MD5: 97612a67f623b18ca1bb743ae02783ef
SHA1: fcbeeb0f0645f7c68760aee7f6869ac9bb39a2f6
SHA256: c96aac13aec0916b2c324e64d086321457591c9f6f6e8b6a6e89215582a242c3
SSDeep: 12288:7kPaXbA9EsmIWwRMI7jzG1ZjyoBMqzBt9YLU56o97z5GyBTPzR43HPf8tr5qCed:7kPKLskw2IrG1QoBM8tyQ5FH5R4ff8tr
Size: 726720 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

TPAutoConnSvc.exe:1776
%original file name%.exe:3524
cscript.exe:1552
cscript.exe:3008
1360DBCA_stp.EXE:3292
idmsq.exe:964

The Malware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3524 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A736A.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Seniser[1].png (3740 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A278C.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Close.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Logo.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\DE.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A7232.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg1[1].jpg (16940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Progress.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\main.css (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\ProgressBar.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A24FD.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
%Program Files% (x86)\is665359.log (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button_Hover[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A7676.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\declineBG[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\ie6_main.css (2 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Continue Download Manager 2 Installation.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A255B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_%original file name%.exe (1455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Neyayeneda_TopImg[1].png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\bootstrap_5221.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\bg2[1].jpg (13577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Close_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\BG.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is857433578\1360DBCA_stp.EXE.part (1080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is857433578\1360DBCA_stp.EXE (93701 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A275D.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale (4 bytes)

The process cscript.exe:1552 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\MININT\SMSOSD\OSDLOGS\BDD.log (5034 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\IDMSQ.lnk (1 bytes)
C:\MININT\SMSOSD\OSDLOGS\Pin.log (5034 bytes)
C:\MININT\SMSOSD\OSDLOGS\VARIABLES.DAT (765 bytes)

The process cscript.exe:3008 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\MININT\SMSOSD\OSDLOGS\BDD.log (8641 bytes)
C:\MININT\SMSOSD\OSDLOGS\Pin.log (8641 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\IDMSQ.lnk (1 bytes)
C:\MININT\SMSOSD\OSDLOGS\VARIABLES.DAT (644 bytes)

The process 1360DBCA_stp.EXE:3292 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDMSQ\Website.lnk (1 bytes)
%Program Files% (x86)\IDMSQ\mplayer\avformat-54.dll (34365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\unknown.xul (222 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\browser.js (3 bytes)
C:\Windows\Fonts\Lato-Light.ttf (4992 bytes)
%Program Files% (x86)\IDMSQ\idmsq.exe (76224 bytes)
%Program Files% (x86)\IDMSQ\tag.dll (53394 bytes)
C:\Windows\Fonts\Lato-Italic.ttf (4992 bytes)
C:\Windows\Fonts\Lato-LightItalic.ttf (3312 bytes)
%Program Files% (x86)\IDMSQ\mplayer\avfilter-2.dll (20416 bytes)
%Program Files% (x86)\IDMSQ\mplayer\mplayer.exe (131772 bytes)
C:\Windows\Fonts\Lato-Bold.ttf (4992 bytes)
%Program Files% (x86)\IDMSQ\mplayer\avutil-51.dll (8184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\idmsq.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\META-INF\MANIFEST.MF (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\ZTIUtility.vbs (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\ListVerbs.vbs (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\PinItem.vbs (12 bytes)
%Program Files% (x86)\IDMSQ\mplayer\avcodec-54.dll (231159 bytes)
%Program Files% (x86)\IDMSQ\mplayer\swresample-0.dll (1856 bytes)
%Program Files% (x86)\IDMSQ\uninst.exe (4741 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\UnPin.wsf (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\WinShell.dll (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\Pin.wsf (6 bytes)
%Program Files% (x86)\IDMSQ\imageformats\qgif4.dll (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\FindProcDLL.dll (816 bytes)
%Program Files% (x86)\IDMSQ\Internet Download Manager².url (47 bytes)
%Program Files% (x86)\IDMSQ\mplayer\swscale-2.dll (10136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\IDMSQ.crx (2392 bytes)
%Program Files% (x86)\IDMSQ\imageformats\qjpeg4.dll (7192 bytes)
%Program Files% (x86)\IDMSQ\imageformats\qtiff4.dll (10136 bytes)
%Program Files% (x86)\IDMSQ\mplayer\libiconv-2.dll (33455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\defaults\preferences\prefs.js (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\Pin.cmd (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\UnPin.cmd (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome.manifest (315 bytes)
%Program Files% (x86)\IDMSQ\sqldrivers\qsqlite4.dll (15168 bytes)
C:\Windows\Fonts\Lato-Hairline.ttf (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected] (945 bytes)
%Program Files% (x86)\IDMSQ\IdmsqPlayer.exe (33391 bytes)
%Program Files% (x86)\IDMSQ\QtGui4.dll (266044 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\ZTI-SpecialFolderLib.vbs (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E27.tmp (814378 bytes)
%Program Files% (x86)\IDMSQ\mplayer\avdevice-53.dll (784 bytes)
%Program Files% (x86)\IDMSQ\mplayer\mplayer\config (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDMSQ\Uninstall.lnk (986 bytes)
%Program Files% (x86)\IDMSQ\QtCore4.dll (74461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\FontName.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsqext.dll (9573 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\modules\registry.jsm (1 bytes)
C:\Windows\Fonts\Lato-BlackItalic.ttf (3616 bytes)
C:\Windows\Fonts\Lato-Black.ttf (3616 bytes)
%Program Files% (x86)\IDMSQ\mplayer\libmp3lame-0.dll (12088 bytes)
%Program Files% (x86)\IDMSQ\mplayer\postproc-52.dll (4992 bytes)
C:\Windows\Fonts\Lato-BoldItalic.ttf (4992 bytes)
%Program Files% (x86)\IDMSQ\mplayer\libx264-122.dll (35784 bytes)
%Program Files% (x86)\IDMSQ\mplayer\libpthread-2.dll (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\browser.xul (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\nsExec.dll (14 bytes)
%Program Files% (x86)\IDMSQ\mplayer\ffmpeg.exe (8184 bytes)
%Program Files% (x86)\IDMSQ\QtSql4.dll (6584 bytes)
C:\Windows\Fonts\Lato-Regular.ttf (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDMSQ\IDMSQ.lnk (980 bytes)
C:\Windows\Fonts\Lato-HairlineItalic.ttf (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\unknown.js (5 bytes)
%Program Files% (x86)\IDMSQ\mplayer\xvidcore.dll (25776 bytes)

The process idmsq.exe:964 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files% (x86)\IDMSQ\sqldrivers\qsqlite4.dll (442 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsq.db (58 bytes)
%Program Files% (x86)\IDMSQ\imageformats\qgif4.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsq.db-journal (3302 bytes)
%Program Files% (x86)\IDMSQ\imageformats\qjpeg4.dll (200 bytes)
%Program Files% (x86)\IDMSQ\imageformats\qtiff4.dll (286 bytes)

Registry activity

The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"

[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]

The process %original file name%.exe:3524 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "9B B3 03 9F 5F 29 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer]
"GlobalAssocChangedCounter" = "35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "9B B3 03 9F 5F 29 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "9B B3 03 9F 5F 29 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process cscript.exe:1552 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
"@zipfldr.dll,-10148" = "Compressed (zipped) folder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2]
"FavoritesVersion" = "2"
"FavoritesResolve" = "24 02 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"@sendmail.dll,-21" = "Desktop (create shortcut)"

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@C:\Windows\system32]
"FXSRESM.dll,-120" = "Fax recipient"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2]
"Favorites" = "00 DE 00 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"
"FavoritesChanges" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{BD84B380-8CA2-1069-AB1D-08000948F534} {000214E6-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 5C 7E BC A7 5F 29 D0 01"

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"@sendmail.dll,-4" = "Mail recipient"

The process cscript.exe:3008 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
"FavoritesChanges" = "7"
"Favorites" = "00 7C 01 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"
"FavoritesResolve" = "CC 02 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"
"FavoritesVersion" = "2"

The process 1360DBCA_stp.EXE:3292 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ohenffmfbnoidogjgebadealdkecjdal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\IDMSQ.crx"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}]
"(Default)" = ""

[HKCU\Software\Microsoft\Internet Explorer]
"DownloadUI" = "{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}"

[HKCR\Idmsq.Extension.1]
"(Default)" = "Idmsq Extension"

[HKCR\TypeLib\{C49A03AB-0097-47E2-95A2-2294FAC6C3E0}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IDMSQ]
"URLInfoAbout" = "http://www.idmsq.com/"

[HKCR\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}]
"(Default)" = "IIdmsqBHO"

[HKCU\Software\IDMSQ]
"location" = "%Program Files% (x86)\IDMSQ\idmsq.exe"

[HKCR\Wow6432Node\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\TypeLib]
"(Default)" = "{C49A03AB-0097-47E2-95A2-2294FAC6C3E0}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D494EEA-FF23-42dc-AE6A-12239800B2D1}]
"Policy" = "3"

[HKCR\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\RLBHO.DLL]
"AppID" = "{161B22FE-870E-45B1-8020-0D6494DD5D3A}"

[HKCR\Wow6432Node\CLSID\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsqext.dll"

[HKCR\Wow6432Node\CLSID\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}]
"(Default)" = "Idmsq Extension"

[HKCR\AppID\{161B22FE-870E-45B1-8020-0D6494DD5D3A}]
"(Default)" = "RLBHO"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Black Italic (TrueType)" = "Lato-BlackItalic.ttf"

[HKCR\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\TypeLib]
"Version" = "1.0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.24.15, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\python.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\327c54aa\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\,"

[HKCR\Wow6432Node\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Idmsq.Extension\CLSID]
"(Default)" = "{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Black (TrueType)" = "Lato-Black.ttf"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IDMSQ]
"DisplayVersion" = "1.0"
"DisplayIcon" = "%Program Files% (x86)\IDMSQ\uninst.exe"

[HKCR\Idmsq.Extension.1\CLSID]
"(Default)" = "{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IDMSQ]
"DisplayName" = "Internet Download Manager² 1.0"

[HKCR\TypeLib\{C49A03AB-0097-47E2-95A2-2294FAC6C3E0}\1.0]
"(Default)" = "IdmsqBHO 1.0 Type Library"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}]
"(Default)" = "Idmsq Extension"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Light Italic (TrueType)" = "Lato-LightItalic.ttf"

[HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D494EEA-FF23-42dc-AE6A-12239800B2D1}]
"AppName" = "idmsq.exe"

[HKCR\Wow6432Node\CLSID\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IDMSQ]
"Publisher" = "OR Interactive Ltd"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Italic (TrueType)" = "Lato-Italic.ttf"

[HKCR\Wow6432Node\CLSID\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}\VersionIndependentProgID]
"(Default)" = "Idmsq.Extension"

[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ohenffmfbnoidogjgebadealdkecjdal]
"Version" = "1.0"

[HKCU\Software\IDMSQ]
"BrowserIntegration" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Light (TrueType)" = "Lato-Light.ttf"

[HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D494EEA-FF23-42dc-AE6A-12239800B2D1}]
"Policy" = "3"

[HKCR\Wow6432Node\CLSID\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}\ProgID]
"(Default)" = "Idmsq.Extension.1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}]
"Policy" = "3"

[HKCR\TypeLib\{C49A03AB-0097-47E2-95A2-2294FAC6C3E0}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D494EEA-FF23-42dc-AE6A-12239800B2D1}]
"AppName" = "idmsq.exe"

[HKCR\TypeLib\{C49A03AB-0097-47E2-95A2-2294FAC6C3E0}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsqext.dll"

[HKCR\Idmsq.Extension\CurVer]
"(Default)" = "Idmsq.Extension.1"

[HKCR\Wow6432Node\CLSID\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Hairline Italic (TrueType)" = "Lato-HairlineItalic.ttf"
"Lato Bold Italic (TrueType)" = "Lato-BoldItalic.ttf"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ"

[HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D494EEA-FF23-42dc-AE6A-12239800B2D1}]
"AppPath" = "%Program Files% (x86)\IDMSQ"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}]
"AppName" = "Idmsq Extension"

[HKCR\Wow6432Node\CLSID\{4E63331F-BEED-4BD8-828F-72F18D73BE92}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Wow6432Node\IDMSQ]
"InstallPath" = "%Program Files% (x86)\IDMSQ"

[HKCR\Idmsq.Extension]
"(Default)" = "Idmsq Extension"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Bold (TrueType)" = "Lato-Bold.ttf"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IDMSQ]
"UninstallString" = "%Program Files% (x86)\IDMSQ\uninst.exe"

[HKCR\Wow6432Node\CLSID\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\InProcServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsqext.dll"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D494EEA-FF23-42dc-AE6A-12239800B2D1}]
"AppPath" = "%Program Files% (x86)\IDMSQ"

[HKCR\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\TypeLib]
"(Default)" = "{C49A03AB-0097-47E2-95A2-2294FAC6C3E0}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Regular (TrueType)" = "Lato-Regular.ttf"

[HKCR\Wow6432Node\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}\NumMethods]
"(Default)" = "7"

[HKCU\Software\IDMSQ]
"extid" = "1.0.1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Hairline (TrueType)" = "Lato-Hairline.ttf"

[HKCR\Wow6432Node\CLSID\{3AA4FC9D-FB51-44a2-B09F-0457857CA7C2}\TypeLib]
"(Default)" = "{C49A03AB-0097-47e2-95A2-2294FAC6C3E0}"

[HKCR\Wow6432Node\Interface\{4E63331F-BEED-4BD8-828F-72F18D73BE92}]
"(Default)" = "IIdmsqBHO"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IDMSQ" = "%Program Files% (x86)\IDMSQ\idmsq.exe /startup"

The process idmsq.exe:964 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\%Program Files% (x86)\IDMSQ\imageformats]
"qtiff4.dll" = "40801, 0, Windows msvc release full-config, 2013-07-14T09:32:56"

[HKCU\Software\IDMSQ]
"LastServerTime" = "1420514431"

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\%Program Files% (x86)\IDMSQ\imageformats]
"qgif4.dll" = "40801, 0, Windows msvc release full-config, 2013-07-14T09:32:56"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\%Program Files% (x86)\IDMSQ\imageformats]
"qtiff4.dll" = "2013-07-14T09:32:56, tiff, tif"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "9B B3 03 9F 5F 29 D0 01"

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\%Program Files% (x86)\IDMSQ\imageformats]
"qjpeg4.dll" = "2013-07-14T09:32:56, jpeg, jpg"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF" = "01 00 00 00 00 00 00 00 55 76 DF AE 5F 29 D0 01"

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\%Program Files% (x86)\IDMSQ\sqldrivers]
"qsqlite4.dll" = "40801, 0, Windows msvc release full-config, 2013-07-14T09:32:56"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "3C CE 00 AE 5F 29 D0 01"

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QSqlDriverFactoryInterface:\%Program Files% (x86)\IDMSQ\sqldrivers]
"qsqlite4.dll" = "2013-07-14T09:32:56, QSQLITE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.8\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\%Program Files% (x86)\IDMSQ\imageformats]
"qgif4.dll" = "2013-07-14T09:32:56, gif"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.8.false\%Program Files% (x86)\IDMSQ\imageformats]
"qjpeg4.dll" = "40801, 0, Windows msvc release full-config, 2013-07-14T09:32:56"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\IDMSQ]
"LastUpdateCheck" = "1420514408"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "3C CE 00 AE 5F 29 D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
"ProxyOverride"
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

The Malware modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 907 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Generic
Product Version: 1.3
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Generic Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://rp.mediacodeccdn.com/?pcrc=1626022615&v=2.0	46.137.168.245
hxxp://securefilesetup.com/distribution/?product=IDM2&channel=A004
hxxp://os.mediacodeccdn.com/IDM2/?v=5.0&c=203781116	54.77.76.227
hxxp://d27jwl8eflbzdd.cloudfront.net/IDMSQSetup.exe	54.192.46.214
hxxp://img.mediacodeccdn.com/img/Global/Yes_Button.png	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Global/Yes_Button_Hover.png	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Global/declineBG.png	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Global/No_Button.png	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Global/No_Button_Hover.png	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Seniser/Seniser.png	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Neyayeneda/Neyayeneda_TopImg.png	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Malaromoro/bg1.jpg	50.115.122.45
hxxp://img.mediacodeccdn.com/img/Malaromoro/bg2.jpg	50.115.122.45
hxxp://rp.mediacodeccdn.com/?pcrc=433075020&v=2.0	46.137.168.245
hxxp://rp.mediacodeccdn.com/?pcrc=936244440&v=2.0	46.137.168.245
hxxp://idmsq.com/?lt=0&uid=c0322acd-5e5d-42f0-b163-c591ee6ff5b9&ver=1.0&st=0
hxxp://tenderapp.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox
hxxp://tenderapp.com/help/theme.css?1411153786
hxxp://tenderapp.com/help/assets/bd864201dc8228151a1ff655edaffcb7721b9d5d/ff-1_normal.png
hxxp://bootstrapcdn.jdorfman.netdna-cdn.com/font-awesome/4.1.0/css/font-awesome.min.css
hxxp://tenderapp.com/help/assets/52fa87b96a71a04a0d80b7343f44d46602cc1de0/ff-2_normal.png
hxxp://asset-1.tenderapp.com/pkg/frontend.js?1418315495	192.228.96.21
hxxp://asset-1.tenderapp.com/stylesheets/browsers/safari.css?1403743349	192.228.96.21
hxxp://asset-1.tenderapp.com/pkg/frontend-datauri.css?1418315495	192.228.96.21
hxxp://s3-1.amazonaws.com/entp-tender-production/assets/bd864201dc8228151a1ff655edaffcb7721b9d5d/ff-1_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=ouX2S0I7SUs1Os2e2G20xF8N0YY=
hxxp://s3-1.amazonaws.com/entp-tender-production/assets/52fa87b96a71a04a0d80b7343f44d46602cc1de0/ff-2_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=s65dw4M8YP0K3ce3BTsFQyJrvng=
hxxp://asset-1.tenderapp.com/help/images/btn-shader.png?1406414609	192.228.96.21
hxxp://bootstrapcdn.jdorfman.netdna-cdn.com/font-awesome/4.1.0/fonts/fontawesome-webfont.eot?
hxxp://asset-1.tenderapp.com/help/images/icon_post-standalone.gif?1406414609	192.228.96.21
hxxp://asset-1.tenderapp.com/help/images/icon_folder.gif?1406414609	192.228.96.21
hxxp://asset-1.tenderapp.com/help/images/icon_question.gif?1406414609	192.228.96.21
hxxp://asset-1.tenderapp.com/help/images/icon_problem.gif?1406414609	192.228.96.21
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j31&a=1060989401&t=pageview&_s=1&dl=http://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox&ul=en-us&de=utf-8&dt=How to enable Browser integration on Firefox / Browser Integration / Knowledge Base - Internet Download Manager² Support&sd=24-bit&sr=1716x901&vp=1700x804&je=1&_u=MEAAAEQAI~&jid=1951994937&cid=2028287059.1420514416&tid=UA-3465274-5&_r=1&z=126887211
hxxp://www-google-analytics.l.google.com/r/__utm.gif?utmwv=5.6.1&utms=1&utmn=748611471&utmhn=help.idmsq.com&utmcs=utf-8&utmsr=1716x901&utmvp=1700x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=How to enable Browser integration on Firefox / Browser Integration / Knowledge Base - Internet Download Manager² Support&utmhid=1060989401&utmr=-&utmp=/kb/browser-integration/how-to-enable-browser-integration-on-firefox&utmht=1420514415690&utmac=UA-44325255-1&utmcc=__utma=137078376.2028287059.1420514416.1420514416.1420514416.1;+__utmz=137078376.1420514416.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=1026289769&utmredir=1&utmu=qhAgAAAAAAAAAAAAAAABAAAE~
hxxp://tenderapp.com/favicon.ico
hxxp://c.global-ssl.fastly.net/nr-476.min.js
hxxp://beacon-5.newrelic.com.cdn.cloudflare.net/1/97c4857d94?a=16193&pl=1420514413608&v=476.c73f3a6&to=cF8IQBcMXlgEQ0lRBUJDSUcNDEU=&ap=79&be=31&fe=2116&dc=1592&f=["err","xhr"]&perf={"timing":{"of":1420514413608,"n":0,"dl":0,"di":23,"ds":1624,"de":1676,"dc":2105,"l":2149,"le":2150,"f":0,"dn":0,"dne":0,"c":0,"ce":0,"rq":0,"rp":0,"rpe":17},"navigation":{}}&jsonp=NREUM.setToken	50.31.164.188
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?589be4e8d8a31037
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?adc9910f119f41ff
hxxp://gs1.wac.v2cdn.net/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc=
hxxp://hostedocsp.globalsign.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68=
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1de102552581d208
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j+ApJVk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEDNX07ZjrJhmfq+DEaFNlEE=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.43.139.27
hxxp://maxcdn.bootstrapcdn.com/font-awesome/4.1.0/css/font-awesome.min.css	94.31.29.154
hxxp://help.idmsq.com/help/theme.css?1411153786	192.228.96.20
hxxp://www.google-analytics.com/ga.js	216.58.209.174
hxxp://asset-2.tenderapp.com/help/images/icon_question.gif?1406414609	192.228.96.21
hxxp://help.idmsq.com/help/assets/bd864201dc8228151a1ff655edaffcb7721b9d5d/ff-1_normal.png	192.228.96.20
hxxp://help.idmsq.com/favicon.ico	192.228.96.20
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.43.139.27
hxxp://beacon-5.newrelic.com/1/97c4857d94?a=16193&pl=1420514413608&v=476.c73f3a6&to=cF8IQBcMXlgEQ0lRBUJDSUcNDEU=&ap=79&be=31&fe=2116&dc=1592&f=["err","xhr"]&perf={"timing":{"of":1420514413608,"n":0,"dl":0,"di":23,"ds":1624,"de":1676,"dc":2105,"l":2149,"le":2150,"f":0,"dn":0,"dne":0,"c":0,"ce":0,"rq":0,"rp":0,"rpe":17},"navigation":{}}&jsonp=NREUM.setToken	50.31.164.188
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?adc9910f119f41ff	88.221.132.177
hxxp://help.idmsq.com/help/assets/52fa87b96a71a04a0d80b7343f44d46602cc1de0/ff-2_normal.png	192.228.96.20
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?589be4e8d8a31037	88.221.132.177
hxxp://www.google-analytics.com/r/collect?v=1&_v=j31&a=1060989401&t=pageview&_s=1&dl=http://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox&ul=en-us&de=utf-8&dt=How to enable Browser integration on Firefox / Browser Integration / Knowledge Base - Internet Download Manager² Support&sd=24-bit&sr=1716x901&vp=1700x804&je=1&_u=MEAAAEQAI~&jid=1951994937&cid=2028287059.1420514416&tid=UA-3465274-5&_r=1&z=126887211	216.58.209.174
hxxp://crl.verisign.com/pca3.crl	23.43.133.163
hxxp://s3.amazonaws.com/entp-tender-production/assets/bd864201dc8228151a1ff655edaffcb7721b9d5d/ff-1_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=ouX2S0I7SUs1Os2e2G20xF8N0YY=	54.231.8.8
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.43.139.27
hxxp://s3.amazonaws.com/entp-tender-production/assets/52fa87b96a71a04a0d80b7343f44d46602cc1de0/ff-2_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=s65dw4M8YP0K3ce3BTsFQyJrvng=	54.231.8.8
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	88.221.132.175
hxxp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox	192.228.96.20
hxxp://evcs-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEDNX07ZjrJhmfq+DEaFNlEE=	23.43.139.27
hxxp://maxcdn.bootstrapcdn.com/font-awesome/4.1.0/fonts/fontawesome-webfont.eot?	94.31.29.154
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	88.221.132.175
hxxp://asset-2.tenderapp.com/help/images/icon_post-standalone.gif?1406414609	192.228.96.21
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	88.221.132.175
hxxp://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68=	108.162.232.196
hxxp://asset-2.tenderapp.com/help/images/icon_problem.gif?1406414609	192.228.96.21
hxxp://update.idmsq.com/?lt=0&uid=c0322acd-5e5d-42f0-b163-c591ee6ff5b9&ver=1.0&st=0	209.239.115.60
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://asset-2.tenderapp.com/help/images/icon_folder.gif?1406414609	192.228.96.21
hxxp://asset-0.tenderapp.com/stylesheets/browsers/safari.css?1403743349	192.228.96.21
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1de102552581d208	88.221.132.177
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.43.139.27
hxxp://www.google-analytics.com/r/__utm.gif?utmwv=5.6.1&utms=1&utmn=748611471&utmhn=help.idmsq.com&utmcs=utf-8&utmsr=1716x901&utmvp=1700x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=How to enable Browser integration on Firefox / Browser Integration / Knowledge Base - Internet Download Manager² Support&utmhid=1060989401&utmr=-&utmp=/kb/browser-integration/how-to-enable-browser-integration-on-firefox&utmht=1420514415690&utmac=UA-44325255-1&utmcc=__utma=137078376.2028287059.1420514416.1420514416.1420514416.1;+__utmz=137078376.1420514416.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=1026289769&utmredir=1&utmu=qhAgAAAAAAAAAAAAAAABAAAE~	216.58.209.174
hxxp://www.google-analytics.com/analytics.js	216.58.209.174
hxxp://asset-2.tenderapp.com/help/images/btn-shader.png?1406414609	192.228.96.21
hxxp://js-agent.newrelic.com/nr-476.min.js	185.31.17.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j+ApJVk=	23.43.139.27
hxxp://asset-2.tenderapp.com/pkg/frontend-datauri.css?1418315495	192.228.96.21
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	88.221.132.175
hxxp://ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc=	93.184.220.20
ieonline.microsoft.com	204.79.197.200

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY Executable served from Amazon S3

Traffic

GET /pkg/frontend-datauri.css?1418315495 HTTP/1.1

Accept: text/css

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-2.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: text/css

Content-Length: 18770

Last-Modified: Thu, 11 Dec 2014 16:32:53 GMT

Connection: keep-alive

ETag: "5489c735-4952"

Content-Encoding: gzip
....h..T...}...F...`........6.....-.k........H.$,.....3.._....,.l.f..[
..H.* .....#....|u...U4.d...s....j.EOg.,_.k... ...-.1.....\n...u...n./
......2....<Y|X..a.^.Es....d..wW.t..7uV^%..:.L<.b.=..):7e.?....@
q.7......._...(.dW...l.!....2Yd.u^..|C..=.8,.]......n. ....."...UK..*6
.:s.'..].'i..VW.7..*<....../.E.f%}2.....W.S...y.,..H.......Y.W.Mrw.
[email protected]..&..c3Re.I..:[email protected]%....i...
.>.....bCF..x....'...#.......0I....yz.o.e.*...o.,[email protected].[Ox .6Y.Xm.
*...T.Z.}.:....j.............z&~.......>F...N..-..........S_.>P.
...CE.k.m.E.V._..S..o..&..}_.............cHv....l.X ;....,..6..(.._.tg
\.Q8..|...]..E...:6P......jMi.(q..k..*(.$.....cQ....c".b.C].;0.....cC.
..$..Xo...e...IIZ.q.D....d...R`.)rC.8...Z.J8t..b........E...Z_..CE.PB.
.J..J.D`<&3&."..I.x`/.>....U.f..LX1...t..p...!..d.x..4..}.$..T..
..Q.M6.I.gv5....\&.|sw......eR}...|...m. ..,2.a..|....Q"6.e..%..L..o..
`^...jt....ht.F.x...L.([email protected]..^..Q..^.A.......@..`h..:?.`..P.
..#.!'.b.1]N...x_Fj...:...N(u[.7.]..-W....g.g.-9aZsc.s8...:...?.a.dYk.
....'....M.;...F....(....:...a....fi~.z...j....N...`.H..XG..0.<..l.
.... ...#c........$.........{j.......,d\....J.?.I. ................~ x
V.(v.....{l..5...K.S... .}.AwuB.Z.\a.s..=-&.=.wR;q,C...;[..J.....M....
 .[.Dm)%..8..x.....$..B......p.....=. U.'. .1.....v%....0hj.` ....>
.. .5......[..(s.9X....o.H=[.#k.,8...........V08q>.....X{.aN6.....c
..v.6G............._...6....Mv4.I...........^[email protected]./P^zE
.  .\..X&:.}....K.jQf..Kv....=.t...Z.9i.s......}..7 ...X...[d...Mf
<<< skipped >>>

GET /help/images/btn-shader.png?1406414609 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-2.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:38 GMT

Content-Type: image/png

Content-Length: 142

Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT

Connection: keep-alive

ETag: "53d42f11-8e"

Accept-Ranges: bytes
.PNG........IHDR.............;.......tEXtSoftware.Adobe ImageReadyq.e&
lt;...0IDATx.b````d..L ..D...v...".A./....a.E0...s......<.w..(.....
IEND.B`.....


GET /help/images/icon_post-standalone.gif?1406414609 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-2.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:38 GMT

Content-Type: image/gif

Content-Length: 54

Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT

Connection: keep-alive

ETag: "53d42f11-36"

Accept-Ranges: bytes
GIF89a.............!.......,...............k~T....s-.;HTTP/1.1 200 OK.
.Server: nginx/1.6.0..Date: Tue, 06 Jan 2015 03:20:38 GMT..Content-Typ
e: image/gif..Content-Length: 54..Last-Modified: Sat, 26 Jul 2014 22:4
3:29 GMT..Connection: keep-alive..ETag: "53d42f11-36"..Accept-Ranges: 
bytes..GIF89a.............!.......,...............k~T....s-.;..

GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.omniroot.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/ocsp-response

Date: Tue, 06 Jan 2015 03:21:41 GMT

Last-Modified: Thu, 01 Jan 2015 15:18:48 GMT

Server: ECS (frf/8799)

X-Cache: HIT

Content-Length: 1406
0..z......s0..o.. .....0.....`0..\0......`;.l.uZ..k.F..^|A.Tb..2015010
1064605Z0g0e0=0... ........./Ev..Y..].....x.#......Y0.GX....T6.{:..M..
..'.G....20141203203331Z....20150331203831Z0...*.H.............H...y5p
...Z...%...y.......w.>1......XZ.5(.X....D......~.....G...."1...8J.g
.y..5.. }[email protected][email protected]..(..!..c.....r....&,|....G3...[.F..
(...;A<.{;Bs.%Q....M:8........G.nKu}.97.......p..?.n_.#..d.. [email protected].
.IF[...X.lP.;.5'...v...-.....*l.8. ...e.?.q\.....0...0...0...........'
..0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTr
ust1"0 ..U....Baltimore CyberTrust Root0...140122184236Z..150122184140
Z0G1.0...U....US1.0...U....Cybertrust1#0!..U....Cybertrust-Validation-
20110.."0...*.H.............0.........?....(Fb....G... ..=..(L..wK...0
4..I......C...1.Z......U.$b.f..Pa.....S...#..B.........^T..IP8........
..h8GM..*.4.MP..../[email protected]
.x....$..@@....q2...Uby.e......D....lf...C....ZP}O......7...mM..c.g..j
.\.>.O....G.A........0..0... .....0......0...U.......0.0...U.......
....0...U.%..0... .......0...U.#..0.....Y0.GX....T6.{:..M.0...U......`
;.l.uZ..k.F..^|A.Tb0...*.H.............. .p.)...09W..Z.......]....}.:.
.Vr.....c..U..:V^.O.....<...b*5.c.\.fF./....5'.>./ iS..R0..)..*.
!..q.h.T..ul.}&.......`.1".~.U....rB.BR.s..x..o..Y.......).4:.[.9.=...
.x...'.f..\ [email protected]:J!.hRH..!z2DtL.s2.r.....Yi~..E..AzO..i.."N
.$j...b...o..i."{(3....
<<< skipped >>>

GET /IDMSQSetup.exe HTTP/1.1

Range: bytes=6041600-11588087

Accept: */*

Host: d27jwl8eflbzdd.cloudfront.net

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 5546488

Connection: keep-alive

Date: Mon, 27 Oct 2014 08:44:48 GMT

x-amz-meta-cb-modifiedtime: Wed, 30 Oct 2013 06:25:15 GMT

Cache-Control: public,max-age=31536000

Expires: Tue, 31 Dec 2019 20:00:00 GMT

Last-Modified: Sun, 08 Dec 2013 08:59:07 GMT

ETag: "a5db064b5a4b9af4b0dc812b59206859"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 6041600-11588087/11588088

Age: 6114922

X-Cache: Hit from cloudfront

Via: 1.1 1191d5253eb958287113db8884fac7fe.cloudfront.net (CloudFront)

X-Amz-Cf-Id: -Tjp9qYHmCzeUwxo04nvhMWQNiQ2YECnGpFjinFuFTAvFV_VvvbNPA==
Ne.5..2 T....$K...........'..9..w.):.H.5. .......<M....|s~...>..
N..<...D.........G..r..G..&.'......q y.*..%$..j...$.....j. ......Z.
W.\.......z..#`6-..yW..V.L...Dd..f.....C../..`*.r...}JZ.@C...|..Z$e..t
O..A.....r..:....?E9.p..t,..%..QSA..m4.a....$....Y.>...8..1@v......
(?.8....{_....y...L}.\....1....L-6.>?}.>\3Di.z:H.1cU._.9m ....k.
.}%.jU.Z./.o'......N...........0........m..US{"l...Kj7.D.D....F8.F5...
..tw. .A.I.O...daruX..fBq(....&.....Ub.......m.......LD.7J...m.D{q..4.
....80..FO.7...v...l....P.US....nBcc.u.N..d..b:H%......._..q....Lq$..W
d......f..Q.JT?".u....u_..]. .....jJ~i,.........u...cd...4Y..N.'b .../
......~F&K..M..la%L...q.F\h!..[.;..%...ze...z....C...$`x...2_.._...E.7
n.....u.z75..i&....RS...Wz...L..L..J..*.E.]..s.A'!* XW,..:jS..il...9n.
.Q..c$..}j.?h...G....e(.}Q..T...S&~Sr8...7....T..,....1X...v..-pH.<
......Q$....r...)=............p.l..o/..A.......JQ;.........Z......A..}
......VDW.(..|..%..s......H.E.z/...wMs.s....\.....Y..;..s.........KLn.
.........0Z.....#.V.cx&....LpV;.M...~1Za.d...m.R...J~.o.8.q.-C..f..,..
.:ADL..pY<V..........s...#J.s.......9UO.m.c..).....K..@...>...8$
.,..%. :.QN4`..p. ..*2cK.6.h"1.....~hVe.]........)">E.^)...i...G..7
....&...2.,=d..v\..E........(........d..P.3..8..P ..>.h.o.s......3.
7. ....?..._.'...dh.......`.W..f.|.......^.o"\..3qW....i..!..5j...$...
.|......d..b...Po...\t.7.3..5..w~.....j?v.I.ud...Y6C.r.\.(A....$.. .M.
.-]....gK...o.n.jex...g..1....P..OH..$QL....V...}..p..B..Y........$..]
..)J..b.......e...ojEP...Gd...Vs.4..,..T..}A..a....k.^2_......:?.&
<<< skipped >>>

GET /IDMSQSetup.exe HTTP/1.1

Range: bytes=5222400-6041599

Accept: */*

Host: d27jwl8eflbzdd.cloudfront.net

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 819200

Connection: keep-alive

Date: Mon, 27 Oct 2014 08:44:48 GMT

x-amz-meta-cb-modifiedtime: Wed, 30 Oct 2013 06:25:15 GMT

Cache-Control: public,max-age=31536000

Expires: Tue, 31 Dec 2019 20:00:00 GMT

Last-Modified: Sun, 08 Dec 2013 08:59:07 GMT

ETag: "a5db064b5a4b9af4b0dc812b59206859"

Accept-Ranges: bytes

Server: AmazonS3

Age: 6114930

Content-Range: bytes 5222400-6041599/11588088

X-Cache: Hit from cloudfront

Via: 1.1 1191d5253eb958287113db8884fac7fe.cloudfront.net (CloudFront)

X-Amz-Cf-Id: wpmv_ygKhoAgBa0Jjqdl9ta64z5ZPbIc-COaqY1pKsQlxUsBpBwdjg==
x-..E.-..o..........;J.X.i..o.....N.....3m)..8../...T?...(........../.
q.&C.j|.@....'....o..Nk0vy..G<....qW......R4T%>.h."r....p....k..
C.wC..w'.67..Zf.......ji....Bn......1....?......}|h....'.41c..n..Og.*.
@c..d........8./@..^q..z...M.......B..#.KyV.L.?.........cHQ\..dC2S..EB
j....8s.b5c..B..i..h... .p ./.N0.\J1.{n.G.^8..Os.6\..r.......#.x.....U
..V..c.\..2k.^..l?fDl.9....j....F..bM..`..I.y.2.cICm.g.5.. E.....3.b..
f?.~..G{Z.nzZ...DrQ..q.....p.`.hX..n.T7.Ev.....6.V.U>.P.....^... %.
[email protected]!8.......|h.......*...>y...Z...9.Ld..q..qZl'.d.
.0Ucy'.]....L...wkA.T.Y.._.!...d...u...B.B.Z..y..N.T.Q..H%..a....,..*.
...1....uI.5\....&.fCn,.....-C...)..6......a.O5\;.D-..%*.E..[..F..@P..
.C...;[email protected]....)..[O.]."..\7.r.._1.2..ge....!B
{............w...d.~Y....MT..2..E..'......;%......w8.y......m}.."3.LJ.
<.....$/..>H...O.......J6q....O.I..%........>....Qfy..:z~.).4
;'"....~..O/Vl5...q.3." ...c.jmY.)l..u.. 3...-~..N.~..y6.....$../..z..
.........b.G...x....ytW..o....w...Z)...H....=....-W5...A....|.4,y..'..
.8....g%9U...XlP.%..^..Y....-.QG.........O.x....5..z.i\..-..X..}v.'.k0
.`.xy..3..kv.GO.V..".p.8:.k.m........#5..../....^...T......}.E.gXb..L.
...\._.......3...#`;}K?z`...D...I......K...{.....O..d8...q~V.....9...i
....zv......d.y.{J...'....|...wK{.8..........L.....g..j.C&......R.5|ig
2y.P..D=?.?..2..U5....../.xg$E.q.$..B.X..L8y...I.x....K.?<.....,.%.
.V......S.R#..J2.c-./.|..(.k{..../.....9:..Y.#6......X:$......}...4o.U
..d..q.Q.k.f...R)....M..Y....(...S%Yb.)..x;.R.R....O....#.....F..?
<<< skipped >>>

GET /img/Global/Yes_Button.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:11 GMT

Content-Type: image/png

Content-Length: 1091

Connection: keep-alive

x-amz-id-2: 5We06j1ob3UKoCrb6McVbqwhRlZsj0Fw80hBejHQ8QhqF6om86FS1RvT5ytzHrTe

x-amz-request-id: CE35DBF36D852432

x-amz-meta-s3fox-filesize: 1091

x-amz-meta-s3fox-modifiedtime: 1380713503006

Last-Modified: Wed, 13 Nov 2013 16:12:48 GMT

x-amz-version-id: .ffwqW.8iCK2_zdeBNvgWdy.OnUDjeHF

ETag: "3f27a393967d84f83a317f40351c0065"

Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D2B0E0924EA11E392EFCCF1
BDECC388" xmpMM:DocumentID="xmp.did:2D2B0E0A24EA11E392EFCCF1BDECC388"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2D2B0E0724EA11E392
EFCCF1BDECC388" stRef:documentID="xmp.did:2D2B0E0824EA11E392EFCCF1BDEC
C388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>..&X....IDATx...1..0.E.......... .d.6\.&.ND
H.v....9.{....)...D$k...O...T.[Sl.I....K.....S3..fB...2?w.....2...../=
#.3.E(B...E(B...E( ...E(..Z..f..)U..l9.....7...........I..w...).u*..P#
G...?...%....\.l....IEND.B`.....
<<< skipped >>>

GET /img/Global/declineBG.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:11 GMT

Content-Type: image/png

Content-Length: 1527

Connection: keep-alive

x-amz-id-2: DdegFWyDMNrzp2lfXYttiaZ7rWY9T0bVQm0Ha69aCIJ9fA4n7uJ0aeZy5fyOwMFA

x-amz-request-id: BA7667690535D5F6

x-amz-meta-s3fox-filesize: 1527

x-amz-meta-s3fox-modifiedtime: 1385033566667

Last-Modified: Thu, 21 Nov 2013 11:43:23 GMT

x-amz-version-id: TJNGNP9J.pYgtH1WelxAjMHRSvYRyHyQ

ETag: "c3671f6a6b3932da75a4c6b57cd45614"

Accept-Ranges: bytes
[email protected] ImageReadyq.e&
lt;...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap
/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
 xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xm
p.did:7496059F5C24E31185CEB55A04ED8505" xmpMM:DocumentID="xmp.did:9957
4DB952A011E39674B18426DE0A96" xmpMM:InstanceID="xmp.iid:99574DB852A011
E39674B18426DE0A96" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)">
; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:7EDADDF8E724E311B036
C0E7691E1950" stRef:documentID="xmp.did:7496059F5C24E31185CEB55A04ED85
05"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> 
<?xpacket end="r"?>...C...'[email protected]<..9i...RJi.v......
!.l..W.n....=.#.....~.;......%H.q8.0.. . .....u...4..... Hp*/.@#. . .v
$.H H H...4.....`G...R..uuy..m[.u}..g.%...i.!.a.S..}{...ww^k..#B.C^...
b.*..26a}._..-....8......F:?K.E...f...R.......t..RDh...S.x....)f.|8.O.
.'O.8......F.q./:...#..:N9.........\w.K\o#...k.o3...RykW.......LQyh...
{...#U{...^w..wS......A...h$@.@[email protected]$.$0..F....v..
@[email protected][email protected][email protected].......
...@#. ....H H`..........@#...F;.H H. ...4... H`G.....
<<< skipped >>>

GET /img/Global/No_Button_Hover.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:12 GMT

Content-Type: image/png

Content-Length: 1091

Connection: keep-alive

x-amz-id-2: PDQYo3q5pKhrhfrnXYbLfg/f341vA55By7ILbgZaQB4bIpG8tRjQ4iTEXVyIbqAK

x-amz-request-id: 10F6E3A777F7CC32

x-amz-meta-s3fox-filesize: 1091

x-amz-meta-s3fox-modifiedtime: 1380713503004

Last-Modified: Wed, 13 Nov 2013 16:12:47 GMT

x-amz-version-id: wNmfJwpUmazhRatL.BZxBG0x.XZldhEV

ETag: "6d55a62314755c1454569b2b098a3a9f"

Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2324EA11E392EFCCF1
BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2424EA11E392EFCCF1BDECC388"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2124EA11E392
EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2224EA11E392EFCCF1BDEC
C388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>........IDATx...1..0.E........8A9?=..h'.NDH
.v..b $.{....)...D$j...O;.v...I6....../.s.....f....2.>.......1..?..
...... ...E( ....."...P."..PWhFC1...R.N...g......~.9h..~*.\.Q..3l'....
.B.\.W...`.............IEND.B`.....
<<< skipped >>>

GET /img/Neyayeneda/Neyayeneda_TopImg.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:12 GMT

Content-Type: image/png

Content-Length: 5294

Connection: keep-alive

x-amz-id-2: Mjt3lxHbzo7Inm8EMUlBg4791NpDF1ILx9JWGcII22OjZqVY OKMGaIXOzn3x8Nl

x-amz-request-id: B31D47A5BED9AD47

x-amz-meta-cb-modifiedtime: Mon, 08 Dec 2014 15:35:18 GMT

Last-Modified: Mon, 08 Dec 2014 15:35:58 GMT

x-amz-version-id: FMo4KeFIwAQ6andjQM0juyaehifWTmdO

ETag: "e0b022bf564a4220d87633d0b4563314"

Accept-Ranges: bytes
.PNG........IHDR...|..........X}B....tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:1B681A367EED11E48669EED6
BBF0A632" xmpMM:DocumentID="xmp.did:1B681A377EED11E48669EED6BBF0A632"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1B681A347EED11E486
69EED6BBF0A632" stRef:documentID="xmp.did:1B681A357EED11E48669EED6BBF0
A632"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>...[..."[email protected]..
.......iP.l<#.MVA..U.W.#..#^ [email protected].....  ...p...[.L.f....\..zMw..].
.....0. @w..i..D..W..\&.W.d.W..;/O...e.dt...5VG"..=....l...yi)`;...;j.
......o.zl .uk$..........7..t7..Q.._..%.....\@.....w......$.d*.h..Cxq.
..........9%.42jc..yb............;i..w.h}D.}e....4U...V"...2.G^:...../
...,M.\!..e.q..l.2.......3.f..Y./..K...*=.a........H...]i...t.UAC.\.3.
.!`...y#.....h...|../.:c....V..UO.....we....-ka2.x.........q.8T.@.....
._<?.M...?..b....%.....m=;......#.m.A.5... o...=c].6..>...... .?
..F7.;1.. ..f....5R..........V'......%.F.......qvH.yO..&u'...<=
<<< skipped >>>

GET /img/Malaromoro/bg1.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:12 GMT

Content-Type: image/jpeg

Content-Length: 190754

Connection: keep-alive

x-amz-id-2: g7e4vGzmqyPPLbUHVHpNcVRCNNwOauGWBWZBHFKJicG3ZcKhJPxdVqtcH7hYCd82

x-amz-request-id: 1E42698893857F26

x-amz-meta-cb-modifiedtime: Sun, 16 Mar 2014 10:17:54 GMT

Last-Modified: Sun, 16 Mar 2014 10:45:33 GMT

x-amz-version-id: EqXw9hQ1szW0X1KVab90EKpMdqK_JEeL

ETag: "04007b142892c379ac83bd75ac617cf6"

Accept-Ranges: bytes
......Exif..II*.................Ducky.......d.....ohXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c01
1 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="
hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:A49514ECFC9DE3118
7F4F8E0F4860236" xmpMM:DocumentID="xmp.did:0699FCAEAA0111E389E68AC7CC9
63200" xmpMM:InstanceID="xmp.iid:0699FCADAA0111E389E68AC7CC963200" xmp
:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom
 stRef:instanceID="xmp.iid:069AD74DE0A9E311B383BEF54B638275" stRef:doc
umentID="xmp.did:A49514ECFC9DE31187F4F8E0F4860236"/> </rdf:Descr
iption> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&g
t;....Adobe.d.........................................................
......................................................................
....................0.................................................
..................................................!.1".A..Q2#.aq$..B3%
...4.....R..Ue&........................!.1..A"Qa.q.2#....B....R...br3.
..$.CScs.4.T%....Dt.U&............?..../*z..E].c..H..S..^g*...B....a.&
lt;.Q.....A ...$..M.>..M..........i6l{..p..rMdu..A1$...........r5W.
.S.......mmk......}u.......=#<...Dh...;.V.....N.r#;Q~...us..EO.
<<< skipped >>>

GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACBAcnqkc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.omniroot.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/ocsp-response

Date: Tue, 06 Jan 2015 03:21:41 GMT

Last-Modified: Thu, 01 Jan 2015 15:18:48 GMT

Server: ECS (frf/8799)

X-Cache: HIT

Content-Length: 1406
0..z......s0..o.. .....0.....`0..\0......`;.l.uZ..k.F..^|A.Tb..2015010
1064605Z0g0e0=0... ........./Ev..Y..].....x.#......Y0.GX....T6.{:..M..
..'.G....20141203203331Z....20150331203831Z0...*.H.............H...y5p
...Z...%...y.......w.>1......XZ.5(.X....D......~.....G...."1...8J.g
.y..5.. }[email protected][email protected]..(..!..c.....r....&,|....G3...[.F..
(...;A<.{;Bs.%Q....M:8........G.nKu}.97.......p..?.n_.#..d.. [email protected].
.IF[...X.lP.;.5'...v...-.....*l.8. ...e.?.q\.....0...0...0...........'
..0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTr
ust1"0 ..U....Baltimore CyberTrust Root0...140122184236Z..150122184140
Z0G1.0...U....US1.0...U....Cybertrust1#0!..U....Cybertrust-Validation-
20110.."0...*.H.............0.........?....(Fb....G... ..=..(L..wK...0
4..I......C...1.Z......U.$b.f..Pa.....S...#..B.........^T..IP8........
..h8GM..*.4.MP..../[email protected]
.x....$..@@....q2...Uby.e......D....lf...C....ZP}O......7...mM..c.g..j
.\.>.O....G.A........0..0... .....0......0...U.......0.0...U.......
....0...U.%..0... .......0...U.#..0.....Y0.GX....T6.{:..M.0...U......`
;.l.uZ..k.F..^|A.Tb0...*.H.............. .p.)...09W..Z.......]....}.:.
.Vr.....c..U..:V^.O.....<...b*5.c.\.fF./....5'.>./ iS..R0..)..*.
!..q.h.T..ul.}&.......`.1".~.U....rB.BR.s..x..o..Y.......).4:.[.9.=...
.x...'.f..\ [email protected]:J!.hRH..!z2DtL.s2.r.....Yi~..E..AzO..i.."N
.$j...b...o..i."{(3....
<<< skipped >>>

GET /1/97c4857d94?a=16193&pl=1420514413608&v=476.c73f3a6&to=cF8IQBcMXlgEQ0lRBUJDSUcNDEU=&ap=79&be=31&fe=2116&dc=1592&f=["err","xhr"]&perf={"timing":{"of":1420514413608,"n":0,"dl":0,"di":23,"ds":1624,"de":1676,"dc":2105,"l":2149,"le":2150,"f":0,"dn":0,"dne":0,"c":0,"ce":0,"rq":0,"rp":0,"rpe":17},"navigation":{}}&jsonp=NREUM.setToken HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: beacon-5.newrelic.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Set-Cookie: JSESSIONID=2475b1b7cf09f7e9;Path=/

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: text/javascript;charset=ISO-8859-1

Content-Length: 25
NREUM.setToken({'stn':1})HTTP/1.1 200 OK..Set-Cookie: JSESSIONID=2475b
1b7cf09f7e9;Path=/..Expires: Thu, 01 Jan 1970 00:00:00 GMT..Content-Ty
pe: text/javascript;charset=ISO-8859-1..Content-Length: 25..NREUM.setT
oken({'stn':1})..

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com

HTTP/1.1 200 OK

Server: Apache

ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"

Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT

Date: Tue, 06 Jan 2015 03:25:00 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..141210000000Z..150
331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ..
..>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r
../[email protected]?....0.A.HTTP/1.1 200 OK..Server: Apache.
.ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: F
ri, 19 Dec 2014 01:00:19 GMT..Date: Tue, 06 Jan 2015 03:25:00 GMT..Con
tent-Length: 933..Connection: keep-alive..Content-Type: application/pk
ix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc
.1705..U....Class 3 Public Primary Certification Authority..1412100000
00Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A..
...{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y
..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.
<<< skipped >>>

GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.msocsp.com

HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 03:21:41 GMT

Content-Type: application/ocsp-response

Content-Length: 1757

Connection: keep-alive

Set-Cookie: __cfduid=d3e4d66a64abaef43c4c8c2b866067c0c1420514501; expires=Wed, 06-Jan-16 03:21:41 GMT; path=/; domain=.msocsp.com; HttpOnly

Last-Modified: Mon, 05 Jan 2015 22:11:24 GMT

Expires: Sat, 10 Jan 2015 03:21:40 GMT

ETag: "6d85bb88c2d029b09b56acf4f73d710f2a5372c7"

Cache-Control: public, max-age=345599

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1a44c971d8ac1577-FRA
0..........0..... .....0......0...0..........<.|[email protected]|..2015
0105221124Z0..0..0L0... ........&."f........{5.....t..Q.$&..h"W.& ;Fb.
{.....Z..w...d..\.-....w.....20150105221124Z....20150109221124Z."0 0..
. .....0......20140105221124Z0...*.H..............F......]..&zR.Tb....
.. [email protected].....%. ...e...2%..A.H(F.....F.#...W$.`&.././G
...=..<.X'A.}.....k..h.X.. .kR....._...{.....N.&3.X..e.!tD.Cp......
..M....iR.$Fv.e..&....`@.b1.....5\._g?>[email protected]..>.....H.;..2..
.-.f.'PSB.MI.^.f'o4.W..7..q.^.:.b.....0...0...0..........Z..~..M..<
ZYJ....~.0...*.H........0..1.0...U....US1.0...U....Washington1.0...U..
..Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft IT1.0...
U....Microsoft IT SSL SHA20...141229205745Z..150314205745Z0!1.0...U...
.Should be ignore by CA0.."0...*.H.............0...........&!(..$.K...
."=f....x.d.._s.....j....9`..l.Z..............^f..u......-e.&.bG.(i.Q.
..........bEy...^7A...A..c....CF-&...e.7..7F....."..w...y.:..`.w{~..D.
x*.......x3Os......q...... S.fB .ig.....L..3......4E..}..7...M....e ..
.6.M.O.....<5:......r.....]..A.5........0..0...U..........<.|7..
[email protected]|0...U.#..0...Q.$&..h"W.& ;Fb.{...0...U...........0...U.%..0.
.. .......0... .....7....0.0... .......0... .....0......0...*.H.......
...........sa....^`.U.h.....(c[..j.|. ..#....3.5.?..L.....Z....J......
*.w...w.$.z..Y.d.....l.....G#.....o.\t.......(.B =..P..T....0./P.....z
.3....L.O3....z...Wxo..~.OeH....c.i.@."..?d.......=v(.....m..LN..PP...
.<.}T.X......K.&e.S...|....% ...(F.=k..~.j..C......4.....c...._
<<< skipped >>>

GET /kb/browser-integration/how-to-enable-browser-integration-on-firefox HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: help.idmsq.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Status: 200 OK

Set-Cookie: anon_token=0ba501628; path=/; expires=Wed, 06-Jan-2016 03:20:36 GMT

Set-Cookie: _tender_session=BAh7BzoQX2NzcmZfdG9rZW4iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1ZmUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9; path=/

X-Runtime: 73

X-XSS-Protection: 1; mode=block

P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"

Cache-Control: private, max-age=0, must-revalidate

Content-Encoding: gzip
252f.............].v.Hv..........vR."[v.{l.b;3stt|@.@."...-k$....Q..y.
<I.[...(...I2..cb......[....OO....g..............Yb..Y....!].r...-.
E.}\..<.i..,).o.....q....\ti...L.,g..,...mu1G.d......M?..|..>...
0.......W..-....9#~...(.n..K.do.9..=..'......6..$.*c.8.....d.....<N
:.r....%9...F...`.`w?<....ei...X.^..y.}C..1`..c.._.w ....X`t...D...
Xy...........@}.^...d9..vQ|..C4.."....h..>........I../..._z._......
.....w.}w....".[.0.tf....=.......".......{....._N1.hUo...${..ad......U
..M..uoe-..Qk..'...'?.R.....y.fE>.....xr.....l.J;....e. o..8g.....,
...I:d......s'..Tj.;.a.!m.#.L#.\.#...FQ.....Qz.tf,...Q...`y....a.k...c
......(1....w..t..sSll......>..5s..-..K/......|.8s.......(.<.yx.
!..nE...Wt.7..-rn.....-..L....e.z~#1A.oo./..AK.L...f.p.d7i2.]6..!s....
...,.!9X..s.=..N....r.L..r....._....^...eO..vFL......7x:......S...e...
.....cSG4.6.V......9.&...N....f-...{...B.X....dZ<...........L[K...b
.q.......t&. ..r.....9@..~...'...b..n....rN.t..z...*.n._g..... nom....
..........1-..Y$..9.s.....2...__zL<.....rzN..]E...d....v.'......n..
.....I...~...{.}7.....a...@h.......{n.....$I...g4...hg.i.^Y.'.i.ov^...
.'.rc.U.v..hm;..a..(...ij".#&.;j...z.......,..W.;.,-R.A..t.S....0.s...
...%[email protected]}...T.8.V$u&Z...xH.uI s....>...gc#8......_...@<
;m.i....$;4..`....p.....................n......... .bh...........<.
...h......0....{......Xu./\.mC.......4..b......H.#.a...=pZ)...l.O..J..
..@r..? r.)"..i....J.r..0.. .a........J.k....u.e...=1.."c.V.. ...*h...
[email protected]...*..e!o..
<<< skipped >>>

GET /help/theme.css?1411153786 HTTP/1.1

Accept: text/css

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: help.idmsq.com

DNT: 1

Connection: Keep-Alive

Cookie: anon_token=0ba501628; _tender_session=BAh7BzoQX2NzcmZfdG9rZW4iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1ZmUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: text/css; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Status: 200 OK

Cache-control: public, max-age=29030400

Content-Encoding: gzip
f0f.............[.n...~..s...1I6....y.^...<6....I6].....)..d{P..X.$
&)..........\...._.2-...O.....A......f......x..K...2.}w'..#'.X..=..R.i
.....%/.....\................7f.....g.sN.Z.......?.....?<=.......?.
v......]:.`.....>&_../_....c.B..bn.8..@v{8..:.-.Y).y\..FVy<....f
........?>......T(..nX.lZ.K3.m...&.\..U.qc:_.....0.../9].....v..(..
.[...Fm...G.N..3m...z./-...#o......d5.p.v..........&Y........g.z....r.
C..R...\rKnf4dx..4.;.S2...L..Y.Vi.>.qY...][email protected].?4.....*.
......N.....}...r.F....%...c.].4.r...m?y..g....;r..]..G$....:.!m.....z
d...$.....|4..n....-.....,..:..U &wV6|..2E..q....7..T..P'..c.R......r.
a.......H;*...}z.....)....*...Q...,mv..[.6.Q8.|...OU3N....--#..S.w.z0.
......L...C..)...sb.}.ph.s.-.Q..7|.Y..H=%.....Z).9..d.Dg.(..P.g[..^H..
t......#..n|.x...D..D%.....,.3....Y.Ls...H.x.g.#....N.6_V..[.}....p..q
.f....l........r....a5.\2.kQ..,..&e......Fd.`("..%....;].F. .E...7..lR
...E..Yy..,......1e.le1.2........DS.....P..W...s...c.....ca[.....4....
[B.uL.'4 ...@..(yY.;......,.~..tcx.%....;...M....}[...G#...Su@`.Y.L...
...D-..l<..-Gy.L-..iv..^6..3....p.._.,X.....K....po.X.fNO/.S..k.R7.
....8I.H...L'..?....c......!......R..3..T[.0..:.v*......(/`dJ...?.c!..
PQ..U.....>..V...g..../....K...E.g....S.fK#..G.l.xn....X..v..e.....
..3\&...IV5.L.........u ../.......=.b.\nFr.X...W.)...4].tU.......|....
....n..Hr......./.....HF...4!.Ka.JQ.c..r..(....F.y.1L...g.5xt....N....
..(V.d....M=...Vb......CNDG9......(..A%m.....d..X.......q.y.,T`....b.G
>d.h....N....*.e.....8h...E...QX3...F.}7.\. ..Db..%.`l.f3.qK..w
<<< skipped >>>

GET /help/assets/52fa87b96a71a04a0d80b7343f44d46602cc1de0/ff-2_normal.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: help.idmsq.com

DNT: 1

Connection: Keep-Alive

Cookie: anon_token=0ba501628; _tender_session=BAh7BzoQX2NzcmZfdG9rZW4iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1ZmUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9

HTTP/1.1 302 Found

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 280

Connection: keep-alive

Status: 302 Found

Set-Cookie: anon_token=0ba501628; path=/; expires=Wed, 06-Jan-2016 03:20:36 GMT

Set-Cookie: _tender_session=BAh7BzoQX2NzcmZfdG9rZW4iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1ZmUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9; path=/

Location: hXXp://s3.amazonaws.com/entp-tender-production/assets/52fa87b96a71a04a0d80b7343f44d46602cc1de0/ff-2_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=s65dw4M8YP0K3ce3BTsFQyJrvng=

X-Runtime: 16

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"

Cache-Control: no-cache
<html><body>You are being <a href="hXXp://s3.amazonaws.
com/entp-tender-production/assets/52fa87b96a71a04a0d80b7343f44d46602cc
1de0/ff-2_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1
420514736&Signature=s65dw4M8YP0K3ce3BTsFQyJrvng=">redirected&
lt;/a>.</body></html>HTTP/1.1 302 Found..Server: nginx/
1.6.0..Date: Tue, 06 Jan 2015 03:20:36 GMT..Content-Type: text/html; c
harset=utf-8..Content-Length: 280..Connection: keep-alive..Status: 302
 Found..Set-Cookie: anon_token=0ba501628; path=/; expires=Wed, 06-Jan-
2016 03:20:36 GMT..Set-Cookie: _tender_session=BAh7BzoQX2NzcmZfdG9rZW4
iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1Z
mUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU
2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9; path=/..Location:
 hXXp://s3.amazonaws.com/entp-tender-production/assets/52fa87b96a71a04
a0d80b7343f44d46602cc1de0/ff-2_normal.png?AWSAccessKeyId=AKIAISVUXXOK3
2ATONEQ&Expires=1420514736&Signature=s65dw4M8YP0K3ce3BTsFQyJrvng=..X
-Runtime: 16..X-XSS-Protection: 1; mode=block..X-Content-Type-Options:
 nosniff..P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"..Cache-Control
: no-cache..<html><body>You are being <a href="hXXp://s
3.amazonaws.com/entp-tender-production/assets/52fa87b96a71a04a0d80b734
3f44d46602cc1de0/ff-2_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&a
mp;Expires=1420514736&Signature=s65dw4M8YP0K3ce3BTsFQyJrvng=">
;redirected</a>.</body></html>....
<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Host: help.idmsq.com

DNT: 1

Connection: Keep-Alive

Cookie: anon_token=0ba501628; _tender_session=BAh7BzoQX2NzcmZfdG9rZW4iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1ZmUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9; _ga=GA1.2.2028287059.1420514416; _gat=1; __utma=137078376.2028287059.1420514416.1420514416.1420514416.1; __utmb=137078376.1.10.1420514416; __utmc=137078376; __utmz=137078376.1420514416.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt_customer=1

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:38 GMT

Content-Type: image/x-icon

Content-Length: 0

Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT

Connection: keep-alive

ETag: "53d42f11-0"

Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.6.0..Date: Tue, 06 Jan 2015 03:20:38 
GMT..Content-Type: image/x-icon..Content-Length: 0..Last-Modified: Sat
, 26 Jul 2014 22:43:29 GMT..Connection: keep-alive..ETag: "53d42f11-0"
..Accept-Ranges: bytes..

GET /nr-476.min.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: js-agent.newrelic.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: yzHJpmv3 aYZdtWRl/CseVibsCyocmXh5WIp pIA13DJR9OXnUVb2EMjweqEJSFuprVluRp9sH0=

x-amz-request-id: B9F6FDFEB5AB3B2F

Cache-Control: public, max-age=315360000

Expires: Thu, 31 Dec 2037 23:55:55 GMT

Last-Modified: Tue, 30 Sep 2014 18:19:08 GMT

ETag: "d131658362c40cedda15546bb81e9644"

Content-Type: application/javascript

Server: AmazonS3

Content-Encoding: gzip

Content-Length: 7069

Accept-Ranges: bytes

Date: Tue, 06 Jan 2015 03:20:38 GMT

Via: 1.1 varnish

Age: 5475071

Connection: keep-alive

X-Served-By: cache-fra1241-FRA

X-Cache: HIT

X-Cache-Hits: 76358807

X-Timer: S1420514438.553076029,VS0,VE0

Vary: Accept-Encoding
...........\.s....y...m]2.i.v..2.......c...;#....$6..... ......KV...v.
.x.......G.2.T.gN..W..J...x.n..s$&jf.2.v..^...*.........}&.K..L.8>n
.F.:9>.])T).^.......U^n..R.w.L..^K.K....,W.y...U....}.....e......1.
..u.U.ov...:...(LS'.l..',.D.@W..&b6..H'...pw<.uKwgKi.*s7.}.....<
....Jy...j9J.}. >IfnM.....I{...................P"..%Y............].
.J..R...7.....4...'qo....n......G.v...I.vS.......9s.j...[...f..h.....m
Hl.d.I.Y.2\...n...O..P2......P.k1qkuz...`..e......~..C..fk2..A..K..K..
~.n.c..{....i...O.U..gx..E^....G...OC#...?.5..$......z.g..<..k...$.
,l...v.Y..Y.x..v.}z6uK'..Y...`.....983..*...3!#......!.Db.)a..YCpy,R.D
.*.j"@b....!.l.5..SD..U...'3.o Z...M7.)be..(..7b'4A.)...J..B.w.J8.....
...kN...Xc. .k.A.......P64..d%....`<../-....;... s..O.`.0.S..`H.A.h
....5..)T.....?............v$.....[^*.^4w.7R...)|(....r6..?....h..>
[email protected].. ..[.'.}.(.."..X....^..u..Z.\O.u.F.I!q....N......l.R. a:
Hp.>..ZT.$..4A.h.z...V...5.s..N5..9...].L...q(...L. .{.E.....y...g.
.K'....."4..H....qbs..Q...1..*i....C.I8s.=.9............Ux..X:..a.....
.._......o....b.;J.-.`....q{.PI.Y....|..9{.|...7./.F......).].........
...x........vZ...q;-R..................$..."4.........../.. ~.k.bx.a..
"a.F..R.c.T.g..2OG.r....w....m../%*...B%...d.0y..cC8t..f...^...\A..H.h
...Xi.]D2Y....G[.0%.....mh ..BB;........;%..p..Y.j......;.'p........G.
.....B5....a.....T.K..[0......[......U...E1........(D...K.y...0...M..R
..<>F..n.:.}..X5...\g..4.3!......~O{.4........*.J....D...A..h..w
.8`Z..q.R..U....<S....R. ......]......... 2O.l.R.X....!.A....ZU
<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 812

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT

If-None-Match: "a2f3ff97eeecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT

ETag: "a2f3ff97eeecf1:0"

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 03:22:11 GMT

Connection: keep-alive
....


GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT

If-None-Match: "3e1c83923e1cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT

Accept-Ranges: bytes

ETag: "d2e35dc7e31cd01:0"

Server: Microsoft-IIS/8.5

VTag: 4389615400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 03:22:11 GMT

Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......30... .....7......15032
0224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c
.{[email protected].^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo....
_...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..
A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.]....
.uki~......


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT

If-None-Match: "58cddbea90dfcf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT

Accept-Ranges: bytes

ETag: "9a9a44d511bd01:0"

Server: Microsoft-IIS/8.0

VTag: 438346843700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 03:22:11 GMT

Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......10... .....7......150318222600Z0...*.
H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-
....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q&
gt;[email protected].('..e...Y..Bo..q..........I....'....i>
..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az.....
[email protected]/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modifie
d: Fri, 19 Dec 2014 06:02:00 GMT..Accept-Ranges: bytes..ETag: "9a9a44d
511bd01:0"..Server: Microsoft-IIS/8.0..VTag: 438346843700000000..P3P: 
CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR S
AMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Conte
nt-Length: 550..Cache-Control: max-age=900..Date: Tue, 06 Jan 2015 03:
22:11 GMT..Connection: keep-alive..0.."0......0...*.H........0w1.0...U
....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corp
oration1!0...U....Microsoft Time-Stamp PCA..141218221600Z..15031910360
0Z._0]0...U.#..0...#[email protected].. ..5..0... .....7.......0...U......10
... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\...
.F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D..
.......-.>...(...g.0.S.[?...T4q>[email protected].('..e.
..Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..
<<< skipped >>>

GET /analytics.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 02:32:55 GMT

Expires: Tue, 06 Jan 2015 04:32:55 GMT

Last-Modified: Thu, 13 Nov 2014 21:10:00 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 11158

Cache-Control: public, max-age=7200

Age: 2863

Alternate-Protocol: 80:quic,p=0.02
...........}{w.:.........Du..p8IMV.........,.ih.....6.g..{K..4<3..w
.....[..K..L.*...~ps!.{RFz.F...~...|<..a&N...0.].XF..}[email protected].
.....".nR.M..=....$.gy...P`(.5..P..T..z<.J{.W.%2..8..s..SO\!....'~.
........S......s.....Je;Y...i......A...;.MPn....>RO"o0R......O...r.
6..u.]c..T..z.'.....v1.t...h..c...=q.1He.|..x<@[email protected]..
>M<..F..>.Y......M.Q".'r:.>......g.t...a/C...x..12....}..s
?....W&S ..O.'...0/.R.{..z..L...8.yb$...~Of....1..LQ..v.'^F..Q...C....
.N....Z..c......=.u....?..PQ..}!;q7..g&. *U<..>U.QY...R..s.m.j5.
..][...0<..PP....h..{c{[..a...L..k!F........./^..z........G.>~..
..7. `.w..y68.....I6.....]olln=x......x.:..N.Ss....e7z.y..=/.z...f..y.
..f,..H..gZ.....x..E.-........E;...V...4..]T8....n...xU;O....^0...5t.b
.O.. .\[[ol.2T.!v.Ta#T1.N.I..=4...F....HR..E&K..m.y..~.{.xr|%...m.Z...
.jz.Ld...v8.L1..9....K..Q..S.....*..Z..T.w.L..k...Ky....."L?..../.X.z.
o<.....?7}.D..d....e..^....'....}...bE.J%....2.N9.mm......h<.)".
..n0....L\....8..>.]....@}.q.A.'z...g.{q)....f.D.5...?..,*.=K..*...
... CN...G.I.J1...A....C... X..O.\...7.{E..z..t>...k...D..k...h..[k
C~<.z.y....nka.z.....`G>..[@.L\/[email protected]....,.O....q...Lh.[..m
[email protected]%Z.....,oo....?M..=..|&~/Y.F...[[.N....
u.=C3..#/...N(v.XE81I4...h.-U."..i.T...4.*:[email protected].;=.....
8.`.g3=..{.)>...6..#...|S^nf#g.z.s.K.........Y.cC...U;c^..6.:@vU...
i/..m....i..L....|s......x.....[.v1@...(.g...]...bP..Z...=.....D.D.HM.
Y.....IXk..8..j. ..ag$....n.....A'...O..._..v..,.G..`..!...rM..o.V
<<< skipped >>>

GET /r/collect?v=1&_v=j31&a=1060989401&t=pageview&_s=1&dl=http://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox&ul=en-us&de=utf-8&dt=How to enable Browser integration on Firefox / Browser Integration / Knowledge Base - Internet Download Manager² Support&sd=24-bit&sr=1716x901&vp=1700x804&je=1&_u=MEAAAEQAI~&jid=1951994937&cid=2028287059.1420514416&tid=UA-3465274-5&_r=1&z=126887211 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Tue, 06 Jan 2015 03:20:38 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Alternate-Protocol: 80:quic,p=0.02
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Tue, 06 Jan 2015 03:20:38 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..Alternate-Protocol: 80:quic,p=0.02..GIF89a.......
......,...........D..;..

GET /help/assets/bd864201dc8228151a1ff655edaffcb7721b9d5d/ff-1_normal.png HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: help.idmsq.com

DNT: 1

Connection: Keep-Alive

Cookie: anon_token=0ba501628; _tender_session=BAh7BzoQX2NzcmZfdG9rZW4iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1ZmUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9

HTTP/1.1 302 Found

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 280

Connection: keep-alive

Status: 302 Found

Set-Cookie: anon_token=0ba501628; path=/; expires=Wed, 06-Jan-2016 03:20:36 GMT

Set-Cookie: _tender_session=BAh7BzoQX2NzcmZfdG9rZW4iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1ZmUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9; path=/

Location: hXXp://s3.amazonaws.com/entp-tender-production/assets/bd864201dc8228151a1ff655edaffcb7721b9d5d/ff-1_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=ouX2S0I7SUs1Os2e2G20xF8N0YY=

X-Runtime: 18

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"

Cache-Control: no-cache
<html><body>You are being <a href="hXXp://s3.amazonaws.
com/entp-tender-production/assets/bd864201dc8228151a1ff655edaffcb7721b
9d5d/ff-1_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1
420514736&Signature=ouX2S0I7SUs1Os2e2G20xF8N0YY=">redirected&
lt;/a>.</body></html>HTTP/1.1 302 Found..Server: nginx/
1.6.0..Date: Tue, 06 Jan 2015 03:20:36 GMT..Content-Type: text/html; c
harset=utf-8..Content-Length: 280..Connection: keep-alive..Status: 302
 Found..Set-Cookie: anon_token=0ba501628; path=/; expires=Wed, 06-Jan-
2016 03:20:36 GMT..Set-Cookie: _tender_session=BAh7BzoQX2NzcmZfdG9rZW4
iRWE0MzE2OWYxYjE4YTAyM2JmZjg5YWI3N2MxM2MxYWQ1YzBjYWZmNjFmYjMyOWI5MTA1Z
mUyMmYwOWQ2ZGU1OGU6D3Nlc3Npb25faWQiJTM4Mzk0ODE5ZDhiYTAxM2ZhYWNlNmI4YmU
2MjgzZGEw--6637acfc5323e9146158bea4fdec510dd08ab4e9; path=/..Location:
 hXXp://s3.amazonaws.com/entp-tender-production/assets/bd864201dc82281
51a1ff655edaffcb7721b9d5d/ff-1_normal.png?AWSAccessKeyId=AKIAISVUXXOK3
2ATONEQ&Expires=1420514736&Signature=ouX2S0I7SUs1Os2e2G20xF8N0YY=..X
-Runtime: 18..X-XSS-Protection: 1; mode=block..X-Content-Type-Options:
 nosniff..P3P: CP="ALL DSP COR CUR ADM DEV OUR IND UNI"..Cache-Control
: no-cache..<html><body>You are being <a href="hXXp://s
3.amazonaws.com/entp-tender-production/assets/bd864201dc8228151a1ff655
edaffcb7721b9d5d/ff-1_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&a
mp;Expires=1420514736&Signature=ouX2S0I7SUs1Os2e2G20xF8N0YY=">
;redirected</a>.</body></html>..
<<< skipped >>>

GET /help/images/icon_folder.gif?1406414609 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-2.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:38 GMT

Content-Type: image/gif

Content-Length: 71

Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT

Connection: keep-alive

ETag: "53d42f11-47"

Accept-Ranges: bytes
GIF89a.............!.......,.................c..F.*....}....8......]..
;HTTP/1.1 200 OK..Server: nginx/1.6.0..Date: Tue, 06 Jan 2015 03:20:38
 GMT..Content-Type: image/gif..Content-Length: 71..Last-Modified: Sat,
 26 Jul 2014 22:43:29 GMT..Connection: keep-alive..ETag: "53d42f11-47"
..Accept-Ranges: bytes..GIF89a.............!.......,.................c
..F.*....}....8......]..;..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQckPwgwK2Thdm9JYVwXQ4ERz3XDQQUo47PGUI9MeGrIYmEbcvZeaKysloCEDNX07ZjrJhmfq+DEaFNlEE= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: evcs-ocsp.ws.symantec.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1776

content-transfer-encoding: binary

Cache-Control: max-age=368138, public, no-transform, must-revalidate

Last-Modified: Sat, 3 Jan 2015 09:38:51 GMT

Expires: Sat, 10 Jan 2015 09:38:51 GMT

Date: Tue, 06 Jan 2015 03:25:06 GMT

Connection: keep-alive
0..........0..... .....0......0...0..........U.>K....c..Otk/...2015
0103093851Z0s0q0I0... ........... ......%.p]..G=........B=1..!..m..y..
.Z..3W..c..f~....M.A....20150103093851Z....20150110093851Z0...*.H.....
........=..h.t..o....f;..O\<..s.Au)..>..[...t...WSv0.hK........G
.Ho.9....V.J/7..N..`L.EvY|v4O..`A.7.m"..zQC}..E.YX.P.$L...z......W...t
t....|....%e.qS.Vr.S).....~H.|.......v|HoX..b.?.Z...`[email protected]
`..8.6......."..6.=4......Lo.e.....?../.q.8r..z....3.....&......0...0.
..0..........`.....rX.xR....q0...*.H........0..1.0...U....US1.0...U...
.Symantec Corporation1.0...U....Symantec Trust Network1=0;..U...4Syman
tec Class 3 Extended Validation Code Signing CA0...141016000000Z..1501
14235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Sym
antec Trust Network1I0G..U...@Symantec Class 3 Extended Validation Cod
e Signing OCSP Responder0.."0...*.H.............0............Mr......2
 .....C..).l..;.ig.n..b.b....m..}h.m.;..Y.......t....._.;4.....m......
.6n...{.c....8S.FU .x...#$....3^....h.......}G3.w.m^[..O....>'.cm..
l.?.......&.. .E...(....dRZ...C...U4...x.8a.Ubc......;.a...Sj.....|c..
....:.O...8....3l".q..N...H.,......-........[0..W0...U.......0.0....U.
 ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b
.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by referen
ce liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U...........0... 
.....0......0"..U....0...0.1.0...U....TGV-B-20650...U.#..0.......B=1..
!..m..y...Z0...U..........U.>K....c..Otk/.0...*.H.............~
<<< skipped >>>

GET /ga.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 01:37:08 GMT

Expires: Tue, 06 Jan 2015 03:37:08 GMT

Last-Modified: Thu, 13 Nov 2014 21:10:00 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 16068

Cache-Control: public, max-age=7200

Age: 6210

Alternate-Protocol: 80:quic,p=0.02
...........}kW.:..w~....c...pk..f....--..M..dY.!Wb.KK.o.gF.-'..9...vob
{t..Fs..O.".........9..@.#......?... e!...qg.I...A"..N_.').x.I........
.I.Dr6}...|$].B..X...`...Ao.. .fQ.....x8..\..8....a..0............{...
a}x.W|..:l..}.. ...u4....#.%O.AO....k.N[..a....&....tx..;.....'..:.N!y
..Gg....9..a...7....cH>.bw...0..a.a..p5.1d.o|4.=8l.1&.D..,.X.5f..`.
..s.....[....&p:.H.........x......A.9h#.^..>.  ...:...N...,H.1...;.
....b..&a.;....o;.b......v.....N.wr..... ...z.......o..,Wjj8......j.r.
/.Y..RI.6.(........T....Dq....l.0.c.[1.o..h.R....ju..........,;...i...
.^.....T....|tV.L....;..i^S...-q........[Wup...~.......}.r .W.x..{-...
Cd..k.V....A..^;.n...?.N...^.|..bc{.._...h.w=...f..}.U}...|...........
[..62...Q....Cw.EV1..>..`..Q.cC.`..0...\v.:.'.....L.$.1.\O.C.......
.B..A^2b..<..%....A%|.E...@N:I*.Y5.A.F.."h..... .^Y)|..L.2D...pqYc.
......@..#Y(...J..#w...S.....70.. .;...Y....3..k.........@....&c..J.;.
...Q....R5.M...x.=`.<.f.U....C.{..>....{...t.....i>..Yk..@e..
v.Cf5........o`.Z..V.....V)..9.....^u...X.....}.N.O....~...-......D..V
.2o.F.......,Le.."J9.....k...r...#.w.i.!.......oe...a..QA.u.......4.X.
...{5...Vs..t.0. ...n<..j.y...`-^....uBtf.Gu. S[[.YU...T.._.lP.....
(o@=1.-N....?....V>&."...'..d..:.sS..Kq....].UySz5..3..$.<.{..".
%.Iar\Y.WVt\....;[email protected])....x.7k..T..Di..T....
..q..4.5..h....N...... T;.T5SB=.f0.....k............Vh..E.b...Dz....V.
...u....5...F...A...CX7.e..R9.....Ym5..e|......5..-..]W.u..H...m..J.5k
..nT...t!...._|.{<I..!F...j{..-..........).s~g.j....$T.-!.....Z
<<< skipped >>>

GET /r/__utm.gif?utmwv=5.6.1&utms=1&utmn=748611471&utmhn=help.idmsq.com&utmcs=utf-8&utmsr=1716x901&utmvp=1700x804&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=How to enable Browser integration on Firefox / Browser Integration / Knowledge Base - Internet Download Manager² Support&utmhid=1060989401&utmr=-&utmp=/kb/browser-integration/how-to-enable-browser-integration-on-firefox&utmht=1420514415690&utmac=UA-44325255-1&utmcc=__utma=137078376.2028287059.1420514416.1420514416.1420514416.1;+__utmz=137078376.1420514416.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmjid=1026289769&utmredir=1&utmu=qhAgAAAAAAAAAAAAAAABAAAE~ HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Tue, 06 Jan 2015 03:20:38 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

Alternate-Protocol: 80:quic,p=0.02
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Tue, 06 Jan 2015 03:20:38 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..Alternate-Protocol: 80:quic,p=0.02..GIF89a.......
......,...........D..;..

GET /font-awesome/4.1.0/css/font-awesome.min.css HTTP/1.1

Accept: text/css

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: maxcdn.bootstrapcdn.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Wed, 14 May 2014 20:41:32 GMT

ETag: W/"bbfef9385083d307ad2692c0cf99f611"

Server: NetDNA-cache/2.2

Expires: Fri, 01 Jan 2016 03:20:36 GMT

Cache-Control: max-age=31104000

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

X-Hello-Human: You should work for us! Email: jdorfman [email protected] or @MaxCDNDeveloper on Twitter

X-Cache: HIT

Content-Encoding: gzip
14a3.............\I..6.....i....V:..k.z.....n..}..\(..`.BTi......H~O!U
=.....R||.>...._...6..l...a....wg...RW.M.....O....u.mN...~.."J.....
.?...^?..4.Iu..F.{?.a..O?o..o?o...~....r.....l...q.!..U.0o~,......w.?.
..c..........s..3..M..^.7..._...}...........uS.......97ei.....^[.....=
.gWU.yL.........C7..=....3..o...3...........*l.....ph......^k./.^U...}
[...mj..,.]..Iql.S...4N.s.C...(.-..#.?;7.ls<.f....7.....d..........
......[.a......?s.8......<.n..3.!..!S7..<v/3.;s.....{|........G.
't....m9.hN...;u.{....e..t......~kuY..d......YwG...vW.9....i..ie.#tdM.
..........u..3.....h......`>.....8..........j...L.U\..-6#w]i:^....x
s....\)[email protected]{O...c.=.ti......c]g.G.[U;=..........~wc...]...W8.9..
.s{...yc......;.?ov..6.m.`6.o.....d..m......pK..k....7a..?...C.....C..
=.....?...I...C !....k..rO...p...e.l...G.]j.a#>........<M.......
...5..C...-...??.....O.....\....?to...>.&..U}.$.7.}...Ozj...Pn.6.M.
........\.nei...0..o&si..75........vw.p}.......]Z..M........!...m..\g.
xs..c..~.9..s......gd.z {}~..Wm......].....du.....=K..f.%Nm.....]"Z.^b
......x.V...-7hvR...H./.$.7.....-K.Ya.L.|.E[..l...X....0|H.$....6..ls2
..:.2...c..64.....v......v.k.......md[.W..........y$.*..H....N"..R...&
.!s".>R... .\c.Awb...=1.m..{.(.Z.b;....~...SF....4.L#.jn.j....#Iq2.
.....K..HPF.x"Y[..'..,.........g.e..I....<.]..@......>..(...t...
|...8..... .8..S.D.... .D.t)..L...!{Z..&4.....].'..."K.. .........E$.\
.?:.-..6.P...q...3.!.A@...:Su..e.....'.)...!.0.av.DUk.2;...e{".N....x"
?.L. .y.d.*uT;..d......].J..;.$'.."a..X;`0...j. wN.[..o'7N..1..%. 
<<< skipped >>>

GET /font-awesome/4.1.0/fonts/fontawesome-webfont.eot? HTTP/1.1

Accept: */*

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Origin: hXXp://help.idmsq.com

Accept-Encoding: gzip, deflate

Host: maxcdn.bootstrapcdn.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 03:20:38 GMT

Content-Type: application/vnd.ms-fontobject

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Wed, 14 May 2014 20:41:33 GMT

ETag: W/"90186830c9c50a0fed932494581761d9"

Server: NetDNA-cache/2.2

Expires: Fri, 01 Jan 2016 03:20:38 GMT

Cache-Control: max-age=31104000

Vary: Accept-Encoding

Access-Control-Allow-Origin: *

X-Hello-Human: You should work for us! Email: jdorfman [email protected] or @MaxCDNDeveloper on Twitter

X-Cache: HIT

Content-Encoding: gzip
400a............t.eP.N..w.[..w.wVVV......n.;....Bp'8...... ..........y
{....o3U.@. ......7..........S.........cP......?.. .p.......?.........
.`...S;....`........#...8..3............p..r...........2..R..........o
..o..")......U.I.....P:]....<...m.,4..ER\...ZL...).%...........!!T.
..t...0..."...<\.. .W....(.\$1ek..Z*...{Z2...q...u...e.0*<......
.WN.9\.|..{.Yu....*.d.....&....lI...o...3..9.l.c.l..\ _./...B.(..o3.F.
w^!......y.n...T.Cb..j...m~.......Q.....Yq7f...>2=.....u.j......P..
....?......6....?. r<x...1.4.2..c..$....~...[..e.v..B........`..qKq
...q.5..Z..Y..~..*I..I.....5.........s~....:.PS...9u."....2...........
f.G..O..$.A..c.....i.d.......x.6a<.x.......i.8b..1....u..p.._......
..S....3XM...8..s..q.J...J.....c......6.k"....y...5#.RB...hX.{/D b.?..
.v.(./?......"....Z4....Y&.....68....Az.,6...S._4.t7X.......6}....$O..
Y ....B.>M.@_.g^E..i.....c.w........n..?...Q.8...TK=.|\.*..........
P..~..I.....~a.W.#.N.........F.Gs........O.B .-H...@h..._B.G...m/..:T.
...%..*..m.T..^8e.}..$.!.^ .2.W..MCX..$=.].kx.......Z.@........:..?..[
.R...I.B.,.m9;Gw.....e7........?.......VG.f.......F%.p.=h...[.W.:...."
.z..p,.v./.N....C .5....]W..U*1..=F.. 1Q~.....%(...X.bM...6...l,..V.6.
e.X.5v...qyCK..^..!T...'...........-z~....O.t.lz....7r.8..8.......y.S.
8I.&B9.......\...&.j. ...9x}.........U.9...5...1.\.q84=';|..7..GY.....
......M.X*/.gk.....M.......J..W0.2%...O.FVw N.r...._.........]7.:.O...
.....JS....^e.-.....|....X............,.\;E>.DK.....=9I...1L6..S.V.
$).....xW..{Z...,.W.....[..Na.......T.. 6......rl.P..[n...)..i. l.
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?589be4e8d8a31037 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Tue, 06 Jan 2015 03:21:40 GMT

Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Thu, 03 Jul 2014 23:34:12 GMT..ETag: "0b2464b1797cf1:0"..C
ache-Control: max-age=86400..Date: Tue, 06 Jan 2015 03:21:40 GMT..Conn
ection: keep-alive..

GET /stylesheets/browsers/safari.css?1403743349 HTTP/1.1

Accept: text/css

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-0.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: text/css

Content-Length: 602

Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT

Connection: keep-alive

ETag: "53d42f11-25a"

Accept-Ranges: bytes
@media screen and (-webkit-min-device-pixel-ratio:0){.  .admin-functio
ns ul.actions ul { .    margin-bottom:0; .  }..  #search .searchfield 
{.    padding: 5px;.  }.  .  .form-actions ul.progressradios li input{
.    position:relative;.    top:-1px;.  }.  .  ul.gridchecks li label 
input{.    top:0;.  }.  .  ul.checkboxlist li span{.    top:0;.  }.  .
  .gbutton {.    padding: 6px 12px;.  }.  .  .inline-form dl.form .gbu
tton {.    float: none;.    display: inline-block;.  }..  .inline-form
 dl.form.fbtns {.    padding-bottom: 19px;.  }.  .  .inline-form dl.fo
rm .gbutton {.    padding: 6px 12px;.  }.}HTTP/1.1 200 OK..Server: ngi
nx/1.6.0..Date: Tue, 06 Jan 2015 03:20:36 GMT..Content-Type: text/css.
.Content-Length: 602..Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT..Co
nnection: keep-alive..ETag: "53d42f11-25a"..Accept-Ranges: bytes..@med
ia screen and (-webkit-min-device-pixel-ratio:0){.  .admin-functions u
l.actions ul { .    margin-bottom:0; .  }..  #search .searchfield {.  
  padding: 5px;.  }.  .  .form-actions ul.progressradios li input{.   
 position:relative;.    top:-1px;.  }.  .  ul.gridchecks li label inpu
t{.    top:0;.  }.  .  ul.checkboxlist li span{.    top:0;.  }.  .  .g
button {.    padding: 6px 12px;.  }.  .  .inline-form dl.form .gbutton
 {.    float: none;.    display: inline-block;.  }..  .inline-form dl.
form.fbtns {.    padding-bottom: 19px;.  }.  .  .inline-form dl.form .
gbutton {.    padding: 6px 12px;.  }.}..
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEGxZ76nhAOEO4wa6j+ApJVk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=565969, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 16:34:36 GMT

Expires: Mon, 12 Jan 2015 16:34:36 GMT

Date: Tue, 06 Jan 2015 03:25:05 GMT

Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015010
5163436Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..lY...........)%Y....20150105163436Z....20150112163436Z0...*.H.....
...........5.X.UF..'..........f...3K...*....W....=zC...7..>.aa..JY.
.D....{w...n.......c..w.T/,'.vG....xL..j....{J....}...&g.....`7.......
A<";i.(............:R.1...?..@..=......jc.F...R=Z`(...0...1.R.8.eS.
W(..]R.J[/.Y.d.........\9.|......v......z......t.lk.r...i.......0...0.
..0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...141202000000Z..151216235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
 Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Cert
ificate 30.."0...*.H.............0...............2&..PL...,..2....:..t
H...`JG.%..*...s.c%[email protected]"1.5?..s..
...3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$".
.$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.
6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E...
.0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.
symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0
!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U
.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5
<<< skipped >>>

GET /entp-tender-production/assets/52fa87b96a71a04a0d80b7343f44d46602cc1de0/ff-2_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=s65dw4M8YP0K3ce3BTsFQyJrvng= HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

DNT: 1

Connection: Keep-Alive

Host: s3.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: 4J9F3PzQ9GQjiVrQqWyaInW5ZW49pVdJ6LIHGROrSiVu06gImrXZm/Fb0sqHk qU

x-amz-request-id: 017AB64110DF70C0

Date: Tue, 06 Jan 2015 03:20:37 GMT

Last-Modified: Fri, 27 Sep 2013 08:52:02 GMT

ETag: "fe088463731f9089a6857311f038d342"

Accept-Ranges: bytes

Content-Type: image/png

Content-Length: 91994

Server: AmazonS3
.PNG........IHDR.............Iq<....=iCCPicc..x..SgTS..=...BK...KoR
.. RB..Ti........@......"....q....."..A...y.(..(6T....}...7o....9g...}
>.F`.D....dJ.....<6..'w..T [email protected]@..n....8..
P.....$......B....2r.2..2....t...%..[.....j..;e.O..v.$....(S*.@..@&...
....X......`.(...s....`.....`....).d....`...S......GE...3.(...x.W\!.S.
...d....T.n!...\].x.87C.P.........ee......3...FvD.....9;.:;.8.:|......
.....?........E................e..../.....B..._......T.B.fg...k ..m.._
......_......................2..r<[&..q.?......wL..'..b.P.GK...i...
..$.I...H.........k.`.~..B[P...... ...%....w.......1...w..0....h......
................4P.6h.>.....#..;x....P..8X.BH.L.C.,.UP.%...B...Z..F
8.-p.........<.^...0.o`.A.2.DX.6b.."..#.Ef!~H0...!.H."E..Rd5R..#U.^
....9..E.!=.=...F~C>[email protected]...\...B...h....G...h%Z..B.........>
G.0....3.l0...B.x,..c..b......6.....b#.{..."....;!.0. $,",'...........
B.a....$....nD>1..B.%.. .u.c...[.......!..\H..8R.i......D:C.!....d.
6...A.%...r.y;...4.:y...B..P.)..x..R@......\..R..jTS..5.*....Qk.m.....
8M.fN..E..h.h..F.y.C. :.nDw...%...J.a.Ez..=C.a..1..J...~...=. &.i..b.3
....z.9.c.;....._E..B.Z.Y....U........|.....WUG..jfj<5..r.j..jw...Y
.........../..i.5.4.4D....4.i..0.1....V.jY.Y.l....g..K.........34.5.4.
5Oj.r0.......q.pns>L...=E<e...)........%.*.j....A....N......H..c
......K....T.T.....S.L....Z.F.......;.....'...wNoD.......E......`...`.
.i.g.&..g..x.>j.k.h.4.k.m8ndn4.......1..k.l....x...$.d.I..}S.).4.t.
i..[3s....f-fC.Z.|.|.....L.O.E.5.7-I.\.t.....P '.T.j........z.u.4.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=573597, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 18:44:32 GMT

Expires: Mon, 12 Jan 2015 18:44:32 GMT

Date: Tue, 06 Jan 2015 03:25:05 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015010
5184432Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150105184432Z....20150112184432Z0...*.H........
.....P*........D..)..Ex/.......P?)...K...BJ..G..x. \2....6y....\..t..0
.1,y..S...{.....:..<... vn....&.$[.3...I...\ ...._.L..1@=cZ;..J....
w.o.]s.n.......F.3.....V...P..NA/......\... ..%.`[email protected]
pi..E....%w.Z:~.C............`..:...:....UE..x...x.......#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=518259, public, no-transform, must-revalidate

Last-Modified: Mon, 5 Jan 2015 03:19:06 GMT

Expires: Mon, 12 Jan 2015 03:19:06 GMT

Date: Tue, 06 Jan 2015 03:25:00 GMT

Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 C
ode Signing 2004 CA OCSP Responder..20150105031906Z0s0q0I0... ........
[email protected].!......Q...==d6|h.[x....7..`..........cV.!.....201501
05031906Z....20150112031906Z0...*.H..............S.X.....3d*L....._.u.
.M...U...#..kf.?yG$Z...g#..=.R.~..#...S=<.;..K..,.......G..%eUb..'.
..K.vBd..u8`..H..4..\..2.........1.....J........N.......'|....}.xq...9
Y..l.f.[..q)DfS%;.}I......tm>O;.......b.0..(DZ.....x{]..\[...%.D...
. ..NM........5..V.;t.l..2........0...0...0..{.........[..I|.....Zm..0
...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....Veri
Sign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/
rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000
000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA 
OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.
-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f
..;]s!.\"v...|....][email protected]. ..W....n..*
..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.
....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... 
.......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#
.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com
/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o
...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo.....
.E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=454286, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 09:34:14 GMT

Expires: Sun, 11 Jan 2015 09:34:14 GMT

Date: Tue, 06 Jan 2015 03:24:59 GMT

Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....2015010
4093414Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20150104093414Z....20150111093414Z0...*.H........
.........P.OK.w3.B.R..9_*..-....][\....5'.A.jL..=.OZ...|.......?..R..#
YB.6q|...'.P..G ..h...I.H9.`G.M.}..M...3.......p.."Ug....U...7.3.?....
...$.._Q.\_./.....|.L..[......gzO'.C..6.....B.sK.D..H[......iPI.... ..
.Xp.T.]..LR....R:.m.J..T...lDP..p....J..d./D.F....2....0...0...0..3...
..../...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign,
 Inc.1705..U....Class 3 Public Primary Certification Authority0...1412
02000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporatio
n1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1
 OCSP Responder Certificate 30.."0...*.H.............0..........'.....
.Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; )....
.0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|
o....S..v.).)[email protected]#qh...u1T.].G0.]E...=._.....
. ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0
c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......
0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .
....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H
......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D.....
......e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=502765, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 23:04:05 GMT

Expires: Sun, 11 Jan 2015 23:04:05 GMT

Date: Tue, 06 Jan 2015 03:24:59 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015010
4230405Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
..M.s.Q~...@?j.......20150104230405Z....20150111230405Z0...*.H........
........G..z./....,FS?..1..H.b*.!\..U.X)._...\d.V.....a.....). ......;
..9.pD.o4.....!...........5.O*....Gt...DM'...a.S../......<{;.Q#....
*..~g...p.._WB.:1.....~T....=.1...w'.p#*q..]$.NO..!..e5.`[email protected]. ..v
....~......F.....l.........3U..T...^p3.....q..i,RMX%&....#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>

POST /IDM2/?v=5.0&c=203781116 HTTP/1.1

Accept: */*

Host: os.mediacodeccdn.com

User-Agent: ICAS

Content-Length: 1230

Cache-Control: no-cache

0A0Czu0O1CtG0I1G2Z1P1C1T1R2Z1L2X1PtN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0W0VzuyCtFtCtN0W0S0PzutCtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzuyByEtDyByCzytN1L1B0A1Q1H1L1GzutCtN0T0KzuyCyCyDtAzytCtN0U0I0DzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0U0I0D0N1P2WzutDtDyDtDyDyCtBtCtDtCyByEtCtCyD0FtN0M0G0U0I0Dzu1RtDtAtBtB1T1R1QtGyD1PyD1QtGyEtB1OtDtG1StCyCtAtG1RyDzytC1P1PyC1O1OyD1SzytN0M0S0I0DzutBzzyDzztDtBtDzytAyDtGtBtCyDyCzyzytByDyDtDtGtAyCyDzztCtAtCzztDyEtN0S0I0D0U0I0Dzu0A0AyDzy0FtDyEyBzztDzytCtCzztByC0D0AtD0A0AzyyD0C0ByEzz0AtCtCyD0FtN0M0A0C1V0LzutDtDyDtDyDyCtBtCtDtCyByEtOtA0AtCzytBtFtCyCzztFtCtAzytFtCtAyDtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyDtDtCtDyCtDyDtCzyyEtAtCtCzztN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzuyCtAyCzyyCyBtN1L1Q1B1RzutBzztN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0CzyyByCtCtB1TyCyB1OyCtBtA1StCzz1R1TtC1S1SyByEtA1T1PtDtByBzztA1P1OtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyCtFtCtN0O0S0S0P0V1P1CzutCtN0O0S2VyCyEzutCtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutCtAzzyEtN0M1P1H0P1M0TzutBtDyEyBtN0M1P1H0V1L1C0AzutCzyyCyEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1Q1F2W1G1I1F1T1Q1V1H1T1G1T1N1P1C1VtB
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/html

Date: Tue, 06 Jan 2015 03:20:10 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-CITY: Kharkov

X-ICSCT-GICSET: global1367a

X-ICSCT-IP: 193.138.244.231

X-ICSCT-SERVER-NAME: ads.slave-eu-west-1a-f6897811

X-ICSCT-TIMESTAMP: 20150105222009158

X-ICSCT-VERSION: 1.2.5

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
1f30..7...(z..(yS)..$.^eG..-...{)....>pp...0c.(..2<F.d.....l....
xI....f.....s.......R....oS.`...M...CZ.....h....S...`/..P-...B'. ..m..
........c-..'..8......rs.D.....J.=p....=zWS.<[email protected](.1"
.s;.k.|B..g...U.i.Z*...Qg...!..o...C*....R.f.{[email protected].
.P.&.c..%.....s_..=..P O.... ...!.Z..c...L...... ...@R.... ...Ar.IM...
a..b....}...aR.j;,UE...L.N`..i.j./.t....Jm..KB.....O.Q.i.T.....o.E.4..
.tSx..!vu.:\|.Ak.#D ..Q^..@.. =G.O....o.4..X*..z.V........cx(.P.E..F..
......%..k.=.&........c.=1.<.t]F.~.arGSJ..l....]..~bJ}.f.k#.b..g...
....( .......i..P...^..fhg..X...M.x..*......0..*P.....!_A..E.....=..J?
7.F/R....77.P.. 9.F...ftg.......W..... )[email protected].....
.k...k.]@sW.....U.7.U....o.EA.w.W T..k..0...0k.`iS... ......*..[y....f
'.D..5.W...i..G!WW....{.....iQ.xw|.%.Z..*[.....o.VGv..ic:*?.sXY.vM ...
...I......W..M._!(.fM.f.... S"U.MQ.G,......-.....s.d,*.....ï.%A...7.
B..iU.#..........L_...8...g<...W.//...P02.vt..b..v....B...f......."
..8..[&..S.l....("..*_q........q....*.G...P...J.c....~..9.`R....i.4X..
l.)..A..../9.]dB.. ...W.......G.J.#\......!P...Pe{`.........H.9.3.....
2........D1.4.^.0......`.).2.......&...d..u..j(R....)_........`.!R...Q
..`....2K..j..|?!...!....RA...."...O......L..J.(..A......)h..u....cZ..
yQ7..bj.'.0H/.)...)[email protected]....).. 3...l...O..W...s.^.*.........I....
....$R......eV...Bz...}..%....y.P.."._..H......:.Y..w.......F.R.%],_..
.IJ........,.....r=C..~.|[email protected]\.G..".Jy...}....2)..N.2!...W
D..&..O......*o.<..-..GE.....!../h..........}J..z.... 'u..k.B..
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?1de102552581d208 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Tue, 06 Jan 2015 03:22:11 GMT

Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
[email protected]/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|[email protected].._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'[email protected]}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}[email protected]....
<<< skipped >>>

HEAD /distribution/?product=IDM2&channel=A004 HTTP/1.1

Accept: */*

Host: securefilesetup.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Tue, 06 Jan 2015 03:20:07 GMT

Content-Type: text/html

Connection: keep-alive

X-Powered-By: PHP/5.5.9-1ubuntu4.3

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Tue, 06 Jan 2015 03:20:07 GMT

Cache-Control: no-store, no-cache, must-revalidate, max-age=0

Location: hXXp://d27jwl8eflbzdd.cloudfront.net/IDMSQSetup.exe
HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Tue, 06 Jan 2015 
03:20:07 GMT..Content-Type: text/html..Connection: keep-alive..X-Power
ed-By: PHP/5.5.9-1ubuntu4.3..Expires: Mon, 26 Jul 1997 05:00:00 GMT..L
ast-Modified: Tue, 06 Jan 2015 03:20:07 GMT..Cache-Control: no-store, 
no-cache, must-revalidate, max-age=0..Location: hXXp://d27jwl8eflbzdd.
cloudfront.net/IDMSQSetup.exe..

GET /help/images/icon_question.gif?1406414609 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-2.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:38 GMT

Content-Type: image/gif

Content-Length: 68

Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT

Connection: keep-alive

ETag: "53d42f11-44"

Accept-Ranges: bytes
GIF89a.............!.......,.................O..R....fo.!G:[y.j....;HT
TP/1.1 200 OK..Server: nginx/1.6.0..Date: Tue, 06 Jan 2015 03:20:38 GM
T..Content-Type: image/gif..Content-Length: 68..Last-Modified: Sat, 26
 Jul 2014 22:43:29 GMT..Connection: keep-alive..ETag: "53d42f11-44"..A
ccept-Ranges: bytes..GIF89a.............!.......,.................O..R
....fo.!G:[y.j....;..

GET /?lt=0&uid=c0322acd-5e5d-42f0-b163-c591ee6ff5b9&ver=1.0&st=0 HTTP/1.1

Host: update.idmsq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 03:20:31 GMT

Server: Apache

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, max-age=0

Pragma: no-cache

Last-Modified: Tue, 06 Jan 2015 03:20:31 GMT

X-Powered-By: PleskLin

Vary: Accept-Encoding

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html
11..a=0&st=1420514431..0..

POST /?pcrc=1626022615&v=2.0 HTTP/1.1

Accept: */*

Host: rp.mediacodeccdn.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 768

Cache-Control: no-cache

...3E.Q)_l.y...Kw.t.cU..d...W..............?)...:iL
i.WpS.O_..eF#..2..pW;...=......Y....O..'........1...........#.B.yiZJNN.Q.%.9.G..g..............j.....A...7.w...Z.5..pB.o.^.R..).9{.FbQ..........x.
J.k..:....^.Cv.TV.......*nS.q8`..'......?].\..... .....&..D..7..d..R.......U......W.V..BBn&...e..0#...Ub..9....(......F'.y...x......b......K.=.x..j7>..S's.S...'ms8....!#....G0}G...N..........k.4.....py...Z?....o...U.e..P..M#..a..f.....pD.Ch...MY2vQ.',[email protected].)Yk..`C.4:....I.`.........n.'e.2KlwVm..~.._......&I.8....tSP0x..m-PxO..$..s.e..H.....p.F.Z.o....Z*... .S$SKW.
..w..~.e..m*p
.......E...<|2...X.2 ....x|.p`o.RQU.....W.....-.\.`}.i..`....g...1..t

.wt.r.."./....%Z.....Q~i....Lt.....R...

..<^....#,..N..j#;}
...bL....1-.......
..LYh
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Jan 2015 03:20:08 GMT

Server: TornadoServer/3.1.1

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Jan 2015 03:20:08 GMT..Server: TornadoServer/3.1.1..Content-Lengt
h: 4..Connection: keep-alive..DONE....


POST /?pcrc=433075020&v=2.0 HTTP/1.1

Accept: */*

Host: rp.mediacodeccdn.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 1840

Cache-Control: no-cache

.^.S...N)Tw?.G{&6...X._..C...

\...'

'

...Pw....u.agK.h.v..u1.. ....m.....P;...Ps.#?1.*.-O....g......)..&....}.g..E

}[....Y.lf..x../.X.h7e.&.<U`.le>..4...jG.Q.o....I .{;.N.>r.......C.<....K..1./..[{o..{i.
E....Y.L.j..>b..*A..6...#...-.X.f[Y..#..7.F=........u8..P1/.v.....1......N.....J.2Q....'./.q..R.1?...]]...}...2..c.T......vc>..fr.n8.H..0.K...B...Jk......u...}. .k.=.|J..Z..G..h..4.:.|^...V..~.`...
...

.{...]....<..... Nii.P.x..40..M.....]2...<.D..#.O..f.M.."<.i.q.....g....=..x...U.......z..|.z.(<.{

.... ...4............Q\.. a...5.._.G..X.J.(........x.....y......).dD.I..A.
...F.....C.._f?...5........s.6.I].T.l.......k..B.@]-T.d..~$..j..g...e......Jw*....TX ..Y.Sp1:....K.Z.\PW.....%.d...........9vD.z.^`..XFA......
.TB|..Mrv.....@b ...dqwqM..(.(.}<

p..Yv.."E.e ..........t.j^..x;:1.v[..>a...>_8.fF...?[....x.X.2.....%.6j4w..)R..[..'......'...J..t.r,m.......u.....

.......l}...?[C..}

....`....3...P......Jt..... .p'V..U...E.M.U .N..0'....I.X.[.

....s.....r...(...b...D......'[email protected]..'.P.x}.._..'...Q..K.B .?...r.H.;~yI....3..V\....1..t ..zNi. ...S.;V<..`..j.....~$.HJZ..}.....H.............p|..>.X.....-......%l...`....E?....J...^.>U9}..._.L....A...o.-c..L3.-.u..:....w......>f.7.<sPpFc.}...@. ...u. S.-..rj.g.k. Z

A.J.%.'.

.7....V|.$..7..r....HI.!l..g
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Jan 2015 03:20:25 GMT

Server: TornadoServer/3.1.1

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Jan 2015 03:20:25 GMT..Server: TornadoServer/3.1.1..Content-Lengt
h: 4..Connection: keep-alive..DONE....


POST /?pcrc=936244440&v=2.0 HTTP/1.1

Accept: */*

Host: rp.mediacodeccdn.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 1968

Cache-Control: no-cache

[email protected] k9J...~......VC...qF6.S..DZob(...T........n./.G.."._a.(..D....kR..G2.^..*..._5..Z.k?[.A.N..n..X.#.......HQ.?.{Mo..a...l.].?....U..,W..PN.:s..........-.\`.b$N...r....AzHXP......Kr.=0.\mc.|.V.9..m.......w(.D..{.. ..x....,fj.nW.La=By"~.....aAW...D...T.....d..Q>..,.S-.....}..Z..x..o.7[.b..!...x.2.E.Uk..j6.. [email protected]:P.......H:[email protected]..=(q.1....g....x...Vp..,b..^)P......u:....oy..=.\'.....-.h.....Q..$hu....3.^.

]U..y.Vnc9$...b.&g.z.u.;.z.' ..2.M*....A.....*._....StF.1....md:.....cQ....4M`{...

.m`..J...X/'v..e4........e.N..")-k..<..ny)V.S?..on.7.W3.!...X..=..$.Y/v....=l...5j....y.n.%..`.....0").jx;A?^..=.y.,.......s..(G.vj&`..K.!.Xn..J.!...C..... .b..~.q_^...)...._-~........=

V.....W.......'.).......
..gW. [email protected].*.M...w...zR.u..1.C.M...Z....fXw...U/.Lxc...!.'.N....>.3.f=L..-..J...r>.T7.4.>B....
..u)..?U.pis....,.8B.../%.L.g-.1..7...$..8.l^..j...5..`...^...Dw..\Gm.[

T.....s._.QV.

.%..u.(mz.....3R...*].j..C.x.....V.&..yh..53.t.{5..?...V.F..xtIB..Mn1pl..#.....5.8.r.......oPe~V..F...o.z. ;...7....W.1. .P.x..SRqbkG.=M..fR.F.....9>..8...'^@......K$/.W"..$.......?L.......5........L <a.F.....4.-..

..j'^ .bF......w4...o,.....u.&...y..U?.`.dd... ....h........o....w..S..[...Pa.........k\..ej.K.
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Tue, 06 Jan 2015 03:20:26 GMT

Server: TornadoServer/3.1.1

Content-Length: 4

Connection: keep-alive
DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Tue
, 06 Jan 2015 03:20:26 GMT..Server: TornadoServer/3.1.1..Content-Lengt
h: 4..Connection: keep-alive..DONE..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=496171, public, no-transform, must-revalidate

Last-Modified: Sun, 4 Jan 2015 21:14:33 GMT

Expires: Sun, 11 Jan 2015 21:14:33 GMT

Date: Tue, 06 Jan 2015 03:25:02 GMT

Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..2015010
4211433Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.l$.%t...............20150104211433Z....20150111211433Z0...*.H........
.....P.<...'A.!..?... .T T..0... .K... #.Z..X.@[email protected]...)`...z.fq
........L:T.........7.I....3.}.5&.b.c..DP....O...~....K....N....ny....
.`..Z....{...........f..n....j.h..A*...7T._.. .....q....6.5$|..=.....t
.)....,..B...8...*.O....SM6....VqP.....e...i7Y....Q-.....#0...0...0...
.......<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
..{(..t....2.Vf.....&;6).i*[email protected]._p.E.6.|.mk....(....
......p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.
}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....
(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
 by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT

Accept-Ranges: bytes

ETag: "88cab6f7ffcf1:0"

Server: Microsoft-IIS/8.5

VTag: 791163458000000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Tue, 06 Jan 2015 03:25:05 GMT

Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......W0... .....7......150210174206Z0.
..*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K.
.[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..
=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%
.b([email protected]... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..
-@...

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?adc9910f119f41ff HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Tue, 06 Jan 2015 03:21:40 GMT

Connection: keep-alive
HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Las
t-Modified: Thu, 03 Jul 2014 23:34:12 GMT..ETag: "0b2464b1797cf1:0"..C
ache-Control: max-age=86400..Date: Tue, 06 Jan 2015 03:21:40 GMT..Conn
ection: keep-alive..

GET /entp-tender-production/assets/bd864201dc8228151a1ff655edaffcb7721b9d5d/ff-1_normal.png?AWSAccessKeyId=AKIAISVUXXOK32ATONEQ&Expires=1420514736&Signature=ouX2S0I7SUs1Os2e2G20xF8N0YY= HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

DNT: 1

Connection: Keep-Alive

Host: s3.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: 9AXZaSlnKsefHVfUZAbIHQgf5f43Gnf1JO3jVAP492Ee0OWp8JNfa u/irqk3hWr

x-amz-request-id: 3C9AA0BAFBE64DA0

Date: Tue, 06 Jan 2015 03:20:37 GMT

Last-Modified: Fri, 27 Sep 2013 08:46:43 GMT

ETag: "b5c35d3f6f37a042358b026c145fdb05"

Accept-Ranges: bytes

Content-Type: image/png

Content-Length: 25209

Server: AmazonS3
.PNG........IHDR...>...2.....c..K...=iCCPicc..x..SgTS..=...BK...KoR
.. RB..Ti........@......"....q....."..A...y.(..(6T....}...7o....9g...}
>.F`.D....dJ.....<6..'w..T [email protected]@..n....8..
P.....$......B....2r.2..2....t...%..[.....j..;e.O..v.$....(S*.@..@&...
....X......`.(...s....`.....`....).d....`...S......GE...3.(...x.W\!.S.
...d....T.n!...\].x.87C.P.........ee......3...FvD.....9;.:;.8.:|......
.....?........E................e..../.....B..._......T.B.fg...k ..m.._
......_......................2..r<[&..q.?......wL..'..b.P.GK...i...
..$.I...H.........k.`.~..B[P...... ...%....w.......1...w..0....h......
................4P.6h.>.....#..;x....P..8X.BH.L.C.,.UP.%...B...Z..F
8.-p.........<.^...0.o`.A.2.DX.6b.."..#.Ef!~H0...!.H."E..Rd5R..#U.^
....9..E.!=.=...F~C>[email protected]...\...B...h....G...h%Z..B.........>
G.0....3.l0...B.x,..c..b......6.....b#.{..."....;!.0. $,",'...........
B.a....$....nD>1..B.%.. .u.c...[.......!..\H..8R.i......D:C.!....d.
6...A.%...r.y;...4.:y...B..P.)..x..R@......\..R..jTS..5.*....Qk.m.....
8M.fN..E..h.h..F.y.C. :.nDw...%...J.a.Ez..=C.a..1..J...~...=. &.i..b.3
....z.9.c.;....._E..B.Z.Y....U........|.....WUG..jfj<5..r.j..jw...Y
.........../..i.5.4.4D....4.i..0.1....V.jY.Y.l....g..K.........34.5.4.
5Oj.r0.......q.pns>L...=E<e...)........%.*.j....A....N......H..c
......K....T.T.....S.L....Z.F.......;.....'...wNoD.......E......`...`.
.i.g.&..g..x.>j.k.h.4.k.m8ndn4.......1..k.l....x...$.d.I..}S.).4.t.
i..[3s....f-fC.Z.|.|.....L.O.E.5.7-I.\.t.....P '.T.j........z.u.4.
<<< skipped >>>

GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAHevvgBk+xJc0C0AAQAAd68= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.msocsp.com

HTTP/1.1 200 OK

Date: Tue, 06 Jan 2015 03:21:41 GMT

Content-Type: application/ocsp-response

Content-Length: 1757

Connection: keep-alive

Set-Cookie: __cfduid=d3e4d66a64abaef43c4c8c2b866067c0c1420514501; expires=Wed, 06-Jan-16 03:21:41 GMT; path=/; domain=.msocsp.com; HttpOnly

Last-Modified: Mon, 05 Jan 2015 22:11:24 GMT

Expires: Sat, 10 Jan 2015 03:21:40 GMT

ETag: "6d85bb88c2d029b09b56acf4f73d710f2a5372c7"

Cache-Control: public, max-age=345599

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 1a44c970fac91577-FRA
0..........0..... .....0......0...0..........<.|[email protected]|..2015
0105221124Z0..0..0L0... ........&."f........{5.....t..Q.$&..h"W.& ;Fb.
{.....Z..w...d..\.-....w.....20150105221124Z....20150109221124Z."0 0..
. .....0......20140105221124Z0...*.H..............F......]..&zR.Tb....
.. [email protected].....%. ...e...2%..A.H(F.....F.#...W$.`&.././G
...=..<.X'A.}.....k..h.X.. .kR....._...{.....N.&3.X..e.!tD.Cp......
..M....iR.$Fv.e..&....`@.b1.....5\._g?>[email protected]..>.....H.;..2..
.-.f.'PSB.MI.^.f'o4.W..7..q.^.:.b.....0...0...0..........Z..~..M..<
ZYJ....~.0...*.H........0..1.0...U....US1.0...U....Washington1.0...U..
..Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft IT1.0...
U....Microsoft IT SSL SHA20...141229205745Z..150314205745Z0!1.0...U...
.Should be ignore by CA0.."0...*.H.............0...........&!(..$.K...
."=f....x.d.._s.....j....9`..l.Z..............^f..u......-e.&.bG.(i.Q.
..........bEy...^7A...A..c....CF-&...e.7..7F....."..w...y.:..`.w{~..D.
x*.......x3Os......q...... S.fB .ig.....L..3......4E..}..7...M....e ..
.6.M.O.....<5:......r.....]..A.5........0..0...U..........<.|7..
[email protected]|0...U.#..0...Q.$&..h"W.& ;Fb.{...0...U...........0...U.%..0.
.. .......0... .....7....0.0... .......0... .....0......0...*.H.......
...........sa....^`.U.h.....(c[..j.|. ..#....3.5.?..L.....Z....J......
*.w...w.$.z..Y.d.....l.....G#.....o.\t.......(.B =..P..T....0./P.....z
.3....L.O3....z...Wxo..~.OeH....c.i.@."..?d.......=v(.....m..LN..PP...
.<.}T.X......K.&e.S...|....% ...(F.=k..~.j..C......4.....c...._
<<< skipped >>>

HEAD /IDMSQSetup.exe HTTP/1.1

Accept: */*

Host: d27jwl8eflbzdd.cloudfront.net

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 11588088

Connection: keep-alive

Date: Mon, 27 Oct 2014 08:44:48 GMT

x-amz-meta-cb-modifiedtime: Wed, 30 Oct 2013 06:25:15 GMT

Cache-Control: public,max-age=31536000

Expires: Tue, 31 Dec 2019 20:00:00 GMT

Last-Modified: Sun, 08 Dec 2013 08:59:07 GMT

ETag: "a5db064b5a4b9af4b0dc812b59206859"

Accept-Ranges: bytes

Server: AmazonS3

Age: 6114921

X-Cache: Hit from cloudfront

Via: 1.1 aeb7836a7f4320ebda5a45c21ac97728.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Y2Djz-PjRpiLCt1T--DiAZAnpvybvvydSLiufYDL8XaeGCif180TVA==
....


GET /IDMSQSetup.exe HTTP/1.1

Range: bytes=0-11588087

Accept: */*

Host: d27jwl8eflbzdd.cloudfront.net

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 11588088

Connection: keep-alive

Date: Mon, 27 Oct 2014 08:44:48 GMT

x-amz-meta-cb-modifiedtime: Wed, 30 Oct 2013 06:25:15 GMT

Cache-Control: public,max-age=31536000

Expires: Tue, 31 Dec 2019 20:00:00 GMT

Last-Modified: Sun, 08 Dec 2013 08:59:07 GMT

ETag: "a5db064b5a4b9af4b0dc812b59206859"

Accept-Ranges: bytes

Server: AmazonS3

Age: 6114921

Content-Range: bytes 0-11588087/11588088

X-Cache: Hit from cloudfront

Via: 1.1 aeb7836a7f4320ebda5a45c21ac97728.cloudfront.net (CloudFront)

X-Amz-Cf-Id: wWTf0wJ5t35zxt71W21ASFh1MaEiqbnWhji8GYGoB2lnfGjwLqMfYA==
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
....................P......}5.......................................s.
.........P...............@............................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@[email protected]........
[email protected][email protected]
rc...P............v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>[email protected].>[email protected].
P.u...Pr@..}[email protected]... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected]@[email protected] [email protected]..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>

GET /help/images/icon_problem.gif?1406414609 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-2.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:38 GMT

Content-Type: image/gif

Content-Length: 75

Last-Modified: Sat, 26 Jul 2014 22:43:29 GMT

Connection: keep-alive

ETag: "53d42f11-4b"

Accept-Ranges: bytes
GIF89a.............!.......,.........."......Q`..Y..X..9.F).h^j(.....,
.A..;HTTP/1.1 200 OK..Server: nginx/1.6.0..Date: Tue, 06 Jan 2015 03:2
0:38 GMT..Content-Type: image/gif..Content-Length: 75..Last-Modified: 
Sat, 26 Jul 2014 22:43:29 GMT..Connection: keep-alive..ETag: "53d42f11
-4b"..Accept-Ranges: bytes..GIF89a.............!.......,.........."...
...Q`..Y..X..9.F).h^j(.....,.A..;..

GET /pkg/frontend.js?1418315495 HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Accept-Encoding: gzip, deflate

Host: asset-1.tenderapp.com

DNT: 1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Tue, 06 Jan 2015 03:20:36 GMT

Content-Type: application/javascript

Content-Length: 186743

Last-Modified: Thu, 11 Dec 2014 16:32:53 GMT

Connection: keep-alive

ETag: "5489c735-2d977"

Content-Encoding: gzip
....V..T.....v...0..>.XW..."...,.,....,j_l.....(..B.$...c......G...
...LD.^U.$_...c.Y.gddl..y....Ui9...?.?..p..^w9...xd....? .^XK...R2...%
..$....m..v....:..kg... {i.O.~...  ........lT`...........U{..........C
.Y;.x0.oy......vW .z=.....<.....Rw<{u..U.u.......u........=..8..
.$.w...R/^....c.}...<K.k9.2...........~..A.1U..rkR..%$|U....;....|1
[....4.........[.~...g..ya..b....p.9.C.&~.gs..Z..*..=..X...Y..v.......
?.._..Z./.....0.......^../.R2.e-..J..0......E..c......xQ...Ui<...r.
.....;`9...d..?X..........b.kg.Tf.....V`s.m.....x...s6.G.A\.I.=...d..V
iw..]#.X...>{}...y...Dg.e<8...I.....7...d.{:^mo...?.U..vKo......
t`..!......K.....(.d..>,....'s.|BX>.{.........Jk"C....S....-@M..
..........g]C....Q.....1..>V.KMf...x"......e..N<...]..'.....Q=..
....x.\...6tEKY....B.,.....y....E1c./L.]..s ;.J'.lq....L6?..p.n.....x[
.{.k.Y...6....M.j..U,g-...:.0c.Z.$...E.3}\.9......tJs\-.#w..57...M#r..
.T...po.J4..5A...A?.o`...C.....)..Qo..M...I...6[7.I.....9..(...62...f.
.e..m.......8...Nm..#.zCu..n.....{.z....B.7....Mm....r.iGas..n.&......
*[email protected]....&../.H%[email protected] ..........).
.2...6..o..Q#.n`......I.......U..].</}......B".-.s8.TG...].......k.
..W.Y.....B.AY..: ./.,4]..k.....0..,...._.o0.k...-.HT.K..\&aP....v...Z
.k. .. .l)Z 5N.....=..9Q..?Z..M...w...;...v...D##_....]..P....\......*
[email protected]..]U.g......fr.....|.Y...A..
.* .F.Ve.q.....].j..v..ln.....i...{X._....}.byI...cw.l.c..6........noc
..l.....w...{..w....U7u....y..w...(..:P."%.....Yb..v`..*.z...N....
<<< skipped >>>

GET /img/Global/Yes_Button_Hover.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:11 GMT

Content-Type: image/png

Content-Length: 1094

Connection: keep-alive

x-amz-id-2: giNcWkffGMeBPbzqJ3A4qLoJ/3DUKq/WwnIJ TfIq/8HoVOCvZxHLLcH0c0a8idC

x-amz-request-id: 9C304ECC593BAC7B

x-amz-meta-s3fox-filesize: 1094

x-amz-meta-s3fox-modifiedtime: 1380713503000

Last-Modified: Wed, 13 Nov 2013 16:12:44 GMT

x-amz-version-id: L9RQqPthtuNtMC55hxM9o_RZqWXqZtid

ETag: "aec475b9d6280598800f3ceafea4af8c"

Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:30B2AE2724EA11E392EFCCF1
BDECC388" xmpMM:DocumentID="xmp.did:30B2AE2824EA11E392EFCCF1BDECC388"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:30B2AE2524EA11E392
EFCCF1BDECC388" stRef:documentID="xmp.did:30B2AE2624EA11E392EFCCF1BDEC
C388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>. ,.....IDATx......0.E..D....@L.^L...!...2.
..........=.....vq?.H.l4[.v..d.S.l......x..W{=..k...L(..3.....k.s..3..
.K....B..P..B..P@(B...E(B..u.f4.3..)e..l9z.i.?o..7.7M.....%...y..$.:.t
A..K........S..^/......IEND.B`.....
<<< skipped >>>

GET /img/Global/No_Button.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:11 GMT

Content-Type: image/png

Content-Length: 1090

Connection: keep-alive

x-amz-id-2: 3FLmnXTj saFIYX7AXWeKRzu29XpVsmIRXYDA0uMdiUYfv6g7ohy15ES1znpDAdE

x-amz-request-id: A0D955BF9FB47FFD

x-amz-meta-s3fox-filesize: 1090

x-amz-meta-s3fox-modifiedtime: 1380713503002

Last-Modified: Wed, 13 Nov 2013 16:12:45 GMT

x-amz-version-id: H1gWa5fQ5azVvHrSdifdTj_fe_Q1czxc

ETag: "4462e7ebdf4a24f57b288fbca0602dea"

Accept-Ranges: bytes
.PNG........IHDR...T.........d.......tEXtSoftware.Adobe ImageReadyq.e&
lt;..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2D2B0E0124EA11E392EFCCF1
BDECC388" xmpMM:DocumentID="xmp.did:2D2B0E0224EA11E392EFCCF1BDECC388"&
gt; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2B97008A24EA11E392
EFCCF1BDECC388" stRef:documentID="xmp.did:2B97008B24EA11E392EFCCF1BDEC
C388"/> </rdf:Description> </rdf:RDF> </x:xmpmeta>
; <?xpacket end="r"?>...\....IDATx...1..1.E'A...J/ .*.....ZYne..
3....jR...!.#I1?.H..5..v..T.KSl...Rz...r.W.......m\|...C.'.`.#.f......
.A(B..P@(B...E(B...E(B.....f&Y:.j..-G......3.&...i...s.G.l.a;...%].j.V
.j.....h"..5.......IEND.B`.....
<<< skipped >>>

GET /img/Seniser/Seniser.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

.IDATx...u.\.....]..U.... n1..df..c.I&....g&.dB...O...8.c'f.!..B.[R...
.....S.w..w2s'sgr........:u..o...:G.........2...P....g..L...C..#...j..
..F..Kk..- K...........d.A.G,.....R.,.o.....g...63.F.P.G...T....$~Y..d
.....G.....P...."fU...LX......w#k...e\.....{.....M-.L...a...{N.[w..M_.
"....P.....1...a(.9.O..U.!C.O~.x:...3.68......9........^(.(._.......N.
.*M.T./.lR..5h.r.C..Ft>...2.@:-.../R........{.j5.....(.!.(. .E~..`.
..x-.}..l.........@..(O....T..b.y%....U(....,...".F@....../..*.4<.,
&e.L(-x.......x}S.2....*.....\.(.**..|.....6M..#1... ................c
....Z...,...B.O...??........_....I#[email protected]....].gX.~.{...;g..U..
.O......Q..g..'...Kj.^../.i4..H.bh....._4....yg$N..X"..`EJ.W.s..TV>
...P.).W~X.......V&..Q,..\*...r....3..W.v..4".X_.....-..th.....e..L1.K
.w.^.?5....w.OL{].x2o..2.U.Y...B-........3.o......a=....Yw..ZyS:..]...
8?.....R.=....t(...^..\.!.....L..B...G..C:.T....e.3.,.....r.\.R......d
. .....G<....J!... ...c.}B .\.t:...."-.z..... :UT:..m..3c.X4[./^...
....&.j.;.....[$.......Z.#F.L..%..C.\...H.V./........W..V..S._./>..
ps{...0...;h.....l.1v|lV18....s..LN f..........-F:;>G.....Y22p....U
.hE....-...Q^(h....22[....1:.I.D.P~m.M.VS.p.. ..J....V....H....[.f....
..F.u....<(..."./....,..E.B.^..xtEf.....e......m^.........2=.......
{VL.UT...R..<[email protected].>....d..}1..11..... .\....f..b...
.4.;..Z....L..jr.....k......x..OE.{79...a.{{v...EBmr!.....e@).s....p&l
t;.x...%z.o........C.^[email protected].~.........sA...>...S.
.U.RP:. R.....'K....'.?Ja........{..a2Q(=...I..GK)J-XK..x81..ZI.'.
<<< skipped >>>

GET /img/Malaromoro/bg2.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: img.mediacodeccdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Tue, 06 Jan 2015 03:20:13 GMT

Content-Type: image/jpeg

Content-Length: 59210

Connection: keep-alive

x-amz-id-2: PtSyzXg5oIf9ujNoRTApWcZMhSnUVzaHRFNnMd 75xnvQkrWkD3UfOEcVvpEjI2p

x-amz-request-id: 61073121C1DB10B6

x-amz-meta-cb-modifiedtime: Sun, 16 Mar 2014 10:17:54 GMT

Last-Modified: Sun, 16 Mar 2014 10:45:33 GMT

x-amz-version-id: JMXnkH_Q4w85o.RRxkVvr1HHBSYxTWbA

ETag: "3ca90bdb0184dba078b0e604eb239df0"

Accept-Ranges: bytes
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:345E81DDDAA9E3
11B383BEF54B638275" xmpMM:DocumentID="xmp.did:118EE61EAA0211E3A8EABD13
5B592C02" xmpMM:InstanceID="xmp.iid:118EE61DAA0211E3A8EABD135B592C02" 
xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:086B2D40FAA9E311A847ACF83C7EB2CA" stRef:
documentID="xmp.did:345E81DDDAA9E311B383BEF54B638275"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.......................0..............................................
...........................................!.1.A".Qa2..q...B#3..Rb...C
$45..r..cs%....S.DT....U..E&......................!1.A.Qa.q.."2......B
..Rb.#[email protected].*..b.,...]H.Z7
.|1.....v.4....M.....T.<.Q......z.....u9...\u.......M....r'.gW.hM.B
[email protected]..:.....:.s.......:...L..._..%nh6._........b)
<<< skipped >>>

The Malware connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

[email protected]

1onSecureLogin()

1urlChanged(const QString &)

lePassword

lblPassword

chkSecureLogin

leUrl

lblUrl

border-image: url(":/idmsq/Resources/btn-close-norm.png");

border-image: url(":/idmsq/Resources/btn-close-over.png");

border-image: url(":/idmsq/Resources/btn-close-down.png");

:/idmsq/Resources/dialog-logo.png

image: url(:/idmsq/Resources/chk-unchecked.png);

image: url(:/idmsq/Resources/chk-checked.png);

Password

Login to server

lblMsg

confirmExec

proxyPort

proxyPassword

startWithWindows

1fmtWindows()

*.avi *.wmv *.mkv *.mp4 *.mov *.flv *.mpg *.mpeg *.mp3 *.wav *.flac *.aac *.ogg *.wma

background-image: url(:/idmsq/Resources/tbl-bg.png);

border-image: url(:/idmsq/Resources/btn-arrow-down.png);

border-image: url(:/idmsq/Resources/btn-arrow-up.png);

:/idmsq/Resources/btn-wizard-convert.png

border-image: url(:/idmsq/Resources/btn-fmt-custom.png);

border-image: url(:/idmsq/Resources/btn-fmt-windows.png);

btnWindows

border-image: url(:/idmsq/Resources/btn-fmt-android.png);

border-image: url(:/idmsq/Resources/btn-fmt-apple.png);

border-image: url(:/idmsq/Resources/btn-fmt-mp3.png);

border-image: url(:/idmsq/Resources/btn-step3-norm.png);

border-image: url(:/idmsq/Resources/btn-step3-sel.png);

border-image: url(:/idmsq/Resources/btn-step3-over.png);

border-image: url(:/idmsq/Resources/btn-step3-dis.png);

border-image: url(:/idmsq/Resources/btn-step2-norm.png);

border-image: url(:/idmsq/Resources/btn-step2-sel.png);

border-image: url(:/idmsq/Resources/btn-step2-over.png);

border-image: url(:/idmsq/Resources/btn-step2-dis.png);

border-image: url(:/idmsq/Resources/btn-step1-norm.png);

border-image: url(:/idmsq/Resources/btn-step1-sel.png);

border-image: url(:/idmsq/Resources/btn-step1-over.png);

border-image: url(:/idmsq/Resources/btn-step1-dis.png);

background-image: url(:/idmsq/Resources/btn-browse.png);

background-image: url(:/idmsq/Resources/cb-bg.png);

image: url(:/idmsq/Resources/cb-dropdown-arrow.png);

boost::too_few_args: format-string referred to more arguments than were passed

boost::too_many_args: format-string referred to less arguments than were passed

%1, %2x%3, %4 Kbps, %5 fps

:/idmsq/Resources/progress-blue.png

:/idmsq/Resources/progress-grey.png

:/idmsq/Resources/progress-green.png

:/idmsq/Resources/progress-red.png

QSQLITE

1wotUrlChecked(const String &, bool, const String &)

2urlChecked(const String &, bool, const String &)

1vtUrlChecked(const String &, const VirusTotal::StringPairsList &, const String &)

2urlChecked(const String &, const VirusTotal::StringPairsList &, const String &)

:/idmsq/Resources/progress-scan.png

:/idmsq/Resources/progress-orange.png

2cmdAddTask()

2cmdResume()

2cmdPause()

2cmdDelete()

2cmdRetry()

extensions.enabledAddons

[email protected]

user_pref("%s"

%d:%d:%d.%d

background-color: #x;

2cmdAdd()

1cmdAddLib()

2cmdOpen()

2cmdLocate()

2cmdProcessFile(const QString &)

1cmdOpen()

1cmdPopup()

2cmdPopup()

1cmdAddTask()

1cmdSettings()

2cmdSettings()

1cmdHelp()

2cmdHelp()

1cmdLike()

2cmdLike()

1cmdExit()

2cmdExit()

1checkMirrorUrl()

border-image: url(:/idmsq/Resources/btn-tbl-norm.png);

border-image: url(:/idmsq/Resources/btn-tbl-down.png);

border-image: url(:/idmsq/Resources/btn-tbl-over.png);

border-image: url(:/idmsq/Resources/btn-tbl-dis.png);

border-image: url(:/idmsq/Resources/btn-thumb-norm.png);

border-image: url(:/idmsq/Resources/btn-thumb-down.png);

border-image: url(:/idmsq/Resources/btn-thumb-over.png);

border-image: url(:/idmsq/Resources/btn-thumb-dis.png);

:/idmsq/Resources/ico-speed.png

border-image: url(:/idmsq/Resources/bg-statusbar.png);

:/idmsq/Resources/btn-search-clear.png

:/idmsq/Resources/ico-converter.png

:/idmsq/Resources/ico-library.png

:/idmsq/Resources/ico-downloads.png

border-image: url(:/idmsq/Resources/btn-settings-norm.png);

border-image: url(:/idmsq/Resources/btn-settings-over.png);

border-image: url(:/idmsq/Resources/btn-settings-down.png);

border-image: url(:/idmsq/Resources/btn-settings-dis.png);

border-image: url(:/idmsq/Resources/btn-help-norm.png);

border-image: url(:/idmsq/Resources/btn-help-over.png);

border-image: url(:/idmsq/Resources/btn-help-down.png);

border-image: url(:/idmsq/Resources/btn-help-dis.png);

border-image: url(:/idmsq/Resources/btn-like-norm.png);

border-image: url(:/idmsq/Resources/btn-like-over.png);

border-image: url(:/idmsq/Resources/btn-like-down.png);

border-image: url(:/idmsq/Resources/btn-like-dis.png);

border-image: url(:/idmsq/Resources/btn-fb-norm.png);

border-image: url(:/idmsq/Resources/btn-fb-over.png);

border-image: url(:/idmsq/Resources/btn-fb-down.png);

border-image: url(:/idmsq/Resources/btn-fb-dis.png);

border-image: url(:/idmsq/Resources/btn-twit-norm.png);

border-image: url(:/idmsq/Resources/btn-twit-over.png);

border-image: url(:/idmsq/Resources/btn-twit-down.png);

border-image: url(:/idmsq/Resources/btn-twit-dis.png);

border-image: url(:/idmsq/Resources/btn-locate-norm.png);

border-image: url(:/idmsq/Resources/btn-locate-over.png);

border-image: url(:/idmsq/Resources/btn-locate-down.png);

border-image: url(:/idmsq/Resources/btn-locate-dis.png);

border-image: url(:/idmsq/Resources/btn-del-norm.png);

border-image: url(:/idmsq/Resources/btn-del-over.png);

border-image: url(:/idmsq/Resources/btn-del-down.png);

border-image: url(:/idmsq/Resources/btn-del-dis.png);

border-image: url(:/idmsq/Resources/btn-retry-norm.png);

border-image: url(:/idmsq/Resources/btn-retry-over.png);

border-image: url(:/idmsq/Resources/btn-retry-down.png);

border-image: url(:/idmsq/Resources/btn-retry-dis.png);

border-image: url(:/idmsq/Resources/btn-pause-norm.png);

border-image: url(:/idmsq/Resources/btn-pause-over.png);

border-image: url(:/idmsq/Resources/btn-pause-down.png);

border-image: url(:/idmsq/Resources/btn-pause-dis.png);

border-image: url(:/idmsq/Resources/btn-play-norm.png);

border-image: url(:/idmsq/Resources/btn-play-over.png);

border-image: url(:/idmsq/Resources/btn-play-down.png);

border-image: url(:/idmsq/Resources/btn-play-dis.png);

border-image: url(:/idmsq/Resources/btn-load-norm.png);

border-image: url(:/idmsq/Resources/btn-load-over.png);

border-image: url(:/idmsq/Resources/btn-load-down.png);

border-image: url(:/idmsq/Resources/btn-load-dis.png);

border-image: url(:/idmsq/Resources/btn-add-norm.png);

border-image: url(:/idmsq/Resources/btn-add-over.png);

border-image: url(:/idmsq/Resources/btn-add-down.png);

border-image: url(:/idmsq/Resources/btn-add-dis.png);

background-image: url(:/idmsq/Resources/btn-search.png);

background-image: url(:/idmsq/Resources/btn-search-clear.png);

border-image: url(:/idmsq/Resources/btn-scroll-down.png);

border-image: url(:/idmsq/Resources/btn-scroll-down-dis.png);

border-image: url(:/idmsq/Resources/btn-scroll-up.png);

border-image: url(:/idmsq/Resources/btn-scroll-up-dis.png);

border-image: url(:/idmsq/Resources/btn-scroll-right.png);

border-image: url(:/idmsq/Resources/btn-scroll-left.png);

%d/%d/%d

%1x%2

txt;pdf;rtf;doc;docx;sql;htm;html;js;php;asp;xml;ppt;pptx;pps;xls;xlsx;mht;csv;xlt

1cmdSortByName()

1cmdSortByDate()

1cmdSortBySize()

1cmdCopy()

1cmdRename()

1cmdConvert()

1cmdShareFacebook()

1cmdShareTwitter()

readVideoInfo: srcTime="%s", duration=%d

%dx%d

:/idmsq/Resources/btn-close.png

chkStartWithWindows

lblWindowsIntegration

lePort

lblPort

chkConfirmExec

image: url(:/idmsq/Resources/chk-disabled.png);

image: url(:/idmsq/Resources/sb-arrow-down.png);

image: url(:/idmsq/Resources/sb-arrow-down-dis.png);

image: url(:/idmsq/Resources/sb-arrow-up.png);

image: url(:/idmsq/Resources/sb-arrow-up-dis.png);

Start when Windows starts

Windows integration

Port

Confirm when running executables

Append .inc to incomplete files

:/idmsq/Resources/idm-tray.png

:/idmsq/Resources/idm-animation.png

:/idmsq/Resources/bg-notify-progress.png

hXXps://VVV.virustotal.com/vtapi/v2/file/report?apikey=966c703d751996bc87e4113c8723bc4990d0658a059ce23fa501c640354b4b43&resource=%1

1urlDownloaded(long)

hXXps://VVV.virustotal.com/vtapi/v2/url/report?apikey=966c703d751996bc87e4113c8723bc4990d0658a059ce23fa501c640354b4b43&allinfo=0&resource=%1

apikey= 966c703d751996bc87e4113c8723bc4990d0658a059ce23fa501c640354b4b43&url=%1

QPushButton {min-width: 100px;min-height: 25px;color: white;background-color: #x;}QPushButton:hover {background-color: #x;}QPushButton:pressed {background-color: #x;}

filename.exe

hXXps://api.mywot.com/0.4/public_link_json2?hosts=%1/&key=bb049b8dae1680564f976af7aabbc9450237bfb0

1urlDownloaded()

hXXp://VVV.mywot.com/en/scorecard/%1

hiTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:951FEBB015206811822AB3348DD09B6E" xmpMM:DocumentID="xmp.did:B43648F1CF6D11E2BD3ECE15428D4705" xmpMM:InstanceID="xmp.iid:B43648F0CF6D11E2BD3ECE15428D4705" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:951FEBB015206811822AB3348DD09B6E" stRef:documentID="xmp.did:951FEBB015206811822AB3348DD09B6E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

T*ÿf^

R,..ruu

XQ%c^

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:F54E182D24206811822A8AE91D017D25" xmpMM:DocumentID="xmp.did:51D46CA7CF8D11E2BD3ECE15428D4705" xmpMM:InstanceID="xmp.iid:51D46CA6CF8D11E2BD3ECE15428D4705" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E654BB9941206811822AB3348DD09B6E" stRef:documentID="xmp.did:F54E182D24206811822A8AE91D017D25"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

rhP%x

onSecureLogin()

urlChanged(QString)

fmtWindows()

url,path

cmdAddTask()

cmdResume()

cmdPause()

cmdDelete()

cmdRetry()

url,isSafe,urlInfo

wotUrlChecked(String,bool,String)

url,vtRes,urlInfo

vtUrlChecked(String,VirusTotal::StringPairsList,String)

path,vtRes,urlInfo,level

cmdOpen()

cmdPopup()

cmdAddLib()

cmdSettings()

cmdHelp()

cmdLike()

cmdExit()

checkMirrorUrl()

cmdAdd()

cmdLocate()

cmdProcessFile(QString)

cmdCopy()

cmdRename()

cmdSortByName()

cmdSortByDate()

cmdSortBySize()

cmdShareFacebook()

cmdShareTwitter()

cmdConvert()

UrlDownloader

path,vtRes,urlInfo

urlChecked(String,VirusTotal::StringPairsList,String)

urlDownloaded(long)

urlChecked(String,bool,String)

urlDownloaded()

handle_request: uri = %s, range = %I64i-%I64i

%s: %s

startStreaming %s

asio.misc

asio.misc error

HTTP/1.0 200 OK

HTTP/1.0 201 Created

HTTP/1.0 202 Accepted

HTTP/1.0 204 No Content

HTTP/1.0 206 Partial Content

HTTP/1.0 300 Multiple Choices

HTTP/1.0 301 Moved Permanently

HTTP/1.0 302 Moved Temporarily

HTTP/1.0 304 Not Modified

HTTP/1.0 400 Bad Request

HTTP/1.0 401 Unauthorized

HTTP/1.0 403 Forbidden

HTTP/1.0 404 Not Found

HTTP/1.0 500 Internal Server Error

HTTP/1.0 501 Not Implemented

HTTP/1.0 502 Bad Gateway

HTTP/1.0 503 Service Unavailable

thread.exit_event

thread.entry_event

Line %d, Column %d

??1QUrl@@QAE@XZ

?host@QUrl@@QBE?AVQString@@XZ

??0QUrl@@QAE@ABVQString@@@Z

?toPercentEncoding@QUrl@@SA?AVQByteArray@@ABVQString@@ABV2@1@Z

QtCore4.dll

?keyPressEvent@QDialog@@MAEXPAVQKeyEvent@@@Z

?keyReleaseEvent@QWidget@@MAEXPAVQKeyEvent@@@Z

1?setVerticalStretch@QSizePolicy@@QAEXE@Z

,?setHorizontalStretch@QSizePolicy@@QAEXE@Z

?keyPressEvent@QWidget@@MAEXPAVQKeyEvent@@@Z

;?winEvent@QWidget@@MAE_NPAUtagMSG@@PAJ@Z

?keyPressEvent@QLabel@@MAEXPAVQKeyEvent@@@Z

?keyPressEvent@QPushButton@@MAEXPAVQKeyEvent@@@Z

?keyReleaseEvent@QAbstractButton@@MAEXPAVQKeyEvent@@@Z

?keyPressEvent@QLineEdit@@MAEXPAVQKeyEvent@@@Z

?keyPressEvent@QAbstractButton@@MAEXPAVQKeyEvent@@@Z

?exec@QDialog@@QAEHXZ

?keyPressEvent@QMenu@@MAEXPAVQKeyEvent@@@Z

?exec@QMenu@@QAEPAVQAction@@ABVQPoint@@PAV2@@Z

?keyPressEvent@QAbstractItemView@@MAEXPAVQKeyEvent@@@Z

(;?viewportEvent@QHeaderView@@MAE_NPAVQEvent@@@Z

?keyboardSearch@QAbstractItemView@@UAEXABVQString@@@Z

!?moveCursor@QHeaderView@@MAE?AVQModelIndex@@W4CursorAction@QAbstractItemView@@V?$QFlags@W4KeyboardModifier@Qt@@@@@Z

)?selectedIndexes@QAbstractItemView@@MBE?AV?$QList@VQModelIndex@@@@XZ

??0QPen@@QAE@ABVQBrush@@NW4PenStyle@Qt@@W4PenCapStyle@3@W4PenJoinStyle@3@@Z

?key@QKeyEvent@@QBEHXZ

?exec@QApplication@@SAHXZ

?keyPressEvent@QAbstractSpinBox@@MAEXPAVQKeyEvent@@@Z

?keyReleaseEvent@QAbstractSpinBox@@MAEXPAVQKeyEvent@@@Z

?keyPressEvent@QComboBox@@MAEXPAVQKeyEvent@@@Z

?keyReleaseEvent@QComboBox@@MAEXPAVQKeyEvent@@@Z

$;?viewportEvent@QAbstractItemView@@MAE_NPAVQEvent@@@Z

!?moveCursor@QTableView@@MAE?AVQModelIndex@@W4CursorAction@QAbstractItemView@@V?$QFlags@W4KeyboardModifier@Qt@@@@@Z

)?selectedIndexes@QTableView@@MBE?AV?$QList@VQModelIndex@@@@XZ

5?supportedDropActions@QTableWidget@@MBE?AV?$QFlags@W4DropAction@Qt@@@@XZ

!?moveCursor@QListView@@MAE?AVQModelIndex@@W4CursorAction@QAbstractItemView@@V?$QFlags@W4KeyboardModifier@Qt@@@@@Z

)?selectedIndexes@QListView@@MBE?AV?$QList@VQModelIndex@@@@XZ

5?supportedDropActions@QListWidget@@MBE?AV?$QFlags@W4DropAction@Qt@@@@XZ

??1QKeySequence@@QAE@XZ

?addAction@QMenu@@QAEPAVQAction@@ABVQString@@PBVQObject@@PBDABVQKeySequence@@@Z

??0QKeySequence@@QAE@HHHH@Z

QtGui4.dll

?open@QSqlDatabase@@QAE_NXZ

?setDatabaseName@QSqlDatabase@@QAEXABVQString@@@Z

??1QSqlDatabase@@QAE@XZ

??4QSqlDatabase@@QAEAAV0@ABV0@@Z

?addDatabase@QSqlDatabase@@SA?AV1@ABVQString@@0@Z

?defaultConnection@QSqlDatabase@@2PADA

??1QSqlQuery@@QAE@XZ

?value@QSqlQuery@@QBE?AVQVariant@@H@Z

?next@QSqlQuery@@QAE_NXZ

?exec@QSqlDatabase@@QBE?AVQSqlQuery@@ABVQString@@@Z

??0QSqlDatabase@@QAE@XZ

?commit@QSqlDatabase@@QAE_NXZ

?transaction@QSqlDatabase@@QAE_NXZ

?exec@QSqlQuery@@QAE_NABVQString@@@Z

??0QSqlQuery@@QAE@VQSqlDatabase@@@Z

??0QSqlDatabase@@QAE@ABV0@@Z

??1QSqlError@@QAE@XZ

?text@QSqlError@@QBE?AVQString@@XZ

?lastError@QSqlQuery@@QBE?AVQSqlError@@XZ

?exec@QSqlQuery@@QAE_NXZ

?bindValue@QSqlQuery@@QAEXABVQString@@ABVQVariant@@V?$QFlags@W4ParamTypeFlag@QSql@@@@@Z

?prepare@QSqlQuery@@QAE_NABVQString@@@Z

??1QSqlRecord@@QAE@XZ

?value@QSqlRecord@@QBE?AVQVariant@@H@Z

?record@QSqlQuery@@QBE?AVQSqlRecord@@XZ

QtSql4.dll

CreateNamedPipeW

SetThreadExecutionState

CreateIoCompletionPort

KERNEL32.dll

EnumWindows

USER32.dll

GDI32.dll

RegCreateKeyA

RegCloseKey

RegCreateKeyW

RegOpenKeyExW

ADVAPI32.dll

ShellExecuteA

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

MSVCP90.dll

MSVCR90.dll

_amsg_exit

_acmdln

_crt_debugger_hook

InternetCrackUrlW

HttpSendRequestA

HttpAddRequestHeadersA

HttpOpenRequestW

HttpQueryInfoW

HttpSendRequestW

HttpAddRequestHeadersW

WININET.dll

VERSION.dll

gdiplus.dll

WINMM.dll

WS2_32.dll

MSWSOCK.dll

GetProcessHeap

.?AVHttpDownloader@@

.?AV?$sp_counted_impl_p@VHttpSection@@@detail@boost@@

.?AV?$sp_counted_impl_p@VUrlDownloader@@@detail@boost@@

.?AVUrlDownloader@@

.?AV?$typeid_wrapper@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@

.?AV?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@

.?AV?$service_base@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@

.?AV?$typeid_wrapper@V?$socket_acceptor_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@

.?AV?$typeid_wrapper@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@

.?AV?$socket_acceptor_service@Vtcp@ip@asio@boost@@@asio@boost@@

.?AV?$service_base@V?$socket_acceptor_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@

.?AV?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@

.?AV?$service_base@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@

.?AV?$sp_counted_impl_p@Vconnection@server@http@@@detail@boost@@

.?AV?$sp_counted_impl_p@V?$vector@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@V?$allocator@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@@std@@@std@@@detail@boost@@

Lavf55.11.101

kwVVV.

.IPF7

;;;"[[['

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>

7?8\879,:

1 1$1(1,10141

4_5

99Z9c9w9

6m6N6

11\1i1

6!7-7:7~7

2$303=3{3

4B4d4t4

7u7f7u7

2"2*2@2}2

365C5

6 6$6(6,6

1"111@1]1

6m6h6v6

2!2U2

=&=2=>=]=

6o6g6u6~6

9'939?9^9

3 3$3(3,3034383

0 0$0(0,0004080<0

0$080@0`0

4,484\4|4

7(747<7\7

? ?(?0?<?`?

, %dx%d

-stats -i "%s" -y "%s"

-stats -i "%s" -vn -ar 22050 -ac 1 -ab 96000 -y "%s"

-stats -i "%s" -vn -ar 44100 -ac 2 -ab 128000 -y "%s"

-stats -i "%s" -vn -ar 48000 -ac 2 -ab 192000 -y "%s"

-stats -i "%s" -vn -ar 48000 -ac 2 -ab 256000 -y "%s"

-stats -i "%s" -vn -ar 48000 -ac 2 -ab 320000 -y "%s"

-stats -i "%s" -strict experimental -vcodec libx264 -s 1280x720 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg4 -s 320x240 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec libx264 -s 320x240 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec libx264 -s 480x320 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec libx264 -s 960x640 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec libx264 -s 1024x726 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg4 -s 480x320 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg4 -s 640x480 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg4 -s 800x450 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg4 -s 854x480 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg4 -s 1024x600 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg4 -s 1280x800 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec libx264 -acodec aac -y "%s"

-stats -i "%s" -strict experimental -vcodec mpeg2video -acodec mp2 -y "%s"

-stats -i "%s" -strict experimental -vcodec wmv1 -acodec wmav2 -y "%s"

-stats -i "%s" -strict experimental -vcodec libxvid -acodec libmp3lame -y "%s"

-stats -i "%s" -strict experimental -vcodec libx264 -acodec libmp3lame -y "%s"

-stats -i "%s"

-y "%s"

Eidmsq.db

urlInfosMutex

urlTrackingMutex

urlSaveableMutex

Error parsing URL using InternetCrackUrl.

hXXps://

Error sending request using HttpOpenRequest.

Error sending request using HttpSendRequest.

i wrong content type "%s"

http/1.0

http/1.1

error creating file %s

hXXp://

%s: %s

gexe

http\shell\open\command

firefox

chrome

{3AA4FC9D-FB51-44A2-B09F-0457857CA7C2}

Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\

Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

prefs.js

\Google\Chrome\User Data\Default\Preferences

\\.\Pipe\RemoteExeAnon.x.x

ffmpeg.exe

%s %s

%s%s%s (%i)%s

hXXps://VVV.facebook.com/sharer/sharer.php?u=http://VVV.idmsq.com/&t=Next generation download accelerator and manager with built-in media manager and player and unparalleled security features

hXXp://help.idmsq.com

idmsq.dat

hXXp://update.idmsq.com/?lt=%s&uid=%s&ver=1.0&st=%s

hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-internet-explorer

hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-internet-explorer-11

hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-firefox

hXXp://help.idmsq.com/kb/browser-integration/how-to-enable-browser-integration-on-google-chrome

MirrorUrl

\StringFileInfo\xx\CompanyName

\StringFileInfo\xx\FileDescription

idmsq.log

mplayer\ffmpeg.exe

%s -i "%s" -an -ss %s -an -r 1 -vframes 1 -y "%s" -v 0

"%s" -i "%s" 2> "%s"

%.mp3

%sidmsqicon.%s

Software\Microsoft\Windows\CurrentVersion\Run

%i %s

%i %s, %i minutes

%i %s, %i seconds

%%0.%if %%s

IdmsqPlayer.exe

hXXps://VVV.virustotal.com/vtapi/v2/url/scan

1Content-Type: application/x-www-form-urlencoded

btn-close-down.png

btn-clear.png

btn-load-over.png

btn-settings-over.png

btn-pause-down.png

btn-play-norm.png

btn-step3-dis.png

btn-thumb-dis.png

btn-scroll-down.png

gbtn-fmt-custom.png

gbtn-step2-norm.png

ico-downloads.png

'btn-scroll-right.png

btn-arrow-up.png

'btn-close-over.png

gbtn-help-dis.png

btn-tbl-dis.png

btn-step2-over.png

'btn-scroll-up-dis.png

btn-step1-sel.png

gbtn-thumb-norm.png

btn-play-over.png

btn-help-norm.png

'cb-dropdown-arrow.png

idm-icon.png

Gbtn-fb-dis.png

btn-search-clear.png

gbtn-pause-norm.png

btn-add-norm.png

'btn-pause-dis.png

chk-checked.png

btn-tbl-norm.png

btn-step2-dis.png

btn-pause-over.png

btn-step3-over.png

btn-scroll-left.png

'sb-arrow-down-dis.png

'btn-play-down.png

btn-tbl-over.png

btn-load-norm.png

gbg-notify-progress.png

btn-retry-norm.png

'btn-load-down.png

gbtn-del-down.png

btn-locate-norm.png

Gprogress-green.png

ico-library.png

btn-twit-over.png

btn-settings-norm.png

'btn-arrow-down.png

'idm-tray.png

btn-scroll-down-dis.png

btn-twit-down.png

btn-thumb-over.png

gbtn-step1-norm.png

btn-conv-down.png

gbtn-play-dis.png

Gbg-statusbar.png

progress-blue.png

'btn-fmt-android.png

btn-scroll-up.png

Gbtn-fb-over.png

gbtn-wizard-convert.png

'btn-fb-norm.png

btn-settings-down.png

gbtn-add-down.png

btn-step1-over.png

chk-disabled.png

ico-converter.png

btn-step1-dis.png

'chk-unchecked.png

gbtn-load-dis.png

gbtn-twit-dis.png

'btn-search.png

sb-arrow-down.png

btn-settings-dis.png

btn-fmt-mp3.png

'btn-like-down.png

btn-fb-down.png

progress-orange.png

btn-locate-dis.png

'ico-speed.png

btn-twit-norm.png

btn-retry-over.png

btn-retry-dis.png

cb-bg.png

btn-step3-sel.png

btn-like-over.png

progress-scan.png

btn-locate-over.png

progress-red.png

gbtn-tbl-down.png

btn-thumb-down.png

tbl-bg.png

btn-del-dis.png

sb-arrow-up-dis.png

btn-del-over.png

sb-arrow-up.png

gbtn-step3-norm.png

btn-like-norm.png

btn-del-norm.png

Gbtn-fmt-apple.png

'btn-retry-down.png

Gbtn-close-norm.png

gbtn-conv-dis.png

gbtn-fmt-windows.png

btn-add-over.png

btn-locate-down.png

dialog-logo.png

btn-help-down.png

btn-step2-sel.png

btn-conv-norm.png

'progress-grey.png

btn-add-dis.png

gbtn-conv-over.png

gbtn-help-over.png

btn-browse.png

idm-animation.png

gbtn-like-dis.png

video/webm

youtube.com

asio-58CCDC44-6264-4842-90C2-F3C545CB8AA7-%u-%p

STR_URL "URL"

STR_SECLOGIN "Secure Login"

STR_PASSWORD "Password"

STR_LAUNCHEXE "Running this file type can potentially harm your computer, only run software from publishers you trust. Do you want to run this file?"

STR_SETAPPENDINC "Append .inc to incomplete files"

STR_SETCONFIRMEXEC "Confirm when running executables"

STR_SETPORT "Port"

STR_SETPASSW "Password"

STR_SETWINDOWSIN "Windows integration"

STR_SETSTARTWITHWIN "Start when Windows starts"

STR_WOTMSG "The site you are trying to access has a poor reputation based on user ratings. Do you still wish to download the file?"

STR_FILENOTEXISTMSG "The file %1 does not exists."

STR_AUTHMSG "Your request requires user authentication:"

STR_VTLOWMSG "This file might be legitimate software that displays unwanted ads. Do you wish to keep this file?"

STR_VTMIDMSG "This file might steal personal information, assert control over your computer or download other malicious code."

STR_VTHIGHMSG "This file might perform harmful activity on your computer, replicate itself into other system files, or spread across the net to perform various harmful activities."

STR_VTURLMSG "Do you wish to continue downloading from this site?"

STR_UPDMSG "A new version of IDM

STR_CRITUPDMSG "A new critical update of IDM

STR_UPDFAILMSG "In order to complete the update procedure you must grant the auto-updater Admin rights."

STR_UPDATEREADYMSG "Update is ready to install. Would you like to install it now?"

STR_EXTMSG "Internet Download Manager

STR_URL "URL"

STR_SECLOGIN "Secure Login"

STR_PASSWORD "Password"

STR_LAUNCHEXE "Running this file type can potentially harm your computer, only run software from publishers you trust. Do you want to run this file?"

STR_SETAPPENDINC "Append .inc to incomplete files"

STR_SETCONFIRMEXEC "Confirm when running executables"

STR_SETPORT "Port"

STR_SETPASSW "Password"

STR_SETWINDOWSIN "Windows integration"

STR_SETSTARTWITHWIN "Start when Windows starts"

STR_WOTMSG "The site you are trying to access has a poor reputation based on user ratings. Do you still wish to download the file?"

1 1&1,12170</A.E-I,L*O)Q(R'S%S$R#P"M!J F

$ ##"& )

G.WG\LWBQ38

G.GL.=#(3(WGQL.3=BLa.\

a.azL

(3(8###(.8#3

BL.WQ

.kGWB=.=

3.BQpau=\

..BGaQkGz(

8.QBfGzB

=.WGa3=

f3\LQQL8W.GB.L.=B#.

Q.WG3W8fWkBG

=.aaa=G

8=.Ga

88.Ba

=.aBW.

8#3(3(.#(

"$&(*,,.-..,*'%!

& 158;;<;963-)$

#$%%$%'())($

#)069961)"

!-5<>><850.*'&#!

(3:??>82*"

!0:@>7-"

%-4:<:8620/*$

"16641.*'#

`%U4J77;%;

40,;,F)R)U%U%Y

R!]0d;l?lCd?`7U,J%C

0%7)?,F,N)N%U!U

J!F%C)?)7!7

U%Y)],]0Y4R4J7F?FCNNYRdUlYoYoYo]l]h]d]d]dYdU`R`RYUUYR`UhYh`hdhdd]`U`J`C];];]?]?`?d?h4h0o)o)o)o,s0s4o7o7o7l0d,`,])U%N%F!C

4!7%7!4!4

4%4)7,7)7%;!?

;%C,J0J4F4C4;04444477?7F;F;F7C0C)?!?

R!N%N,N0J7F7?4?07070;7??CFFJJNFJCF;C7C4C0F0N0N4N4N4J4F4C4F4J4J0R0R,N)J%J%F!J%R%U%]!]

F%F)C0?0704,,))!)!)!)!%%!)!,

)!,%)%)%%!!

?!C!C!F%F%F)F)C,?,;,4),%%!!!!!%%0,4074;7744404,4)7%7%;%;);%;%?%?%?%?,C0F0J0J0J)J%F!J

%!%%%)!)

F!F!F%F!F!?!7

%!,%0%7)7);,704004,4)0%0!,

,!4%7););,;);%7!7

4%;%?)F)J%F

%%),,4,4)4)4,0,0,4,4)4)4%0!,

%!!%!,!4%7);%?%?!;

%!)%,)0)0)4%4%4!4!0!,!,%)%))%%%%!%!%

0!,%)%)%)%)%,%,%,%)!%!!

,!,!0!4!7

%!%!%!)!,%,!)!%

,!0%4)7)4%0!,!%

!!!%!)!,!,!)

,!,%,%,%)%%!%!%!)!)!)

IEXPLORE.EXE_1572:

.text

`.data

.idata

.rsrc

@.reloc

u\j.Xf9

j.Xf9

USER32.dll

api-ms-win-downlevel-shell32-l1-1-0.dll

IEFRAME.dll

SHELL32.dll

iexplore.pdb

api-ms-win-downlevel-shlwapi-l1-1-0.dll

iertutil.dll

api-ms-win-downlevel-advapi32-l1-1-0.dll

KERNEL32.dll

msvcrt.dll

_wcmdln

_amsg_exit

RegOpenKeyExW

RegCloseKey

<!-- Note: This manifest needs to be kept in sync with iexplore.exe.manifest -->

<assemblyIdentity version="5.1.0.0"

name="Microsoft.InternetExplorer"

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<!--The ID below indicates application support for Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

KEYW

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

imm32.dll

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

Kernel32.dll

"%s" %s

kernel32.dll

IEXPLORE.EXE

{00000000-0000-0000-0000-000000000000}

\\?\Volume

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Browseui_Tabs_Tearoff_BetweenWindows_TabProc

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

Shdocvw_BaseBrowser_FireEvent_BeforeScriptExecute

IMTravelLogMVC_TravelURL

10.00.9200.16521 (win8_gdr_soc_ie.130216-2100)

Windows

10.00.9200.16521

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   TPAutoConnSvc.exe:1776
   %original file name%.exe:3524
   cscript.exe:1552
   cscript.exe:3008
   1360DBCA_stp.EXE:3292
   idmsq.exe:964

2. Delete the original Malware file.
   
3. Delete or disinfect the following files created/modified by the Malware:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\FR.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\progress-bg2.png (978 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\progress-bg.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Button.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\checkbox.css (190 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A736A.log (16 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\Seniser[1].png (3740 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1824 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A278C.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Close.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Logo.png (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\DE.locale (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A7232.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\EN.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\bg1[1].jpg (16940 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\browse.css (337 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Progress.png (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\main.css (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\ProgressBar.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\button-bg.png (131 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A24FD.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROWYV75Q\No_Button_Hover[1].png (1 bytes)
   %Program Files% (x86)\is665359.log (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\progress-bar.css (506 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Yes_Button_Hover[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A7676.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\declineBG[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\ie6_main.css (2 bytes)
   C:\Users\"%CurrentUserName%"\Desktop\Continue Download Manager 2 Installation.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A255B.log (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ICReinstall_%original file name%.exe (1455 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\PT.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\sponsored.png (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\JA.locale (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\Neyayeneda_TopImg[1].png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\No_Button[1].png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\bootstrap_5221.html (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\783GTYVS\bg2[1].jpg (13577 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\RU.locale (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\csshover3.htc (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\locale\ES.locale (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Loader.gif (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Close_Hover.png (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\BG.png (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is857433578\1360DBCA_stp.EXE.part (1080 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\css\sdk-ui\button.css (417 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\000A275D.log (16 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ish664829\images\Button_Hover.png (1 bytes)
   C:\MININT\SMSOSD\OSDLOGS\BDD.log (5034 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\IDMSQ.lnk (1 bytes)
   C:\MININT\SMSOSD\OSDLOGS\Pin.log (5034 bytes)
   C:\MININT\SMSOSD\OSDLOGS\VARIABLES.DAT (765 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\IDMSQ.lnk (1 bytes)
   C:\Windows\System32\drivers\etc\hosts (43 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDMSQ\Website.lnk (1 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\avformat-54.dll (34365 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\unknown.xul (222 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\browser.js (3 bytes)
   C:\Windows\Fonts\Lato-Light.ttf (4992 bytes)
   %Program Files% (x86)\IDMSQ\idmsq.exe (76224 bytes)
   %Program Files% (x86)\IDMSQ\tag.dll (53394 bytes)
   C:\Windows\Fonts\Lato-Italic.ttf (4992 bytes)
   C:\Windows\Fonts\Lato-LightItalic.ttf (3312 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\avfilter-2.dll (20416 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\mplayer.exe (131772 bytes)
   C:\Windows\Fonts\Lato-Bold.ttf (4992 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\avutil-51.dll (8184 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\idmsq.png (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\META-INF\MANIFEST.MF (71 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\ZTIUtility.vbs (3616 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\ListVerbs.vbs (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\PinItem.vbs (12 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\avcodec-54.dll (231159 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\swresample-0.dll (1856 bytes)
   %Program Files% (x86)\IDMSQ\uninst.exe (4741 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\UnPin.wsf (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\WinShell.dll (7 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\Pin.wsf (6 bytes)
   %Program Files% (x86)\IDMSQ\imageformats\qgif4.dll (784 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\install.rdf (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\FindProcDLL.dll (816 bytes)
   %Program Files% (x86)\IDMSQ\Internet Download Manager².url (47 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\swscale-2.dll (10136 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\System.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\IDMSQ.crx (2392 bytes)
   %Program Files% (x86)\IDMSQ\imageformats\qjpeg4.dll (7192 bytes)
   %Program Files% (x86)\IDMSQ\imageformats\qtiff4.dll (10136 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\libiconv-2.dll (33455 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\defaults\preferences\prefs.js (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\Pin.cmd (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\UnPin.cmd (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome.manifest (315 bytes)
   %Program Files% (x86)\IDMSQ\sqldrivers\qsqlite4.dll (15168 bytes)
   C:\Windows\Fonts\Lato-Hairline.ttf (4992 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected] (945 bytes)
   %Program Files% (x86)\IDMSQ\IdmsqPlayer.exe (33391 bytes)
   %Program Files% (x86)\IDMSQ\QtGui4.dll (266044 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\ZTI-SpecialFolderLib.vbs (784 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E27.tmp (814378 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\avdevice-53.dll (784 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\mplayer\config (47 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDMSQ\Uninstall.lnk (986 bytes)
   %Program Files% (x86)\IDMSQ\QtCore4.dll (74461 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\FontName.dll (20 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsqext.dll (9573 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\modules\registry.jsm (1 bytes)
   C:\Windows\Fonts\Lato-BlackItalic.ttf (3616 bytes)
   C:\Windows\Fonts\Lato-Black.ttf (3616 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\libmp3lame-0.dll (12088 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\postproc-52.dll (4992 bytes)
   C:\Windows\Fonts\Lato-BoldItalic.ttf (4992 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\libx264-122.dll (35784 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\libpthread-2.dll (2392 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\browser.xul (226 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse5E28.tmp\nsExec.dll (14 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\ffmpeg.exe (8184 bytes)
   %Program Files% (x86)\IDMSQ\QtSql4.dll (6584 bytes)
   C:\Windows\Fonts\Lato-Regular.ttf (4992 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDMSQ\IDMSQ.lnk (980 bytes)
   C:\Windows\Fonts\Lato-HairlineItalic.ttf (3312 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\staged\[email protected]\chrome\content\unknown.js (5 bytes)
   %Program Files% (x86)\IDMSQ\mplayer\xvidcore.dll (25776 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsq.db (58 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\IDMSQ\idmsq.db-journal (3302 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "IDMSQ" = "%Program Files% (x86)\IDMSQ\idmsq.exe /startup"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.