...W..;:..........*..."... .......
.[.....3....ks.mr.9......U..:..8....;.v...%l.l:.:6'.u......=.l...z..m5
[.. [.......k...Z...-......5..:.u..f.,l9l'..<.-S.3_..6....q..[.[.[H
..G......l..........E.....b.....l..%h.....f.....4n\..'`*...@.....{w~..
.>k..`.E....DKk....i'L......(.k.,.W..a.o..v.8.m................hf..
...Q=n....h..].q..Y(..Ab.....M./.[<h.l.........\..[N>...".o.J ..
ksa...X.v......S.......0Y..3j(6~..f........hnhAQV.R..E[...!..w...`.'^x
......z....t.....F.....".a..dDR..F.V..X...K?.....HHO.......3g...8.m..p
$...j...S..!.i.t...[^.l...F..u..;.....8\.......QT48q....../..3/....?..
Z.A..z...}.I.|...?r8.J. ..!f4...........Q....a....D.b.x<p.5.b.8.8..
U ...X8......6\9...9a*....A.QU...v/......R.2'....Y'....f...0lH?.-6T..@
zf&........wT"...R.x.z...$%&r....~7.R..........{R2.:3B.NT..#==.}.....f
Kf3..d...I..[...l7..../../...Sk.....i....l_.G..p...%...5.\.Z.$.._z.n..
.$.....1......t..u..|.l.Z[[email protected](..[9[i........r.[...}_..._
>.......K......i.O.a.1>X..,.Z.........."..t$&a..Q.4._....I....}.
}../\.Q...*....C,.5.....m...:k...a$'..w..HJO.#..,.......s. U.....,....
...Q_s..6o...J......)......9b-G.U.*5..5.z..o...wY....o~...g.)..,@[....
:.m..$....~<....5.J..*..y.X.p...x=...].`..9X.j%v..}.\.ii8P...X.!...
..D.....i.;m.GfSN~...B.f.UW.p<..0[...._...y.f...i._.......p.\m....1
....[....}.YZ.d........#.l...'..S'(6....s{,Y]{.mh...(9.-=T.....Q...u..
v......"...Y3g...'.;.?..m.......J..F5 ....o.W.n.Pm......R.94.t...l
<<< skipped >>>

GET /img/Rulilap/bg4_us.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:37 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: 6WuC0zL14z9GBhIQVoRlJF7V8kdLMnH3Jgdup/5eOuy3hmFEXdCyeHFoVeiM5dzN

x-amz-request-id: 067EFF2EA44CFC4F

x-amz-meta-s3fox-filesize: 30486

x-amz-meta-s3fox-modifiedtime: 1389785709303

Last-Modified: Wed, 15 Jan 2014 11:35:20 GMT

x-amz-version-id: 66GflDTA_Z7DCv7RokWjIBGxEHMH19Oj

ETag: "b2e66aa870c501c5f6e3dfb166ad71d5"

Content-Length: 30486

Accept-Ranges: bytes
......JFIF.....`.`......Exif..MM.*.................b...........j.(....
.......1.........rQ...........Q...........Q..................`.......`
....Paint.NET v3.5.10....C.....................................'!..%..
."."%() , . /3/*2'* *...C...........*...******************************
********************........0.."......................................
......................}........!1A..Qa."q.2....#B...R..$3br........%&'
()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
......................................................................
............................w.......!1..AQ.aq."2...B.....#3R..br...$4.
%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.....................
...............................................................?......
zO.,..uk.(..{Go;"......\L~,.d...".....v....W..c..?........7..#...}>
[email protected]*.......z...?.............Kx...fEf .H.5'....O..P..~ .T..\x
.S..`$x.......d..}Eu)...^........b.[..N....|u..1^{....<....5....p.Z
I"E.ZX..,.uV.PFG..N.....o|1.....[..0.....p.p.....'...h..#.3...,.).=W".
.. .l.E.Y........:..B.?...A....^...k..]....?-#. ..B.g..DEL..;.c.....[.
d.6..x..c.......T.y.....g./.. .o.j'n3...3.j..|k....O..........JRS..,%,
..U..>`..VR......u MR......("{F......!H.*.....).w.)I<U....._....
O.......^zx......_..U.....~....s..<..>.s2........v3!...p?.Q.....
:..;..H._..C&..../....H._..C&..../.....Q..]...q......=..B...o.. .x..=.
......$~/....P......eG.$~/....P......e\..W..E.......q..N...$b.N}Xc.ET.
.P....R.X....3q..._.$~/....P......eG.$~/....P......e\.jZk.......|2
<<< skipped >>>

GET /img/Rulilap/bg2_ru.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: vZ1vwkqzIFbDVKraiO3h24h36rn/xULogD Nqu5fUBEbHOZTU/QIjURaano5XZOk

x-amz-request-id: 3F4F0EE225F2D167

x-amz-meta-s3fox-filesize: 35726

x-amz-meta-s3fox-modifiedtime: 1386508731893

Last-Modified: Sun, 08 Dec 2013 13:19:54 GMT

x-amz-version-id: laCzrLAMyWcgPN41w4AS4g.L22RoU5lg

ETag: "d91679c5bd4129d808a9fb38a3edb4d3"

Content-Length: 35726

Accept-Ranges: bytes
......JFIF.....F.F......Exif..MM.*.................V...........^.(....
.......1.........f.2.........x.i...............F.......F......Paint.NE
T v3.5.10.2013:01:03 10:49:21.........................................
...................(.................H.......H.......XICC_PROFILE.....
.HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB................
.......-HP  ................................................cprt...P..
.3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@
....dmnd...T...pdmdd........vued...L....view.......$lumi........meas..
.....$tech...0....rTRC...<....gTRC...<....bTRC...<....text...
.Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966
-2.1............sRGB IEC61966-2.1.....................................
.............XYZ .......Q........XYZ ................XYZ ......o...8..
...XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.
iec.ch............IEC hXXp://VVV.iec.ch...............................
...............desc........IEC 61966-2.1 Default RGB colour space - sR
GB............IEC 61966-2.1 Default RGB colour space - sRGB...........
...........desc.......,Reference Viewing Condition in IEC61966-2.1....
.......,Reference Viewing Condition in IEC61966-2.1...................
.......view.........._...............\.....XYZ .....L.V.P...W..meas...
.............................sig ....CRT curv.......................#.
(.-.2.7.;[email protected].^.c.h.m.r.w.|...................................
............................%. .2.8.>.E.L.R.Y.`.g.n.u.|........
<<< skipped >>>

GET /img/Rulilap/bg4_ru.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: 628wt3whJLjTbbVx9ByZ0rrd42kXoEIzE neWK/u28fdf7t3f AQPkuYfmx7okxY

x-amz-request-id: 5D5850847EFD7EE9

x-amz-meta-s3fox-filesize: 35270

x-amz-meta-s3fox-modifiedtime: 1386508766758

Last-Modified: Sun, 08 Dec 2013 13:19:55 GMT

x-amz-version-id: 0Qs2DJsPEq2EvoEIq4wV4WPPUdJXl7W_

ETag: "f066ab9757be0f73a0bfeed39ce66178"

Content-Length: 35270

Accept-Ranges: bytes
......JFIF.....F.F......Exif..MM.*.................V...........^.(....
.......1.........f.2.........x.i...............F.......F......Paint.NE
T v3.5.10.2013:01:03 11:37:11.........................................
...................(.................H.......H.......XICC_PROFILE.....
.HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB................
.......-HP  ................................................cprt...P..
.3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@
....dmnd...T...pdmdd........vued...L....view.......$lumi........meas..
.....$tech...0....rTRC...<....gTRC...<....bTRC...<....text...
.Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966
-2.1............sRGB IEC61966-2.1.....................................
.............XYZ .......Q........XYZ ................XYZ ......o...8..
...XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.
iec.ch............IEC hXXp://VVV.iec.ch...............................
...............desc........IEC 61966-2.1 Default RGB colour space - sR
GB............IEC 61966-2.1 Default RGB colour space - sRGB...........
...........desc.......,Reference Viewing Condition in IEC61966-2.1....
.......,Reference Viewing Condition in IEC61966-2.1...................
.......view.........._...............\.....XYZ .....L.V.P...W..meas...
.............................sig ....CRT curv.......................#.
(.-.2.7.;[email protected].^.c.h.m.r.w.|...................................
............................%. .2.8.>.E.L.R.Y.`.g.n.u.|........
<<< skipped >>>

GET /img/Beginogo/Beginogo_BR.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: qXuHGox4NQZaFlXgiCzB ZkcGMtIwr07EMrMvKJufR oTenFCjCwW2e gzafAbls

x-amz-request-id: A4A135272D6EE863

x-amz-meta-s3fox-filesize: 43160

x-amz-meta-s3fox-modifiedtime: 1384437539506

Last-Modified: Thu, 14 Nov 2013 14:01:25 GMT

x-amz-version-id: M6JEwdzsilvzVsINdsWWpi8JEVwt1nbK

ETag: "c9bec9d091ab8402ec856da80eede14c"

Content-Length: 43160

Accept-Ranges: bytes
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:33EF7B7B3E24E3
11927FBCF44F044CBF" xmpMM:DocumentID="xmp.did:AE4D09524D2611E39950E309
313A7E5D" xmpMM:InstanceID="xmp.iid:AE4D09514D2611E39950E309313A7E5D" 
xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:3933C4A2183FE3119EBADE52D0CCAE41" stRef:
documentID="xmp.did:BE7256AC244A11E3A018FD60ACFE8DE2"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.......................0..............................................
.......................................!....1...Aa".Q..q.2#....B.&....
.Rr.3..$.b...C.Scs..4D...T^6........................!1..AQaq"....2..
B.....R.rb.#[email protected]/[email protected]
[email protected]..:............[:".*.._s..l....*1}..%.. r....:............
[:".*.._s..l....*1}..%.. r....:............[:".*.._s..R#. r.....*%
<<< skipped >>>

GET /img/Rerarapepe/logo.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: DqbruMuBPc4PW2oao60VwcnVboJEDLrAcKiEb2Nb1uaI9AQ63tvah6TJnTJoabJ0

x-amz-request-id: DB82A4C34D62E506

x-amz-meta-s3fox-filesize: 10944

x-amz-meta-s3fox-modifiedtime: 1384099835051

Last-Modified: Tue, 12 Nov 2013 11:05:48 GMT

x-amz-version-id: bDPFTNRsfueKXbAbmeVgRbPvzBoRvTw2

ETag: "0440e25b659207aaea00512d9a0a9924"

Content-Length: 10944

Accept-Ranges: bytes
.PNG........IHDR...L...^...........*.IDATx....T.....M...F."b.....F.Q..
..{.%..{E.........{.H....J.~*.....gN..j....._.Z..g..ff.....9C."..t:]'.
F3-55uOjZz.......o....\...'....&J4[O*.=i.`%Y...................E."....
.Z.>.69%;6.....HNIEFf&.J.,..r~..}.p).....e..V...3./)....A\|........
......   k,Q...M..B..h....../..N........#..!V.P.y'X4J...v...Z...o.{ ''
....L9....M.....7...l....Ml..SS..........$..C!.3.\...........A.'......
.m_..%x...."@....)V%.?|WX...Y\.C.c.r.V..R....g...:.\2....4..M.R9X..b..
.b......,.U..t.b...Z...P..Q*......7.......t.B.{....@jY!.....Q......Tdk
...3;...s..0... ....@.&..m.ktE.f. I.M..1...`..V..d[.9..qG.&".U..C..u..
.W.C{..4'..v?.....\..>......h<.C{.(4...u...G..E=Gvj..7[.?.:.?.K.
9...e..s........,--=....[W'...v......R....^<...!..]........>..j.
.......].v.....j.v..l.j.V.wn.j.&(I.][.r...Q.x..>....Hay...99f..;.%.
.R..Q_...h4Sy...a]....J.dQ..o........... 9...8.2Br..)...a)w..]...h.f.K
.}#i.T[.......u..(.;.....d=....,..{....Z..._.Q..t:... ..H.R..Wt.f^...'
6.Xu.\.DU*...u.oAK....&KQ.# .%.Q..f......{34.-.>.M............6'(.8
@.y..Z.......$.UP:...i.../..5....V:..\[email protected]'@B.:..f.\..,......17.....
..&.Qn..t..DJ.~w..z.j..........e.Q......&..tX...s.5s*..OA...HY......c.
..d@. .\[email protected][)...!h..P..r..,A...A..b......O.Oyr.i..".*....
m.EA8...r....T.6H.DP.....n.y=4.LG..1m2N.n.G.rX..........?.....5%mp.A=.
[email protected]/....J.r!..W.t..r.#Y..J.g.c...{.H,N...>r..lY.'.4....
.m.....D.t..YT.d. hN..P.K`.....%\..a-..~....l..s....?...5....8..P... .
.....5.............3u"...#s..(....7@R,.....Es.9..(...m#k.8...tiP..
<<< skipped >>>

GET /img/Rerarapepe/logo_new.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: s9Pbid683I bLXCdgFIQMns4aeNczfz IoURyfEySnoQyRDiyb1hRNcGRzIr0eeP

x-amz-request-id: 2463B02AC48341CD

x-amz-meta-s3fox-filesize: 4569

x-amz-meta-s3fox-modifiedtime: 1388397217065

Last-Modified: Mon, 30 Dec 2013 09:53:59 GMT

x-amz-version-id: FBdIFQNqjG8fAIwxlMklzjPUXqz3Asib

ETag: "3263ff057b8e7380f7579d5aaab2bfdc"

Content-Length: 4569

Accept-Ranges: bytes
.PNG........IHDR...2...2......?......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2A43320D713811E3B459B11F
BD9400CD" xmpMM:DocumentID="xmp.did:2A43320E713811E3B459B11FBD9400CD"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2A43320B713811E3B4
59B11FBD9400CD" stRef:documentID="xmp.did:2A43320C713811E3B459B11FBD94
00CD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>v.Gr...MIDATx..Z{p\U......$.l.6M.jc..P....T
.N.*3.80`...:#.......3>...F..|...3>..hE..(...P-i..y7.$....{.=..w
......6)...~.....~..;.PJ.....ur.n.......O|.&...hj&.H.e2$l..y.T*...D.3E
.#.A -^t.....TzA-....P.N..i.'.........T..z>.GT.%r........"..H9....R
...I......}..@.^../..?o.U...F..c.qA.H.?A.(a.....k....,.!Vb.......:58.K
...@z>K[.......S_....T.......... lr......GU..~.....C......t24;f.M.R
%...4......`............%..aZ`.... [email protected].&0^.`v. u.
...?Y....e..%.."ik..^....s.}.~.8Iu..?........m...{ix.KM..........,4R..
[email protected]]p!%Z..f.$k......hB.......DK...R.&..k..%#e.
<<< skipped >>>

GET /img/Mapayuy/LOGO.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: lZtoa4n Dbnfri5SYRfKWy 971CEtU 8ZfUk8yIq3FYJw6tYe2d0dfX7 rbU8UGA

x-amz-request-id: 295E407F946DC6E7

x-amz-meta-cb-modifiedtime: Mon, 10 Feb 2014 08:51:03 GMT

Last-Modified: Mon, 10 Feb 2014 09:24:37 GMT

x-amz-version-id: 5u3JQZ1GPK62zlrEEfaN7rrrBMh6wKoK

ETag: "14f5d50e6a8628e97604c97e4735fe7d"

Content-Length: 16671

Accept-Ranges: bytes
.PNG........IHDR...,... ........y....pHYs................OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /img/CH_logo.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: zp1PULbiC5hUvxy0Dymh5T457D/rZ5zN8ajMpAguAxyar02iEIIDd98fSlBvb3oR

x-amz-request-id: A991D3B5E2D84417

x-amz-meta-cb-modifiedtime: Thu, 21 Nov 2013 15:31:44 GMT

Last-Modified: Thu, 21 Nov 2013 15:40:01 GMT

x-amz-version-id: osjur0cYkvY0gJkbPOZZ_tbD.fAnrMVX

ETag: "ad8ed967a43ae4d7d6c28ff2ed3c8550"

Content-Length: 4577

Accept-Ranges: bytes
.PNG........IHDR.............Rf.2....pHYs..........o.d...OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /img/Rorawaker/Rorawaker_Logo.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:39 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: /Q6othGwKxNdKUYFFi2DJj6bE4vop7h0GZRK qerNSOC6Rs2irTNaC5DPtM7Zi j

x-amz-request-id: DE597F2871C35391

x-amz-meta-cb-modifiedtime: Sun, 16 Mar 2014 15:15:43 GMT

Last-Modified: Sun, 16 Mar 2014 15:16:12 GMT

x-amz-version-id: gZHkojfQQbPQRO6L43o4Qv0_5LboQGm5

ETag: "5ea806f38dd30529aed6e9c467ab7fb3"

Content-Length: 7685

Accept-Ranges: bytes
.PNG........IHDR.......(......}VB....tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:6DADCFC9ACE211E3A5B1F522
388DA20B" xmpMM:DocumentID="xmp.did:6DADCFCAACE211E3A5B1F522388DA20B"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6DADCFC7ACE211E3A5
B1F522388DA20B" stRef:documentID="xmp.did:6DADCFC8ACE211E3A5B1F522388D
A20B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>..du...yIDATx..].X.g..\.V9l.%g....D...E .b.
u[k......n...|...S.vw...k...D.j......"[......H.*I8...$...d..L&L...H.y.
g. .yg........;..z=.n..n....C.n.6q.s,;.Y...X....n....HLH.J|(..=.?.vQ..
........../%........O.t.L..}.g.T..v.-..Y......;.. .t..F.e9./Ha...m=X..
a._._....?v.........~-...l....."...q..I.........WR...".<y".A...5B.*
......'.....H&.9L.;.r....t.,.Z.......= X.8..=.."....d.?.?dL.{.....r.-{
].kW-t..F..^.....iy.4......Z............../b.h.B...?...JL..f...cH...fr
..g.O..t......4/..a.1H...!{]..k....O..7..4...X..v.................]J..
[email protected]#@....'.....d4..m.vu.....]_T....i.!i..9...&...
<<< skipped >>>

HEAD /flash-ie/install_flashplayer11x32ax_mssd_aih_ie.exe HTTP/1.1

Accept: */*

Host: cdn.neoinstaladores.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Content-Type: application/x-msdos-program

Last-Modified: Tue, 19 Feb 2013 17:44:02 GMT

ETag: "a5c0e89-f5558-4d6176318bc80"

MyServer: powah2

MyServer: CDN001

X-UA: cdn

Vary: X-UA

Content-Length: 1004888

Accept-Ranges: bytes

Date: Wed, 09 Apr 2014 00:42:48 GMT

X-Varnish: 2097491102

Age: 0

Via: 1.1 varnish

Connection: keep-alive

MyCache: vCDN001

X-Cache: MISS

GET /img/Rodedowo/Rodedowo.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:37 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: UNiVDmYblbMK2V0zf42yr6wGR7HjHaOQTpNTyrgzNNMLM1fSPe13AsuTZdd6 T3J

x-amz-request-id: 9680BAE4ACE66F7C

x-amz-meta-cb-modifiedtime: Sun, 30 Mar 2014 14:27:53 GMT

Last-Modified: Sun, 30 Mar 2014 14:28:44 GMT

x-amz-version-id: PmI6WLH3gY4TjiVC6NwxRIKM1yOR1Nu8

ETag: "263072b8bd388c4c7e43d56565d36a0e"

Content-Length: 7825

Accept-Ranges: bytes
.PNG........IHDR...0.........0.......sRGB.........gAMA......a.....pHYs
..........o.d....tEXtSoftware.Paint.NET v3.5.11G.B7....IDATx^...[.....
....}./s........Af..d.A.Q.......&.ep..1...c4..1z^..w.....u...T|jU....7
...U.......H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#
.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#
.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#
.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#
.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#
.H..#.H..#.H..#.H..#.H..#.H..#.H..#.H..#l...O.>z..n.....O?.d7.h....
.....{.U..qq......^..../..6...]^^.{|..exx.........ibb.....gA.....t.v{.
.7o......C.\.r....k./]...c..E.v..U......m.t../oS ........?n.{...v.Ojj.
.S..../_.LJJ*..nmm=....#...w...{{.....o_[[....1.....ddd..o..B=SRR.....
....[ZZt.......v.@.]......~..no....{zzjkk.....p_}...mnn..j...3..^.....
x.RWW766fw.....@z....={..A............rD .W.*..T.....[...}..y..eeeepp0
&&f~~.^.G9.r..w....k....v..gqqQ'..H.tRqqq!JI. .... $...tE.....^:;;U...
............Kt......E_0..fff...e...{..yc..h_QQQ..B)......v{....._..511
q .T__.".n..B........R........~.}.vaa...KeeeYY...b..'[email protected]!Y~..w...;w
................Z......._~..UM....H---v....o ........nox...remm.......
S.011a7..).t......(.....F ..\8y.....@..?.o ....\..k..s...:d.......X...
..;.../_.m/a....i.......O....K.d...@..?.o ."....vc..#G...........k...#
XQ...3]..rv{..H.o....),U..={.n......./jkk...;.H:........)@ ....8p.nl((
(.z..5.<.U..;........nl....h ........n.=.......r1;;;--....v. ..
<<< skipped >>>

GET /img/Rulilap/bg2_us.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:37 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: I/UKC10gdJp7xXk7ULm9XGXZyJNoIL hVU5jEwkVTC35k1001LxJm aADOzBP52 

x-amz-request-id: 46CFDB551B799300

x-amz-meta-s3fox-filesize: 38100

x-amz-meta-s3fox-modifiedtime: 1389785576439

Last-Modified: Wed, 15 Jan 2014 11:35:17 GMT

x-amz-version-id: w0UWnIbQ_UBdAc0gCrQmsS8rQmaX02Ja

ETag: "5a7e847f6c6f35396fc3451bb0fe2973"

Content-Length: 38100

Accept-Ranges: bytes
......JFIF.....`.`......Exif..MM.*.................b...........j.(....
.......1.........rQ...........Q...........Q..................`.......`
....Paint.NET v3.5.10....C.....................................'!..%..
."."%() , . /3/*2'* *...C...........*...******************************
********************........0.."......................................
......................}........!1A..Qa."q.2....#B...R..$3br........%&'
()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
......................................................................
............................w.......!1..AQ.aq."2...B.....#3R..br...$4.
%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.....................
...............................................................?...;Y.
g..`.i..'5.h.....7.oc..1..pOM.6...?C."...[.0...'.X...n..U[...v...5..N.
.w<.<EirEYw1.m.O..g..(\.L......~.......`...=:...y/%Qn....I....HC
(o9..V9E.@>..V.-#..x.>[email protected]....~|*..}..D.p...*
8.Q.Q.()-D.m.....;..(.......#1n..w.r~....(G..k*.....}.n.B..0..i.".....
......F....'..M5.[.4.....K?..}[email protected][X.'..'.?Zl.....Z@q.:c...s....]j.9.
.)$;%.X.P..t...O....6......&I.*.....b..I.....d^c'.GR..g[B.*....._\v...
.,.V....yZ0N..'..T...l.4........9=....... (-.qoi....F7......S..I....^C
o4.."i.8c..=._..u.*nt.1|.MFZ.:.:t..,Z.>.!...&..Qg.Yh61io$..........
.K...~0. .......63..PX.....{. ...n.B.@..>.1.x.m:..I.n...d..9.&i`.I`
..%$.E.7/z.].O...[."72...c.....*{.y%..C.Hv........s.Z.>....C...<
...Y.`s..........J..m-.o.M<kg...[FetL.Q..Z..F.7...........}q]41
<<< skipped >>>

GET /img/Rulilap/bg3_us.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:37 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: aobmH4YAkVEcQmZN5RXsmcjlBrcTgLfNX4Eo xJjBq1qRlSLuSiTxyiq8uu4JwIw

x-amz-request-id: FE2E9DC596DDAE9F

x-amz-meta-s3fox-filesize: 36525

x-amz-meta-s3fox-modifiedtime: 1389785629555

Last-Modified: Wed, 15 Jan 2014 11:35:18 GMT

x-amz-version-id: jYTTA8v_SMd1faiNeab09_IHAXeiDqV3

ETag: "0df5d68537b1b7fee918c0faef9cace2"

Content-Length: 36525

Accept-Ranges: bytes
......JFIF.....`.`......Exif..MM.*.................b...........j.(....
.......1.........rQ...........Q...........Q..................`.......`
....Paint.NET v3.5.10....C.....................................'!..%..
."."%() , . /3/*2'* *...C...........*...******************************
********************........0.."......................................
......................}........!1A..Qa."q.2....#B...R..$3br........%&'
()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
......................................................................
............................w.......!1..AQ.aq."2...B.....#3R..br...$4.
%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.....................
...............................................................?..S...
....[[email protected]...........{g.PKvD.Z-..bX..~a..O...sW9..|
}[email protected]{g..]......?.._..l.3...4.ob=.....]...=...(......*...C
..VG.K..lX.....|J..........>VG..dT...c[b7h...n...Cxg\....q.m.'...~.
]!.d,Fs....Z.w.j.....P.8.....~.}..<3...G.#.......k...............R`
q....R............j\../k..`........:......O.\..5..ylP. [email protected]_.......
.....dm...V...]5(..{;h.UTG.O.bz..Z.s...R........c.W.n..\F%.f}..~x.. ..
.&.l...2..M....[._z...u2T....>.,Eq..U.v.m..?...U2^B....J....FE.....
..P.u.).,.......\[email protected]=y...x.....t%.d..K..R1....k.....m</"x...K.
....I...\.....ug.>{.......... [email protected].<.a.i..h.g*}
..w~.....Z.O..".,w\...-fQ.\6~|.1.?.Z.....g].i.{.h..\j.g....N.#...:.0..
.!R.....p..sWy./...f;q..'?Nj....oI..t....[w....S.".......$...1I.i.
<<< skipped >>>

GET /img/Rulilap/bg1_ru.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: SCP7Pv hqlOdruc9xq1mXK3fuGs9FNLD3K032XdkTrzchoU8MRDCDua55g9WtdF6

x-amz-request-id: CB05761740552F58

x-amz-meta-s3fox-filesize: 35554

x-amz-meta-s3fox-modifiedtime: 1386508713985

Last-Modified: Sun, 08 Dec 2013 13:19:54 GMT

x-amz-version-id: 2bjbhqOBmzpdJ.nRXR0gOs11MRgY3c8F

ETag: "dd14964fdf02d6f23a7508f5c22eba5e"

Content-Length: 35554

Accept-Ranges: bytes
......JFIF.....F.F......Exif..MM.*.................V...........^.(....
.......1.........f.2.........x.i...............F.......F......Paint.NE
T v3.5.10.2013:01:03 10:50:49.........................................
...................(.................H.......H.......XICC_PROFILE.....
.HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB................
.......-HP  ................................................cprt...P..
.3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@
....dmnd...T...pdmdd........vued...L....view.......$lumi........meas..
.....$tech...0....rTRC...<....gTRC...<....bTRC...<....text...
.Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966
-2.1............sRGB IEC61966-2.1.....................................
.............XYZ .......Q........XYZ ................XYZ ......o...8..
...XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.
iec.ch............IEC hXXp://VVV.iec.ch...............................
...............desc........IEC 61966-2.1 Default RGB colour space - sR
GB............IEC 61966-2.1 Default RGB colour space - sRGB...........
...........desc.......,Reference Viewing Condition in IEC61966-2.1....
.......,Reference Viewing Condition in IEC61966-2.1...................
.......view.........._...............\.....XYZ .....L.V.P...W..meas...
.............................sig ....CRT curv.......................#.
(.-.2.7.;[email protected].^.c.h.m.r.w.|...................................
............................%. .2.8.>.E.L.R.Y.`.g.n.u.|........
<<< skipped >>>

GET /img/Rulilap/bg3_ru.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: 2WmDYJFWfC/kt7z0n7T79xuWz3SeMua1sSQ7jrgv5QR9wGIZuGX41S 1yMRUiMD5

x-amz-request-id: DBF045DE1F39AB1A

x-amz-meta-s3fox-filesize: 34365

x-amz-meta-s3fox-modifiedtime: 1386508755717

Last-Modified: Sun, 08 Dec 2013 13:19:54 GMT

x-amz-version-id: QETb6tdpD79RZgAimPMj2WtlXGZuYSmS

ETag: "2d59c5aa5865298c284e730094c347e5"

Content-Length: 34365

Accept-Ranges: bytes
......JFIF.....F.F......Exif..MM.*.................V...........^.(....
.......1.........f.2.........x.i...............F.......F......Paint.NE
T v3.5.10.2013:01:03 11:34:53.........................................
...................(.................H.......H.......XICC_PROFILE.....
.HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB................
.......-HP  ................................................cprt...P..
.3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@
....dmnd...T...pdmdd........vued...L....view.......$lumi........meas..
.....$tech...0....rTRC...<....gTRC...<....bTRC...<....text...
.Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966
-2.1............sRGB IEC61966-2.1.....................................
.............XYZ .......Q........XYZ ................XYZ ......o...8..
...XYZ ......b.........XYZ ......$.........desc........IEC hXXp://VVV.
iec.ch............IEC hXXp://VVV.iec.ch...............................
...............desc........IEC 61966-2.1 Default RGB colour space - sR
GB............IEC 61966-2.1 Default RGB colour space - sRGB...........
...........desc.......,Reference Viewing Condition in IEC61966-2.1....
.......,Reference Viewing Condition in IEC61966-2.1...................
.......view.........._...............\.....XYZ .....L.V.P...W..meas...
.............................sig ....CRT curv.......................#.
(.-.2.7.;[email protected].^.c.h.m.r.w.|...................................
............................%. .2.8.>.E.L.R.Y.`.g.n.u.|........
<<< skipped >>>

GET /img/Beginogo/Beginogo.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: NqQeHZi7FJ/sug7bwrPjwztGRqKIjFhsiyuvQDt5adV6wIyqQf3QMy0zuJjLZunR

x-amz-request-id: 7862DBF0E0627593

x-amz-meta-s3fox-filesize: 37929

x-amz-meta-s3fox-modifiedtime: 1382011633155

Last-Modified: Thu, 17 Oct 2013 12:07:26 GMT

x-amz-version-id: 4auxrXdrV3WtxExGpU52yT107qO6gef5

ETag: "b553972dbe94b80271fa862af06388cc"

Content-Length: 37929

Accept-Ranges: bytes
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:33EF7B7B3E24E3
11927FBCF44F044CBF" xmpMM:DocumentID="xmp.did:211C4C9C372411E3B45185D3
B2B5D9C4" xmpMM:InstanceID="xmp.iid:211C4C9B372411E3B45185D3B2B5D9C4" 
xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:5E941781F724E311B036C0E7691E1950" stRef:
documentID="xmp.did:BE7256AC244A11E3A018FD60ACFE8DE2"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.......................0..............................................
............................................!1..AQa."2R..q...B#......r
.S$..b.3.T5Uu6...Ccs4.......t.%.D.e&F7(8......................!1..AQ..
aq"..2......B..Rb.#..r.3CS................?...T....R|G.@...>.......
...O.....'.}t.j.....S.G.@...>..............R|G.B.T......>#...O..
]..O..].j..>........5?.}t...#...R|G.@...>................<
<<< skipped >>>

GET /img/Beginogo/Beginogo_N.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: q6oYehOoI13uD2b0nClF2TZcrVOXvXr9QHDqqznmxOmzy1C 1M3SZOvwOBC5Ou4S

x-amz-request-id: EE5EA1EAD13D9AE8

x-amz-meta-s3fox-filesize: 23761

x-amz-meta-s3fox-modifiedtime: 1388991951660

Last-Modified: Mon, 06 Jan 2014 07:09:20 GMT

x-amz-version-id: sKWpUx.WhbZC1jjnYPCb8EOxx4iQ83Ua

ETag: "4de9e0eb19e81527d908efa2fe4434a1"

Content-Length: 23761

Accept-Ranges: bytes
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9B9064F37F5AE3
11BB22B1908A565EB5" xmpMM:DocumentID="xmp.did:62257EC2762811E39C5AB3EB
CF48639C" xmpMM:InstanceID="xmp.iid:62257EC1762811E39C5AB3EBCF48639C" 
xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:8DF15B4E0D76E3118CF1DDC511CDA77D" stRef:
documentID="xmp.did:9B9064F37F5AE311BB22B1908A565EB5"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.......................0..............................................
............................................!1.AQa....q."2R...Uu......
B.3S..4T..6V.#..br$..C...7.c%..DEe&......................!Q..1Aa.R....
"3.q.2Bb.....#Sr....C............?................. u..x....T2.2g;;ts 
.}7.9.n ..9..f......MgKu.OT.......mN...L..v.E.!.......n"..K...qq4..F.F
.b...mJM.H.V..1....i..t.F..W.$...f/M..&]...'.....*.......t.M..-D..
<<< skipped >>>

GET /img/Rerarapepe/Rerarapepe3.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/jpeg

Connection: keep-alive

x-amz-id-2: 1iWAdnXTLi4LFhr/yjaElZPveYHgK4mh3DnYGQ0kErju21X6Wf9H9nt4MxZadGgX

x-amz-request-id: 6FFF113497E643FA

x-amz-meta-s3fox-filesize: 15799

x-amz-meta-s3fox-modifiedtime: 1394538949746

Last-Modified: Tue, 11 Mar 2014 11:56:45 GMT

x-amz-version-id: zPl9IpmeaG3ff3qZpgvUQzMtoydG8QKH

ETag: "3e2809731062d36b6ae81e70aef3b785"

Content-Length: 15799

Accept-Ranges: bytes
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:F7DDEC055CA8E3
11B43CF856625B69D6" xmpMM:DocumentID="xmp.did:08AEC486A91411E3A978EB31
6F7617DC" xmpMM:InstanceID="xmp.iid:08AEC485A91411E3A978EB316F7617DC" 
xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:B1126B7673A8E311B43CF856625B69D6" stRef:
documentID="xmp.did:F7DDEC055CA8E311B43CF856625B69D6"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.......................0..............................................
..........................................!..1A..Qaq"..2R.......r.#S.T
.B.$4..3s...bCdt%U....c......................!1..AQ...aq..."2R......b3
..B.r................?..J. ..U.@@@@@@@A...."...            .a.....    
  ..U.@@@A.A.]A....Dq.....p:QS...C.u.....|OZ...D<[email protected].#.....E_
....:......:.<GZ...A..Z*...C.u.x.......:.e..27...EwQ..z........
<<< skipped >>>

GET /img/IE_logo.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2: NxAquGDqQ/X4j 7qOQ5BOUIDaIX5GHvH8cLGooMfBPdAO3oyHGRNujr/q4xE fvq

x-amz-request-id: C0D1AD3D17666FF0

x-amz-meta-cb-modifiedtime: Thu, 21 Nov 2013 15:31:46 GMT

Last-Modified: Thu, 21 Nov 2013 15:40:00 GMT

x-amz-version-id: ULP9X2D2g9vGJo_NefwroanEdNt0Bt7c

ETag: "0866b0f3be00fd96d58f7fba54d6700d"

Content-Length: 5406

Accept-Ranges: bytes
.PNG........IHDR.............Rf.2....pHYs..........o.d...OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /img/FF_logo.png HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.tatomayey.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: image/png

Connection: keep-alive

x-amz-id-2:  hIVRWCn 4KtFQ7BM8L81Fw CYNAE0Qb3ym6SU5upu9gxhaJWVEj3fLTRVjYBCNV

x-amz-request-id: A11C9AF0299E6595

x-amz-meta-cb-modifiedtime: Thu, 21 Nov 2013 15:31:45 GMT

Last-Modified: Thu, 21 Nov 2013 15:40:00 GMT

x-amz-version-id: g_t3b7eiRe5f7z2B5bSNHqt0MOq9rM5O

ETag: "6bcecb3debf7e4a0569b6a9d6e62adab"

Content-Length: 5025

Accept-Ranges: bytes
.PNG........IHDR.............Rf.2....pHYs..........o.d...OiCCPPhotosho
p ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE.........
..Q,......!.........{.k........>...........H3Q5...B..........@..$p.
...d!s.#...~<< ".....x.....M..0.....B.\[email protected]..@F....
&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH..
...........0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I.
 [email protected]..._-...."[email protected]~..,/...;.
.m..%..h^[email protected].~<<E.........J.B[a.W}.g._.W.l.~<..
....$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..&
gt;.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?..
..D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/[email protected]..=p..
a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2...
.G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.
."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.X
H,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,  .......3...!.[.
[email protected].(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.
....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&
..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._.
.. .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).).
.4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.
n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC][email protected]....
..<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<< skipped >>>

GET /ofr/sqlite3.cis HTTP/1.1

Range: bytes=0-197985

Accept: */*

Host: cdnus.tatomayey.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.4.5

Date: Wed, 09 Apr 2014 00:38:46 GMT

Content-Type: application/octet-stream

Content-Length: 197986

Connection: keep-alive

x-amz-id-2: 95jfNvqTgocjBeGm0cY1HdazEvHxPUDRrdV2DQKvxWF8x/LHP gENX18Bv0tOWIY

x-amz-request-id: D8A51A7FD03A0DEA

x-amz-meta-cb-modifiedtime: Tue, 08 Oct 2013 15:00:06 GMT

Last-Modified: Tue, 08 Oct 2013 15:04:47 GMT

x-amz-version-id: jQbkbrqtWmyTycsly3BWYbGSjaPAJVP1

ETag: "f01a40014ab59b35deb83677787e6a33"

Content-Range: bytes 0-197985/197986
CIS................C.......b.......P.........YK.....|3 ...r.g..D.AV]..
...........#a!....2...sS.I.*k...n.J.8..y.u...8. ..[...TR...y4cv..?.MP.
9-........Y.]........%..}^.g.1.n..w\...x|,....#]"f}.........J:..I..y..
xPm..a&.HM...aN...".....]5Nt... ..NF..$....\|[email protected]$...D.<6{.W-
gt..J.D.g&....y.......i...?.]..l..?.m..qE...x...0.4Y/./<?P..<...
V...pw..a.Fs5..?{h....Gy]"...Lb..Sl...S..##n....T<%]H.=S.O.U/....H.
A.Fu'.?zc_.......V.BAd'"...XU...W0.....-.................C.c.V..4.....
r...|S3.)...<.]......"S{...........CoE...h...U......._.G"o....G.F\&
lt;6............Y.b.-.V.;......h....?}`..y?5.a....l6C..B..z..h..ZW....
...<.C.M... .T.%[email protected]..#.....!.L}...^fU.6.qC......C...5.
\....l$...?..EF...cH.S...7Z.!g$...RG..}.?g.D.r.. ...|'.Sh..."....E.[..
W.5...r..!z.....~c'.......$t....X&*..r.#......=...sa..R...XGa.....7...
=..."....@#m_..o.J..j..{..O.......l. ..:....G..zI..e..@{.0..L....2`X..
9..8...y...M>.tq>D.."...H5..V.l~^e5h.6:.Wu.Y....f)Ln.y..ZoM.,b~.
r.p.]c..>`..f..?.t...]\..4.p....WJS(x..3.Zp...%`f..bO.v.(s.F_ .5.`.
.O...)6z..d.PrpI.8sMsP.aM. ]c.#.w=o#....Z.#.%,....h..<...i.)..9n...
.W..s{i.......i?.(?.....TP".1..`~u....sF)./'...#.Xu.....Rp.x.u...=..F.
k....O..%[email protected]...,..Yr...{/..~A.?.... ....._2......."o_>..J.6
[email protected].$. ...Nw.~."..T.f.a...B...:....R.6....l.V]..! .Bt....cY.-.,....
.. W(..o?>.B..7..j.0.....Vb..Db....G.pa.E.9.>..q....R....E....v.
X.....R.....W<.c..].. ......w.z..eq...$./.\_>r.5".... I._n\O".t.
."....F.....S.'.K.Z..-C.{.&<sM......O...Y....9..c....9;..)&6eC.
<<< skipped >>>

HEAD /ofr/sqlite3.cis HTTP/1.1

Accept: */*

Host: cdneu.tatomayey.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:37 GMT

Content-Type: application/octet-stream

Connection: keep-alive

x-amz-id-2: yGuRl4hzCY vJFRqopdFIVFE8fxxW52PDjuhdNJJaPBgviiZOoqbOWShBe1DZdLb

x-amz-request-id: 0C1DFD26007CE165

x-amz-meta-cb-modifiedtime: Tue, 08 Oct 2013 15:00:06 GMT

Last-Modified: Tue, 08 Oct 2013 15:04:47 GMT

x-amz-version-id: jQbkbrqtWmyTycsly3BWYbGSjaPAJVP1

ETag: "f01a40014ab59b35deb83677787e6a33"

Content-Length: 197986

Accept-Ranges: bytes

GET /ofr/sqlite3.cis HTTP/1.1

Range: bytes=102400-197985

Accept: */*

Host: cdneu.tatomayey.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.0.10

Date: Wed, 09 Apr 2014 00:36:38 GMT

Content-Type: application/octet-stream

Content-Length: 95586

Connection: keep-alive

x-amz-id-2: yGuRl4hzCY vJFRqopdFIVFE8fxxW52PDjuhdNJJaPBgviiZOoqbOWShBe1DZdLb

x-amz-request-id: 0C1DFD26007CE165

x-amz-meta-cb-modifiedtime: Tue, 08 Oct 2013 15:00:06 GMT

Last-Modified: Tue, 08 Oct 2013 15:04:47 GMT

x-amz-version-id: jQbkbrqtWmyTycsly3BWYbGSjaPAJVP1

ETag: "f01a40014ab59b35deb83677787e6a33"

Content-Range: bytes 102400-197985/197986
..."jM~1{..1J...T..q.R......F.hx.}.....W...o..u...d..C .q.'T..?@N._.z~
....:.I...n..p*....9O&..s.|o..g...%...$.U..n-..}......./.....\..#..y..
.7Y<g...(#.....w].[.3....$f.C......MF.w..&.... ..;.u.g.VC..~6...J%{
.}.t...Df....{k. .(..].9c...Y.Q.<.T.^..\.I.-.../..>..!p.........
M..e..R....m...F..........:.E...S..."..J...v3)...z.f..T......1...G.0..
....zH.E. [email protected]..[..\.E..o.h..u..N %.m.h.../X.!.7
K[.h...1...jh....U..... G}-1......XV(.....q*.t..b...P&X.xg.......Xd...
.*..r`..T..=..(...4Dr....,.2..`~..Qz..N.Z.p.s.....L.......u.gz5=../.T.
J..q..9...}.='O....x...........(.g....T4C.........v....9,^_.......4m.7
_..<h.wB|!$....<..l.b.>.b... -.]...?...Jl...%W.4.. ..Q.......
.....f.....l.06......J.(K..4.X.n5.8E.{.g.H.....Z5..>...4..'Q5V.).._
o..:.CJ.E.....W.....6.._..(......K.O..J...L...b.w.9..4...}...kE.xL....
........U..7$.f.....R)..;Vl.AL2..C.j...e.MA.u...Wk........?..1C..F...v
,i..../.......*D....e&:.0.[.Q5..........:.....:1..D.Y..U.?-.e.2X{v...p
c..K.$k.....:t.....l....rP.J4I.....Pr1.Q.~[.qT...A.-.psy..Rd....9.7...
.....$..U.7K......g..D..U..m....n. ......}.58.T*...!.F.I.k...R...a..w.
.z..h.p.3i..w.....K...<..aJ.h..W.<$8.... ..3s.P..:j..K... .}@...
./[email protected].../..[/..7..(:d.;....G!.:..3.z...$v...\.=.(.q.....)a.!
q....Xm...;..#.L.Z...].Q2W.....7........"...."wgM.U.#v.....*...g.5X..R
.-Gk.O.]....My..* .d..\.r*..?..Y....c.'.Ie...T...go.R..q..G)...}.... .
~.Cu~n..O.~S....."`[email protected].., .,.=..?.$ .5
2. Z........I.kA...#4...x..Bs..@..?..........S.."..1.x.L.J.$G.D...
<<< skipped >>>

.idata

.rdata

P.reloc

P.rsrc

.dll3

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.0)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

%original file name%.exe_1476_rwx_00401000_00001000:

.dll3

%original file name%.exe_1476_rwx_00900000_000A0000:

.rsrc

6|%x=n~0

kernel32.dllw)

a.aUCNM

l.Tc_It.

<8999940,(9999$

Keyw

3%Cp)

r%DnI

.FDiag

Ha=.hnY`

?7E(AL("%s",4),"

#}%c!

u..Qi

4'.Yt

-i.aN&,

keysK<

.jw@]

2301654879'

a.thz

Ht.HAG

tLcibD.ZPo

%uhrskNr

*.*2XE

.dwcnh

nmhpjhc03.fcclJLO

1.2.3'

THttpR

pM.DJ?

}.EOtJ

bVsqlz3_

T.lLp|

H.NOr0

,zH-S.Gg

.IV`F

w'|%C

.FJn`

.H.VZ

Mozilla

\O.Rhn

.cjjm0).S"'b

.rdf'.fksd'

fe..js

nt_urlzi`

Q$.Xp'Q

HURL

`_Key=c

Da.Agt&(-

%dnZC

Uix.obk

_%tCp

msGu

|%F~E

.ke;o

M".rv

Cfg.Fw

.LqW]E).rG

I.hlpkI

I.dd\

B.ssrsko-!

Íd4

[hx.XuRR

HTTP_CbBXR

'ExeChkSum=

'%s' i

tkA.CH

OycC.Ej

2.1.0

%XoUa<19

8b8%SO

mGOPIPE

j0Ø#

.iGF>'

qah`k,.nlvcbqff,-U>o

z`o1caig2,.hf5b

J?.DD@

.Rh_w

c.cl/

%dh{'

Yi.iK

X.Qpv

.YpDEE

)).fy

:u.bW

[u.bu

*0)X/%x

@.GGG

"$ %),'8

"$"!(&&$' )#

- /*-( ,'.-

*/.)*72-7)

#-**(-#,

&",,/- '

P.reU

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

wininet.dll

HtmlUIInstallerSADLL.dll

"GhhWurln

GhhWurln

&GhhWurln

rljunurln

GhhWurlnBbnjutisYGIvvn

]Y.Iv

LWJGhhWurlnSxejyn]YG

49022180-1

%original file name%.exe_1476_rwx_009A1000_0013C000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

EVariantBadIndexError

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword8

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeysHb

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview
WindowStatetd
OnKeyDown
OnKeyPressP=
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
2301654879
A`bng`@ikc-4,uUxlxs-4,Ht.HA
Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP
TThreadExecuter
TScanAllWindowsCallBackData
Portuguese
i\*.*2XE
i.dwcnhE
nmhpjhc03.fcclJL
i.ulzn1E
1.2.3
THttpTimeOutThread
THttpCallBackShell
Gx-21,\igh]ixyj-42,M.DJ
A`qjz``-0,ZkdkNgij.pc
Kcqjpc`-0,Aaj-1,gEdafa`.pM
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code
sqlite3.dll
ESQLiteException
TSQLiteDatabase
TSQLiteTable
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
select [sql] from sqlite_master where [type] = 'table' and lower(name) = '
Could not prepare SQL statement
SQLite is Busy
https
t%f;u
SOFTWARE\Mozilla\Mozilla Firefox
8SQLit
install.rdf
DoSetChromeHomePage AL=
SELECT value FROM meta WHERE key='Default Search Provider ID'
SELECT short_name FROM keywords WHERE id='
Exception in InstallChromeExtensionRegistry:
manifest.json
UPDATE keywords SET sync_guid='
UPDATE keywords SET instant_url='' WHERE id=
keywords_backup
DROP TABLE keywords_backup
CREATE TABLE keywords_backup AS SELECT * FROM keywords ORDER BY id ASC
autogenerate_keyword ||
SELECT id || short_name || keyword || favicon_url || url || safe_for_autoreplace || originating_url || date_created || usage_count || input_encodings || show_in_default_list || suggest_url || prepopulate_id ||
created_by_policy || instant_url || last_modified || sync_guid
FROM keywords ORDER BY id ASC
RemoveChromeSearchProvider - cannot remove
DELETE from keywords WHERE short_name='
RemoveChromeSearchProvider - exception:
SELECT id FROM keywords WHERE short_name='
Home URL
Amazon.com
eBay.com
Merriam-Webster
Suggest URL
Opera Preferences version 2.0
; Do not edit this file while Opera is running
Key=c
Suggest URL=
Protocol is unsupported
Retrieved Filename from Url:
Restart attempts surpassed the maximum (
http://
New Source created, url:
, httpCode:
, url:
https://
, Url:
, old Url:
, new Url:
Switching suspended Server back to use; Url:
, HttpCode:
TDownloadConnection.Destroy() was called from not authorized thread (
HttpCode:
Unsupported 3xx redirect response, code:
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
]DKizHi-4,exc-1,Hc`hk-3.GI
6?0N2=.Lq
;768>1-80
005345000000
000000000000
000000000010
000000000030
cabinet.dll
Reporting failed on first attempt, second attempt is cancelled (finallizing)! Url:
First report attempt failed, going for second! Url:
The report failed! Url:
Successfull report, Url:
TUninstallExecuter
TUninstallExecuter can be created only once.
RootKey:
RegDelKey:
(FF) TUninstallExecuter.RestoreBrwAddrSearch: OpCode=
(FF) TUninstallExecuter.RestoreBrwSearchProvider: OpCode=
TUninstallExecuter.DoRun: Key=
CJ[hx.Xu
Downloading Bundles data from adServer on url:
BND_HTTP_CODE
&ExeChkSum=
Report main param:
Exclusive Execution mode is switched to:
Report param (pkg:
), exeName:
dwa.Err
dwa.State
dwa.ErrHistory
dwa.MaxSpd
dwa.AvgSpd
dwa.Time
dwa.HttpCode
dwa.PrtclCodeHistory
dwa.ConnCnt
dwa.Opt
dwa.Size
dwa.Progress
dwa.IsProxy
dwa.Restart
dwa.Heur
dwa.IsAcc
dwa.SrcNo
dwa.Url
GENERIC_WINDOWS
NO_JAR_SUPPORT
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser24J
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidthDP
OnWindowSetHeight
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec(g
'%s' is not supported.
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown|
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
This object does not support this method (
Unsupported type for Parameter with Index %d
Method call unsuccessful. %s (%s).
eiOnKeyDown
eiOnKeyPress
eiOnKeyUp
OnKeyPress
Handler with EventID = %s already exists.
Error on IConnectionPoint.Advise
Source don't have connection point for [%s]
JS function sync-execution failed with message:
] execution failed with message:
.html
MAPI32.DLL
LeftPopup
TPipeServer
TPipeObject
TPipeServerListener|
TPipeClientU
2.1.0.0
This exe was created with an old version of HtmlAppMaker.
LOG_URL
Log server Url is invalid:
Sending Log to the following Url:
Log Http request has failed, res:
irsoMsgDialog
irsoGetCurExePath
irsoJoinPath
irsoGetCmdLineParam
irsoGetCmdLineCount
irsoGetCmdLineIndexOf
irsoGetCmdLineParamValue
irsoGetCmdLineAll
irsoRegCreateKey
irsoRegCreateKeyTree
irsoRegDeleteKey
irsoIsRegKeyExists
irsoRegListKeyValues
irsoRegListKeyKeys
irsoRegSearchKeyKeys
irsoRegCopyKey
irsoHttpGetData
irsoHttpGetDataInThread
irsoLibraryExecuteProc
irsoLibraryExecuteProcW
irsoLibraryExecuteProcWithResult
!irsoLibraryExecuteProcWithResultW
irsoExecute
irsoIsMutexExists
irsoCreatePipeServer
irsoStopPipeServer
irsoSendDataToPipeServer
irsoGetCurExeCheckSum
irsoSetSQLiteDll
irsoGetSQLiteDll
TExecArgsX
H-4,njBdi-2,o-4,r.vY
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
PIPE_DATA
PIPE
THtmlUIExeApp
logurl
irsoExecutePackage
irsoReportPackageError
irsoReportPackageSkip
irsoReportPackageQuit
irsoReportPackageSuccess
irsoReportPackageInfo
irsoGetPackageFilenameFromHttp
irsoGetPackageExecExitCode
irsoGetPackageExecResult
irsoSetPackageRelProgressShare
irsoIsFireFoxInstalled
irsoIsChromeInstalled
irsoIsOperaInstalled
irsoGetFireFoxHomePage
irsoGetChromeHomePage
irsoGetOperaHomePage
irsoSetFireFoxHomePage
irsoSetChromeHomePage
irsoSetOperaHomePage
irsoSetChromeOnStartup
irsoAddChromeUrlToStartupPages
irsoGetFireFoxDefaultSP
irsoGetChromeDefaultSP
irsoGetOperaDefaultSP
irsoAddFireFoxDefaultSPFromXML
irsoAddFireFoxDefaultSP
irsoSetFireFoxAddressBar
irsoAddOperaDefaultSP
irsoAddChromeDefaultSP
irsoGetFireFoxEXE
irsoGetIEEXE
irsoGetChromeEXE
irsoGetOperaEXE
irsoGetFireFoxVer
irsoGetChromeVer
irsoGetOperaVer
irsoLocateSQLite
irsoGetFireFoxCookie
irsoGetChromeCookie
irsoIsFireFoxExtensionInstalled
irsoInstallFireFoxAddon
irsoInstallChromeAddon
irsoUninstallAddExeCmd
irsoUninstallAddOpenBrowserCmd
irsoUninstallAddRegistryKey
irsoUninstallExecute
irsoReportStart
irsoReportInfo
irsoSetExclusiveExec
isroSetReportUrl
An attempt to download bundle data was denied: adServer domain name must remain the same! Url:
Report Url changed dynamically from:
RepUrlChanged
\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>
TcUlue.PL
/UnExeFile:
UnExeFile
z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1
1.2.1
inflate 1.2.1 Copyright 1995-2003 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
.Rh_w
c.cl/
%dh{'
Yi.iK
X.Qpv
.YpDEE
g.Tdy
.MJCw L
)).fy
e.eVS{
KWindows
XisrWindowsEx
YisrUrl
kisrSQLiteTable3
isrSQLite3
isrSQLiteUtils
hisrPipes
HtmlUIExeApp
WaitNamedPipeA
PeekNamedPipe
GetWindowsDirectoryW
GetCPInfo
DisconnectNamedPipe
CreatePipe
CreateNamedPipeA
ConnectNamedPipe
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExA
RegFlushKey
RegEnumKeyW
RegEnumKeyExA
RegDeleteKeyW
RegDeleteKeyA
RegCreateKeyExW
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
ShellExecuteExW
ShellExecuteA
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
GetKeyboardType
"$ %),'8
38000=344
&W!%C-7
%/  *(2'-=
1 0 .'7(2':
- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)
&)"%&$&'&",,/- '
SSSHHHK`````````````````q}
#)'%%'%'%
.idata
.edata
P.reloc
P.rsrc
P.reU
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
PathToExe
mozsqlite3.dll
No sqlite3.dll
cookies.sqlite
"urls_to_restore_on_startup": [ ],
"urls_to_restore_on_startup": [ ]
"urls_to_restore_on_startup": [ ]
GetChromeDefaultSearchProviderFromDb - failed to get spid, returning default!
sqlGetQueryResultEx failed!
Opera\Opera
Opera
\operaprefs.ini
\profile\operaprefs.ini
\profile\opera6.ini
\opera6.ini
Software\Opera Software
locale\en\en.lng
\profile\search.ini
\search.ini
search.ini
\defaults\search.ini
DoRemoveOperaSearchProvider - cannot remove
" was sucessfully removed but references to its HexKey: "
TopResultURLFallback
FaviconURL
FaviconURLFallback
*.txt
.part
TDownloadAccelerator.Run() was ignored, since another download is currently in progress.
Urls:
Pause request ignored, servers without HTTP Range support will cause download restart.
The source dropped range support.
Uninstall\__Uninstall_.exe
Uninstall\uninst.dat
uninst.dat
regsvr32.exe
Waiting for all the ongoing reports to complete...
_EXEXE_
errorUrl
Registry entry removed: HtmlUI Browser object's IE7 fallback support is now enabled.
Failed to launch htmlUI from the following url:
main.html
Log server Url is not provided.
Log Http request has timed out.
Remote mask loading is currently not supported. mask:
Please login as administrator and try again.
Installer Account Name altered after at least one report already sent.
isroSetReportUrl() was ignored due to lack of Privelege Mode.
Installer Report Url changed after at least one report already sent.
.Uninstall\
No help found for %s#No context-sensitive help installed$No topic-based help system installed
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
!Control '%s' has no parent window
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s
Invalid stream format$''%s'' is not a valid component name
Ancestor for '%s' not found
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation!Invalid variant operation ($%.8x)
Variant is not an array5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value"'%s' is not a valid currency value!'%g' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1388
   wuauclt.exe:304
   

2. Delete the original Installer file.
   
3. Delete or disinfect the following files created/modified by the Installer:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\LOGO[1].png (3719 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Loader.gif (10 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Quick_Specs.png (221 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\KO.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Color_Button.png (863 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\CS.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\JA.locale (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\logo[1].png (7491 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\bg2_us[1].jpg (7569 bytes)
   %Documents and Settings%\%current user%\Desktop\Continue Flash Player 11 Installation.lnk (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\ProgressBar.png (812 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0004C531.log (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\bootstrap_15771.html (156 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\form.bmp.Mask (244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\logo_new[1].png (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\FR.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\bg3_ru[1].jpg (3756 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Close_Hover.png (240 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\IT.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\Rodedowo[1].png (3521 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\checkbox.css (190 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\NL.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\FF_logo[1].png (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312728_stp\sqlite3.dll (1706 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\BG.png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\DE.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\csshover3.htc (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\EN.locale (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\Beginogo[1].jpg (2816 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\button-bg.png (131 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\SV.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\bg4_us[1].jpg (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\IE_logo[1].png (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\isf_312821.flat (1707 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0004D676.log (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\PL.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\FI.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0004D6C5.log (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (3725 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\default_tb.png (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\bg1_ru[1].jpg (2696 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\PT.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\main.css (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0004C158.log (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\Rerarapepe3[1].jpg (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Close.png (207 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\bg3_us[1].jpg (4963 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\bg4_ru[1].jpg (2696 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312728_stp.CIS.part (42 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\ES.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Pause_Button.png (577 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\ZH.locale (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\Beginogo_N[1].jpg (776 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\progress-bg.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\images\progress-bg2.png (978 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Progress.png (104 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\logo[1].png (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\bg2_ru[1].jpg (3056 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\NO.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M56PQRET\Beginogo_BR[1].jpg (4816 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\browse.css (337 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000476F1.log (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\TR.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\is943016861\312702_stp.EXE.part (68 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Color_Button_Hover.png (846 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\DA.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Icon_Generic.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Resume_Button.png (718 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2L856785\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\EL.locale (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\default_wi.png (28 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\ID.locale (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\button.css (417 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\install[1].png (639 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\sponsored.png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\CH_logo[1].png (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Grey_Button.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\ie6_main.css (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\Rorawaker_Logo[1].png (1145 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\bg1_us[1].jpg (5101 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\css\sdk-ui\progress-bar.css (506 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\locale\RU.locale (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GV0TYL01\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\0004E115.log (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OK7C0W6U\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ish292609\images\Grey_Button_Hover.png (1 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
   %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
   %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.