SearchProtectToolbar_pcap_b86c719f93 – Adaware

Backdoor.Win32.Farfli.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)Behaviour: Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b86c719f93d86db71d4df0853d97214f

SHA1: 6fc83dae7b45585eb9a30ee3eb5e650e2b58bdc1

SHA256: dcebaec8d155f11d149bf6e0dff73ea22eb2f50f3164cf3eb2da3d9537278e1a

SSDeep: 6144:yz 92mhAMJ/cPl3iwbNozlx/LVXHSPF0MfK:yK2mhAMJ/cPlN 7VXL

Size: 212336 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-06-09 16:19:49

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wsmallstub.exe:472
%original file name%.exe:1560

The Backdoor injects its code into the following process(es):

DVD_Shrink_v3.2.0.15.exe:1596

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process DVD_Shrink_v3.2.0.15.exe:1596 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4357d65f-a22b-4e28-a57c-d632a6270d43[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp (45350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PS_searchprotect[1].json (32508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[2].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PCOptimumBoost[1].htm (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[2].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[2].htm (23341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PCOptimumBoost[1].html (1642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\994349[1].htm (24471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\icon.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[1].htm (27085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].htm (3611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1514591[1].htm (24993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\left_text[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AfterDawn[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\FDMClient.dll (8184 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PCOptimumBoost[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\BoxBgNew[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBG[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (0 bytes)

The process wsmallstub.exe:472 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe (3626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:1560 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_1980906 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (0 bytes)

Registry activity

The process DVD_Shrink_v3.2.0.15.exe:1596 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"WebBrowser_embedded.exe" = "6000"
"DVD_Shrink_v3.2.0.15.exe" = "6000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CachePrefix" = ":2014122320141224:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014122320141224\"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "DVD_Shrink_v3.2.0.15.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122320141224]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1330111199"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 14 22 3E 86 2C 8F 6D 34 A7 72 ED F2 93 3B 75"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wsmallstub.exe:472 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 EF B9 07 7A D3 E1 7C 95 32 4C FD 93 4A 8A B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1560 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 FE 43 F6 AE A3 FF F5 2F D3 25 98 AC A7 41 B3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"wsmallstub.exe" = "wsmallstub"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
7ce9c717ec8ff8d1c38d97d436189b53	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe
dd4b2762aa7ddc1314bbbdb42640aa20	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsaB4.tmp\FDMClient.dll
62008374a494afeea2ee2ae9eee4c8c0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsaB4.tmp\System.dll
07f09c1bf361f757675b77320a08506c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsaB4.tmp\manager\scripts\WebBrowser_embedded.exe
f64b71ab811b25b1cd2fe801449af25c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsaB4.tmp\webapphost.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
wsmallstub.exe:472
%original file name%.exe:1560
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4357d65f-a22b-4e28-a57c-d632a6270d43[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nonadwords_trip[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvB3.tmp (45350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PS_searchprotect[1].json (32508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[2].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PCOptimumBoost[1].htm (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[2].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[2].htm (23341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\PCOptimumBoost[1].html (1642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\994349[1].htm (24471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\icon.png (431 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1569870[1].htm (27085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1514591[1].htm (24993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\left_text[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AfterDawn[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB4.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe (3626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\icon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\stub_settings.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\wsmallstub.exe (2665 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: 1.3.9.0.140504.0
Product Version: 1.3.9.
Legal Copyright: (c) 2014 ClientConnect Ltd
Legal Trademarks:
Original Filename: DVD_Shrink_v3.2.0.15.ex
Internal Name: DVD_Shrink_v3.2.0.15.ex
File Version: 1.3.9.
File Description: Setup.ex
Comments:
Language: English (United States)

Company Name: Product Name: 1.3.9.0.140504.0Product Version: 1.3.9.Legal Copyright: (c) 2014 ClientConnect LtdLegal Trademarks: Original Filename: DVD_Shrink_v3.2.0.15.exInternal Name: DVD_Shrink_v3.2.0.15.exFile Version: 1.3.9.File Description: Setup.exComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	74526	74752	4.54396	a8692f5ba740240ef0f9a827376f76f9
.rdata	81920	7445	7680	3.46159	d4f36accffde0bf520f52486679ccf0d
.data	90112	96036	512	2.46008	b6c7edb5b7fec47a37a622cc5d71f3f4
.CRT	188416	32	512	0.273198	439411041ee0b8261668525c5c132cd9
.rsrc	192512	13724	13824	3.13935	d556d4d28805afa6f911bbd373c4a780

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 66
20a1cc1abdac40f46d8e0aede3c84cbc
dc4891503b7a98d07319c2771e79192e
6faf9d8d9870f3d635dd5406083a17ca
0e43ed0d51af206b106693caf2745067
8b1b8144955c45b2c5e02fa5e05eb775
c4b6804fb5135658e95cd815f9ed2e04
f28e8c7e0bc01fa20d5b3e0f3c5420e7
17e19aaa661c6398e57dfab2bb1aa2d6
47d258151bdc9531528031f19ad0cfc2
c6fb01478c983cdbb2b82def26947c5c
ebe47e79344483b09d65c55638001974
054e9f941c4d06da0e43c063e98714a9
0bc038c839581166a3d7443cfc7d2cfe
b1ac555dfc0bb4d9a64d912574fa0dde
fdaaf3213c83a24c4c209fb5e65c04b6
3d4e152e1ef3195e859ccd4c5cac4a05
0f796b8ee2a25a65488813a8bc9ee06f
b34f22d88e267d6c706ca0ce202fbcf7
87916029b9d43b3d64bc3d9dbb7e6d4c
98bf6d4e3671d2cd20f238794c2b277e
54fd2905b6a4e2ff46851e3ad3231fb1
7bfef502c6cf82fc066e3cad39f9a0e0
f559287308ba44036f2c9a0381837a52
c67ea61534ef16eefc56f02b60eba05d
8cd0313290e88f773d7fa186c1a103d1

Network Activity

URLs

URL	IP
hxxp://173.223.99.12/CmsThemes/Default/Images/X.png
hxxp://173.223.99.12/CmsThemes/Default/Images/-.png
hxxp://173.223.99.12///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg
hxxp://173.223.99.12/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://173.223.99.12/CmsThemes/Default/Images/button.png
hxxp://173.223.99.12/CmsThemes/Default/Images/CancelBG.png
hxxp://173.223.99.12/CmsThemes/Default/images/SmallLoader.gif
hxxp://173.223.99.12/CmsThemes/Default/Images/InstallationSuccessful.png
hxxp://engine.va.dmccint.com/DecisionEngine.ashx
hxxp://54.243.179.23/
hxxp://173.223.99.12/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://173.223.99.12/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://173.223.99.12/Js/jquery.dotdotdot.min.js?fid=1514591
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/X.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/-.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/button.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/CancelBGGoogleDialog.png
hxxp://a1128.g1.akamai.net/customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/CancelBG.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/NextButton_Sprite wide.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/images/SmallLoader.gif
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/CmsThemes/Default/Images/BoxBgNew.png
hxxp://a173-223-99-12.deploy.static.akamaitechnologies.com/Js/jquery.dotdotdot.min.js?fid=994349
hxxp://a1128.g1.akamai.net/customoffers/PC optimum boost/en/1/img/left_text.png
hxxp://e6652.g.akamaiedge.net/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
hxxp://a1128.g1.akamai.net/customoffers/customframeapi.js
hxxp://e6652.g.akamaiedge.net/LMS/PS_searchprotect/PS_searchprotect.json
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBG.png
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBGGoogleDialog.png
hxxp://cms.dmccint.com/CmsThemes/Default/Images/button.png
hxxp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://ude.databssint.com/
hxxp://cms.dmccint.com/CmsThemes/Default/Images/-.png
hxxp://dehosting.dmccint.com/customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie	184.84.243.32
hxxp://cms.dmccint.com/CmsThemes/Default/images/SmallLoader.gif
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=994349
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=1514591
hxxp://cms.dmccint.com/CmsThemes/Default/Images/BoxBgNew.png
hxxp://engine.dmccint.com/DecisionEngine.ashx	199.101.114.147
hxxp://cms.dmccint.com/CmsThemes/Default/Images/X.png
hxxp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie	23.9.119.70
hxxp://dehosting.dmccint.com/customoffers/customframeapi.js	184.84.243.32
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite wide.png
hxxp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None
hxxp://storage.stgbssint.com/LMS/PS_searchprotect/PS_searchprotect.json	23.9.119.70
hxxp://dehosting.dmccint.com/customoffers/PC optimum boost/en/1/img/left_text.png	184.84.243.32
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://cmsstorage.dmccint.com///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg
hxxp://cms.dmccint.com/CmsThemes/Default/Images/InstallationSuccessful.png

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 35920

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Thu, 21 Aug 2014 07:42:36 GMT

Accept-Ranges: bytes

ETag: "03ea67913bdcf1:528"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=86400

Expires: Wed, 24 Dec 2014 21:04:19 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

...............7.(._.^...Lk..".......QlY....e.%..f...H.*.d&....\......s3k......8...d".@..CI..3k..b./..........>.>.....^<.\.M:x..g_>{<..ON.{......'...x......d....2QI..........70.. ...........8/.O^}sr.@O...<V...J..3......Y)z..~..''.E.....7R...|,..%oD.8..........K....7.JO....(..;.>.#.S.J...'.....M.@..SrY..s..N....o..|.j`.'....]......!..._}..|..4........2.K..l.S<./d.c^n....".\.\]q........E.J..M\\&Y4.n..*...k.CS..W..N&.>}#..,..8N..,.\.. ..4.).......L6.w.y..E....q...D./.4..%.._S..x-.r.*...k>.......u...../U.F....z[.\....F..Jv.A.;l..........(?x....|......%...M...,.w...A0.......-.!..........b..I.(H.JV .M.. .\^)l.......j.IFE.8eB......}.\..4..L......'.......?.......A......D.dW.......5......E~.,..U.QX..?..f..A..o..a....2OwJN]b*....'.o{c.....`.Q..*6_?J.Lc`&.4.5j...x...]Q.E......alG..b0..-.<..?...BB..w....o\...~8.gza2..|...h..@... vP..G.<z.Q...NV...8.3....E..V.......S..%.....[.o...x._.p)..L..P.C.........1..u?XBm...o.......f........{..0.05C.A..NX.N.).<E..`M....'...t0~PN..V..g...m4...o.%I.I. ...A..S.N...7.....m...N.WI.3....oi....F.-..a.e|.....v...E.X.3.V ..w!.n*[..|....u....q...x....]....Uk.....~.-:...m.\..q..d....e!ev.......?H...............~]...{.xp).x..0>.".S/...u._.c.N.=b.........G..*)D...%.O@.q..t2.$.....A.......0....t.}..7N2d.n....g..N(..~.I....H....... `.[.....S.&.?lo...`=.....\.<....N{[...4...] `..}n.,.....i...6[.eE...]?.D..[....a=|..}.[(.._@!"..C.~.Q.w...\.|.t....q".o!....R'1sG....z..2..M^.n'...`...Nz'.....!..6... v....,.S\.R.}b.?&.....,.....ep..........dL.L>.{G...!...

<<< skipped >>>

GET /LMS/PS_searchprotect/PS_searchprotect.json HTTP/1.1

x-requested-with: XMLHttpRequest

Accept-Language: en-us

Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie#cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept: application/json, text/javascript, */*; q=0.01

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 250005

Content-Type: application/json

Last-Modified: Wed, 17 Dec 2014 11:45:53 GMT

Accept-Ranges: bytes

ETag: "a8cc23ef19d01:ded"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=7200

Expires: Tue, 23 Dec 2014 23:04:20 GMT

Date: Tue, 23 Dec 2014 21:04:20 GMT

Connection: keep-alive

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

{"Product":"PS_SearchProtect","LastUpdate":1345880,"Translations":{"ar":{"Keys":{"@@AcceptAndInstallButton@@":{"Text":"\u0623\u0648\u0627\u0641\u0642 & \u0648\u0642\u0645 \u0628\u0627\u0644\u062a\u062b\u0628\u064a\u062a"},"@@Body_text_1st_paragraph@@":{"Text":"\u064a\u064f\u0631\u062c\u0649 \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0648\u0627\u0644\u0634\u0631\u0648\u0637 \u0627\u0644\u0647\u0627\u0645\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0642\u0628\u0644 \u0627\u0644\u0645\u062a\u0627\u0628\u0639\u0629."},"@@Body_text_1st_paragraph_2@@":{"Text":"\u0643\u062c\u0632\u0621 \u0645\u0646 \u062a\u062b\u0628\u064a\u062a \u0627\u0644\u0628\u0631\u0646\u0627\u0645\u062c\u060c \u064a\u0645\u0643\u0646\u0643 \u0623\u064a\u0636\u064b\u0627 \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u064a\u0632\u0629 \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0628\u062d\u062b. \u064a\u064f\u0631\u062c\u0649 \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0648\u0627\u0644\u0634\u0631\u0648\u0637 \u0642\u0628\u0644 \u0627\u0644\u0627\u0633\u062a\u0645\u0631\u0627\u0631."},"@@Body_text_2nd_paragraph@@":{"Text":"\u0642\u0645 \u0628\u062a\u062b\u0628\u064a\u062a \u0645\u064a\u0632\u0629 \u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0628\u062d\u062b \u0644\u062a\u0639\u064a\u064a\u0646 \u0627\u0644\u0635\u0641\u062d\u0629 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629 \u0648\u0627\u0644\u0628\u062d\u062b \u0627\u0644\u0627\u

<<< skipped >>>

GET ///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Tue, 21 Jan 2014 10:18:01 GMT

If-None-Match: "9024a8109216cf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Tue, 21 Jan 2014 10:18:01 GMT

ETag: "9024a8109216cf1:0"

Cache-Control: private, max-age=10243

Expires: Tue, 23 Dec 2014 23:55:01 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "caa5998c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "caa5998c6fd01:0"

Cache-Control: private, max-age=8122

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

....

GET /DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 174709

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 02:04:18 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

....<!doctype html>............<head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <meta charset="utf-8" />.. .. <title>installation</title>.. <style>./* =============================================================================.. HTML5 Boilerplate CSS: h5bp.com/css.. ========================================================================== */..article, aside, details, figcaption, figure, footer, header, hgroup, nav, section { display: block; }..audio, canvas, video { display: inline-block; *display: inline; *zoom: 1; }..audio:not([controls]) { display: none; }..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, select, textarea { font-family: sans-serif; color: #222; }..body { margin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-shadow: none; }..::selection { text-shadow: none; }..a { color: #00e; outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..a:focus { outline: none ; }..a:hover, a:active { outline: none;border: none; }...ie7 a:focus, *:focus {.. noFocusLine: expression(th

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "d0643b44c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "ce177098c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1504

Cache-Control: private, max-age=8115

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

GIF89a.........................v.....5..d..e..........................{......................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="A5EDB964567077337C8E54A0BBE35981" xmpMM:DocumentID="xmp.did:861DE9F12C2811E484A994AD54106D49" xmpMM:InstanceID="xmp.iid:861DE9F02C2811E484A994AD54106D49" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:df987947-01f7-4167-b08b-2878b7f29ca6" stRef:documentID="adobe:docid:photoshop:b746f760-73f3-1177-8ee4-c7825aacab4e"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,..........D`28Ga\.PA.......e3..L.UU:....Q..XCh.(...-.Z.....v..v._0\Q.J'.a.z.....!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G..@.d. J.C.d4.N. .J'.b.2...!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "0c67198c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "0c67198c6fd01:0"

Cache-Control: private, max-age=9260

Expires: Tue, 23 Dec 2014 23:38:39 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8115

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "98a6d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "98a6d98c6fd01:0"

Cache-Control: private, max-age=8769

Expires: Tue, 23 Dec 2014 23:30:28 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ce177098c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ce177098c6fd01:0"

Cache-Control: private, max-age=8115

Expires: Tue, 23 Dec 2014 23:19:34 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

....

GET /DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 174715

Cache-Control: private, max-age=18000

Expires: Wed, 24 Dec 2014 02:04:18 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1514591 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=9336

Expires: Tue, 23 Dec 2014 23:39:54 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

/*. *.jQuery dotdotdot 1.6.16. *. *.Copyright (c) Fred Heusschen. *.www.frebsite.nl. *. *.Plugin website:. *.dotdotdot.frebsite.nl. *. *.Dual licensed under the MIT and GPL licenses.. *.hXXp://en.wikipedia.org/wiki/MIT_License. *.hXXp://en.wikipedia.org/wiki/GNU_General_Public_License. */.!function(t,e){function n(t,e,n){var r=t.children(),o=!1;t.empty();for(var i=0,d=r.length;d>i;i ){var l=r.eq(i);if(t.append(l),n&&t.append(n),a(t,e)){l.remove(),o=!0;break}n&&n.detach()}return o}function r(e,n,i,d,l){var s=!1,c="table, thead, tbody, tfoot, tr, col, colgroup, object, embed, param, ol, ul, dl, blockquote, select, optgroup, option, textarea, script, style",u="script, .dotdotdot-keep";return e.contents().detach().each(function(){var f=this,h=t(f);if("undefined"==typeof f||3==f.nodeType&&0==t.trim(f.data).length)return!0;if(h.is(u))e.append(h);else{if(s)return!0;e.append(h),l&&e[e.is(c)?"after":"append"](l),a(i,d)&&(s=3==f.nodeType?o(h,n,i,d,l):r(h,n,i,d,l),s||(h.detach(),s=!0)),s||l&&l.detach()}}),s}function o(e,n,r,o,d){var c=e[0];if(!c)return!1;var f=s(c),h=-1!==f.indexOf(" ")?" ":"...",p="letter"==o.wrap?"":h,g=f.split(p),v=-1,w=-1,b=0,y=g.length-1;for(o.fallbackToLetter&&0==b&&0==y&&(p="",g=f.split(p),y=g.length-1);y>=b&&(0!=b||0!=y);){var m=Math.floor((b y)/2);if(m==w)break;w=m,l(c,g.slice(0,w 1).join(p) o.ellipsis),a(r,o)?(y=w,o.fallbackToLetter&&0==b&&0==y&&(p="",g=g[0].split(p),v=-1,w=-1,b=0,y=g.length-1)):(v=w,b=w)}if(-1==v||1==g.length&&0==g[0].length){var x=e.parent();e.detach();var T=d&&d.closes

<<< skipped >>>

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "0c67198c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "0c67198c6fd01:0"

Cache-Control: private, max-age=8974

Expires: Tue, 23 Dec 2014 23:33:52 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8763

Expires: Tue, 23 Dec 2014 23:30:21 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8764

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6f33944c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6f33944c6fd01:0"

Cache-Control: private, max-age=9330

Expires: Tue, 23 Dec 2014 23:39:48 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "e8b65c98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6035

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:28 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

.PNG........IHDR...J...1.............sRGB.........gAMA......a.....pHYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:257C616565E511E1B1E4ACFCC563EDC8" xmpMM:DocumentID="xmp.did:257C616665E511E1B1E4ACFCC563EDC8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:257C616365E511E1B1E4ACFCC563EDC8" stRef:documentID="xmp.did:257C616465E511E1B1E4ACFCC563EDC8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...P....IDATx^...N....P...L.).A(...A."1...$<rcK...r....] .E. 8.^..[......o........ @.7.u&... @......(J..... @...'...^z....puu5...c........cmmm:.#@.......g......{..u>|.0.....?~.......i..........(JQ^... @....,p......pyy9lnn.....1_z./....^;..... @`...x....v:nnn....aooo..(J..I...SI...W.....F.......u..OBz.(.%i>.....*........ @.............p}}=lmmMg.......O.9...../&@..............|.m.@............79.....8..... . .8.t||<.A.[.|Vi>.4~}..%g.z.... @...6......J....F..l.........y".W....\..O.-?t..N..... @`...o..K.|.m,J.1.%..V..!-..... .........

<<< skipped >>>

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "caa5998c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

Accept-Ranges: bytes

ETag: "c8592844c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2726

Cache-Control: private, max-age=8621

Expires: Tue, 23 Dec 2014 23:27:59 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

.PNG........IHDR...>.........$.=.....sRGB.........gAMA......a.....pHYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:257C616565E511E1B1E4ACFCC563EDC8" xmpMM:DocumentID="xmp.did:257C616665E511E1B1E4ACFCC563EDC8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:257C616365E511E1B1E4ACFCC563EDC8" stRef:documentID="xmp.did:257C616465E511E1B1E4ACFCC563EDC8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...P....IDATx^...N#K.....%.@.......B.D..$`.3U..j.3.h0..%m..E.iW.'........ ..?.......<<<.......V..i..d...`....S......v... ....S.Y.....r.._677...F..>=~....8z.....yyy)......`~r.>u.s{{...............Y.>5z.......!|....l6 [[[-z..x.........j...o{j..................EN...O..:..#....2....O......S.Y.?.......S.g.>..]b..X75eV]s....!|.//...#|........S..........j!|...........j....\u...:'''.....;;;C.........UM...O...?OOO..........F...?.W...U....X.............%v....O..!|..../X.4.....!|.......!|.......!|.......!|.......!|.......!|.......!|

<<< skipped >>>

GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "98a6d98c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2779

Cache-Control: private, max-age=8132

Expires: Tue, 23 Dec 2014 23:19:50 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

.PNG........IHDR.......}........R....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:72B2EB22C3E111E3AEC3EB792256C508" xmpMM:DocumentID="xmp.did:72B2EB23C3E111E3AEC3EB792256C508"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72B2EB20C3E111E3AEC3EB792256C508" stRef:documentID="xmp.did:72B2EB21C3E111E3AEC3EB792256C508"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.x.I...MIDATx....k]i...s..i..j....n.bq.2.c.Zq....("..A......tQ.S..8. h..af1.....f3.XZ.J[.T.i3.Mnnn.9..7..L.].C.......dw6_....v..y=E=y...P.)........s..........#UU.8_.4A..k.Vk...{..........b......w....,.E./.3.@..e....G..];z......f....34...v[...H1....g......'.......bss.H......699y...^..0...TU....h.V ..x.sOL.?r..@JYX...:4...$...?!.@.. .B......t&.H3.KM..d.... ..... ..... .&(..H6..C.H5..C....@...T.... ..... ..... .&(..H6..C.H5..C.H...A.. ..............4B0....,g....,..n..;......G.|r........r.1..o..b..........mp.)...B.u....l......../.\..`~~......P...C{.... ..Fh.W/].t....7..N,.1....'..D..z..c.......

<<< skipped >>>

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "524e5698c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

Accept-Ranges: bytes

ETag: "6972344c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 5182

Cache-Control: private, max-age=9334

Expires: Tue, 23 Dec 2014 23:39:53 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

.PNG........IHDR...[...G......9......pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=994349 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Last-Modified: Thu, 04 Dec 2014 13:31:23 GMT

Accept-Ranges: bytes

ETag: "be63c598c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 6149

Cache-Control: private, max-age=10976

Expires: Wed, 24 Dec 2014 00:07:15 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8762

Expires: Tue, 23 Dec 2014 23:30:21 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6f33944c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6f33944c6fd01:0"

Cache-Control: private, max-age=9329

Expires: Tue, 23 Dec 2014 23:39:48 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "e8b65c98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "e8b65c98c6fd01:0"

Cache-Control: private, max-age=8769

Expires: Tue, 23 Dec 2014 23:30:28 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "c8592844c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "c8592844c6fd01:0"

Cache-Control: private, max-age=8620

Expires: Tue, 23 Dec 2014 23:27:59 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6972344c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6972344c6fd01:0"

Cache-Control: private, max-age=9334

Expires: Tue, 23 Dec 2014 23:39:53 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

POST /DecisionEngine.ashx HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: engine.dmccint.com

Content-Length: 2509

Connection: Keep-Alive

Cache-Control: no-cache

<OFFER_REQUEST><COMPLETE_COMMAND_LINE>false</COMPLETE_COMMAND_LINE><USER_PROFILE><PUBLISHER_ID_NUM>244</PUBLISHER_ID_NUM><SESSION_ID><![CDATA[49deca54-7b41-4951-ba0d-e55cf038edeb]]></SESSION_ID><TRACKING_ID><![CDATA[]]></TRACKING_ID><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DMVersion</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>1.4.0.4.141214.03</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultBrowser</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>IE</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>CurrentToolbar</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>Homepage</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[about:blank]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultSearch</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USE

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/xml; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Tue, 23 Dec 2014 21:04:16 GMT

Content-Length: 11519

...<OFFER_RESPONSE><MAIN_OFFER><OFFER_ID>1572961</OFFER_ID><OFFER_NAME>DVD Shrink v3.2.0.15</OFFER_NAME><OFFER_URL>no_dynamic_main_offer_url_supported_in_this_version</OFFER_URL><OFFER_DESCRIPTION /><OFFER_INSTALL_CMD><OFFER_ID>1572961</OFFER_ID><OFFER_STATE>default</OFFER_STATE><DOWNLOAD_URL>hXXp://VVV.afterdawn.com/software/general/download.cfm?version_id=1421&installer_download=1&perion=1</DOWNLOAD_URL><INSTALL_COMMAND_LINE /></OFFER_INSTALL_CMD><INSTALLATION_TYPE>1</INSTALLATION_TYPE><PRODUCT_ID /><PRODUCT_TYPE>Publisher's Offer</PRODUCT_TYPE><PRODUCT_VERSION /><ROOT_OFFER_ID>1572961</ROOT_OFFER_ID><DOWNLOAD_URL>hXXp://VVV.afterdawn.com/software/general/download.cfm?version_id=1421&installer_download=1&perion=1</DOWNLOAD_URL><OFFER_FILE_NAME /><DOWNLOAD_BACKUP_URL>http://VVV.afterdawn.com/software/general/download.cfm?version_id=1421&installer_download=1&perion=1</DOWNLOAD_BACKUP_URL><CONDITION_TYPE>None</CONDITION_TYPE><TOTAL_STEPS>1</TOTAL_STEPS><SOFTWARE_PRODUCT_VERSION /><ANTI_OFFER /><SUCCESS_CODE /><INSTALLATION_UI_ELEMENTS><UI_ELEMENT><NAME>DownloadBrowser</NAME><VALUE>IE</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>CType</NAME><VALUE>-1</VALUE></UI_ELEMENT><UI_ELEMENT><NAME

<<< skipped >>>

GET ///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Tue, 21 Jan 2014 10:18:01 GMT

If-None-Match: "9024a8109216cf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Tue, 21 Jan 2014 10:18:01 GMT

ETag: "9024a8109216cf1:0"

Cache-Control: private, max-age=10250

Expires: Tue, 23 Dec 2014 23:55:01 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive

....

GET ///img/Logos/r_f2/r_92/4357d65f-a22b-4e28-a57c-d632a6270d43.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/994349/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Tue, 21 Jan 2014 10:18:01 GMT

If-None-Match: "9024a8109216cf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Tue, 21 Jan 2014 10:18:01 GMT

ETag: "9024a8109216cf1:0"

Cache-Control: private, max-age=10242

Expires: Tue, 23 Dec 2014 23:55:01 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

GET /customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Referer: hXXp://cms.dmccint.com/DynamicOffer/1569870/1514591/?mainofferId=1572961&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141214.03&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Thu, 13 Nov 2014 10:11:54 GMT

Accept-Ranges: bytes

ETag: "427df63f2affcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 10303

Cache-Control: private, max-age=31536000

Expires: Wed, 23 Dec 2015 21:04:18 GMT

Date: Tue, 23 Dec 2014 21:04:18 GMT

Connection: keep-alive

Vary: Accept-Encoding

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"~........7....t.....WO.....m....{'w.>}.4.........x'}Sg..h.j..w.....7NR}>.......WWW..{........w...(..v......GG...J.-.e.Y.......................v....uq..G'........U.Q:..>.......0................q[.e~............@).i..7...(.T.....O.,...X>Jw...W.lV,/._.......(......"....j.........*..Q......5pM~....A..X.u...b.............}.yq1o...vwz..*..Gi6i.r....5.....*.i...to...$......r.(]...G...n....?fe.Z^|t'.....v.......... D..|...VD..[......y.....C5#.......)~.....o..Awwo....x..I............?...p. n|....@.p{_.......h.6.6.6@...i...8.{....x,.....T.,....C...x.. ..x.C..=..i......e^.....5....:_ Y.l."....n.1.........}M........j.:N.....3t.w.y.%..m..n.m.........7..3.3A;{..'..w...I&.O...4....:.?g.eZ.>...Y...)4.GdT.o...BX.........ix.......E.._.../.....x.~...UJ.....iz...../N_.y|wB`......e.gMN..%.o..I..j.~...7.$'.O.s2.iU.UI<..UZ,.6 K|F..../Wm.X/..'...j.qzv.^...f...%X.tV...w....;.O...7...Y>#6....5.'....(..lq......MJ.........gQ.iu.f.....u...).Uz5/.......O.~......X/.v{B....jU...o5.g....,.9.1.V5d..Pw4.g....W....gOO......N...........g'o..|...,..:M.z....................7../_........9}............K..c..:.F4.?I..z..|q.../.|.>.../..y.tD..~s..9...._.|s..W_0..........8.........sB......1..IV. ..4'YS.[.....&......fvA.. .k.s.g4..._........Xd.4..n :..2'. ....jc.^...i..#.....kn..L.]h.U...1...5..0.^.g.y.Z..6...O.d.........9.E..$. ...1.8...,x..jy..=...v..[_..VU..x.^2wge.^3....#yY..e.Ij..UU...#....tyQ..MJ..X.?3.....f...HS^T3...

<<< skipped >>>

GET /customoffers/PC optimum boost/en/1/img/left_text.png HTTP/1.1

Accept: */*

Referer: hXXp://dehosting.dmccint.com/customoffers/PC optimum boost/en/1/PCOptimumBoost.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 13 Nov 2014 10:11:54 GMT

Accept-Ranges: bytes

ETag: "8a5af43f2affcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 11937

Cache-Control: private, max-age=31536000

Expires: Wed, 23 Dec 2015 21:04:19 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

.PNG........IHDR...=.........KF......sRGB.........gAMA......a.....pHYs..........o.d...6IDATx^.......@'....x)...... ..L..D=~.......r.....D....\...}.A.\.(zA.\.(zA.\.(zA.\.(zA.\.(zA.\.(zA.\.(z..}}|.... ...?8....s........l..`....I.~..g......{..o..}.}hs?S.'..T.a.......NU.X.1...Y.n....E9...s..6=..wz...|~jg.#..W.:NS.x...B^....ER.....#b!|'..P.......pX!>.._..i9G.c.l.4..n.....1.^.....v...#..l.....{._...E.^.y..]E.D...`."J....h\..x[k.>%..:.UQ.{..*t.0.....Gm.......C..q.'...G.;G.O.]...u...m.{...76-..f..Mr........>7G.Q@.:.E.>:.l.=..[6..{_'?...a..mh..(z...EO.jPa....Fn.z.o.iU.|..6....[...........A.Q.........).a.O6M..S.)..s...'..Q.&......=.....=.`l.I.{.=..V.,y.^^)zw.A.,z....!......f....Cj...c...I~......z........7.e...B.;R......k6.....q=. w.6-....G....GW#g........fa.q.....Q.....;6m.[...q......F..#s....&|.E......o...@?....x..%.%.....;m.[...*.}......U......z........=.<z..$.......&.FRZ.......'...G..r...9..g..>...O...Pc}d.N....j.:NQ.x..&../x...y.w....[............Cu..zmlZ..RL.\. z.YW.,...v.l..B...*.. ..5...eDa....K..5..x.....nm<oC.B..'.>i...j..:(..{W*.=...=..:-.;....z..4.S/...q.....F...." e(..2&=.}^..Xz.7... .>.*z.Y ..z..J3..Q..Evk.j.%....u.....-.A...(zA.\.(zA.\.(zA.\..Q.. .V......................................E.....$..]..w..........J...#?.'......m..[............o.....{~..P..6..'..D..]^_.r....../4._g....Ii..G.c..q....n......}L.N\......G.....<.....^..kY.......I.E...[...~..b....m.r..<..#9G.k...G...I2.._H.}...a..m..(...2..*:..ps~... #lor.|...u#k..R....b.U.....<......6.s..5..kS.>....6.........>

<<< skipped >>>

GET /customoffers/customframeapi.js HTTP/1.1

Accept: */*

Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Encoding: gzip

Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT

Accept-Ranges: bytes

ETag: "46a2919a7ac7cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 798

Cache-Control: private, max-age=31536000

Expires: Wed, 23 Dec 2015 21:04:19 GMT

Date: Tue, 23 Dec 2014 21:04:19 GMT

Connection: keep-alive

Vary: Accept-Encoding

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"....i[T.t.N.....7NRz..:]eu.l.....4_N.Y.....Y...T.U...[e5..a<...;w...,......;......X.3...Y....G..W....(g....`B_..W.....2/.......j......=...\...^d.|..b.Z.............}4r......Wu.UP....H.w........w.|....8O.:..W|.h..m]L.m...,k..I>......N..~...e.....k.uM8./po\....`]...yu..'Y...?#.4o..a.A..S..j..e<q.}.~...t.O.....H?z..k?J....f...~I..M~s.M...m.|..c...Y~...6.o..0. Z....We6....9.......zo.z..w........\..Rk.....K./..1..D........m.8....h:.l...w.t.0o?J0...h.,..............$=..._.....n.l..... ...F..3.V......U^.Ok]@.....K..b..>...o;..t`m....jZ..|t...Cj......y.[...v..Z...?.|..?......[..]..`.i..A.q..4m.....#.F|U,g..X.......I.'.."....z#.......h.......a..b.K.#L...k.M..-..&...6z..........;....8".F.....

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "d0643b44c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "0c67198c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 1076

Cache-Control: private, max-age=8981

Expires: Tue, 23 Dec 2014 23:33:52 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive

.PNG........IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:CBFD1020532511E199C4D6240585BDC2" xmpMM:DocumentID="xmp.did:CBFD1021532511E199C4D6240585BDC2"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CBFD101E532511E199C4D6240585BDC2" stRef:documentID="xmp.did:CBFD101F532511E199C4D6240585BDC2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..q<....IDATx.b)--}...p..}.....i...2q u...2... v..F.$3.Z...@...$..&..%..i. ....@......... g5.[0@.j.ua ..T..._f@..0.L.6 N..EP....v.$..}.v.H;..v ....@.....w....`.uP(...@..*..........1.%>.d....IEND.B`.....

<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "67f82544c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "404a5898c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 3937

Cache-Control: private, max-age=8771

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive

.PNG........IHDR...............r.....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:E4C0C980D870E111A2F7CE32BC247645" xmpMM:DocumentID="xmp.did:1D12B49752CE11E4A35AAE9F3918A442" xmpMM:InstanceID="xmp.iid:1D12B49652CE11E4A35AAE9F3918A442" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4A3B36E671AF11E1BCD6B8635898C9B3" stRef:documentID="xmp.did:4A3B36E771AF11E1BCD6B8635898C9B3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>o.a*....IDATx...k.e.A......{..........P.K..........*~.i.....i...V$...E.....Z.TJ.1..:*..m......*i..jn..;3.....]k.s..L.o".}~.a.9.O.e}.._{....i..,.... ...g...._..-... ..".=....qT.{9..,../..?}...}...~..=............G...~,....xi3..e.o..@...WB...4.. u....... ?.H.."<....Ey......W......,|.?~)....f..^;..W.........w.k7.1...z..^Q\Q........l./4...`.B..-....X..Kygy.....F.......u:.n&.....G.g.&...zvo...........hz...........hz.....v.y.&...zY.-..,L.......z.7.X...{...izvo..(.WU..7.....t...._.h..f..^;...,~.....r.......TWg.......k.V.......T..=f

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "d0643b44c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "d0643b44c6fd01:0"

Cache-Control: private, max-age=8627

Expires: Tue, 23 Dec 2014 23:27:59 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "404a5898c6fd01:0"

Cache-Control: private, max-age=8770

Expires: Tue, 23 Dec 2014 23:30:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2337

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:40:373" , "phase" : "InStartLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "7719" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_comb

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:16 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

HTTP/1.1 202 Accepted..Date: Tue, 23 Dec 2014 21:04:16 GMT..P3P: CP="NOI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length: 0..Connection: keep-alive......

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2268

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:44" , "phase" : "Android detection start" , "phase_type" : "regular" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "671" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_combinations_2014-12-23.csv" , "user_operating_system" : "Microsoft Windo

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2334

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:76" , "phase" : "StartingLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_combina

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2781

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:107" , "phase" : "InitComplete" , "phase_type" : "regular" , "order" : "2.0" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "EngineMgrCreated:828,BuildUserProfile:6656,retrieveCid:0,sendXML:0,xmlSent:16,startParse:391,endParse:15,StartOffersLoop:703,ValidateMO:0,NavigateFirstSlot:0,ReportInitComplete:0," , "general_status_code" : "1" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_id" : "1572961" , "product_id" : "0" , "product_type" : "Publisher's Offer" , "product_id_version" : "" , "rule_id" : "465651" , "vector_id" : "466244" , "is_parallel" : "0" , "call_service_duration" : "407" , "navigate_mo_duration" : "MONavigationCompleted:1578," , "navigate_global_duration" : "GlobalNavigationCompleted:2110," , "attempt_number" : "1" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_s

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2801

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:138" , "phase" : "OfferPresented" , "phase_type" : "regular" , "order" : "3.1" , "result" : "Success" , "error_details" : "" , "phase_duration" : "63" , "duration_details" : "" , "general_status_code" : "2" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_suggestion_number" : "1" , "offer_presented_number" : "1" , "slot_number" : "1" , "position_in_slot" : "1" , "server_settings" : {"DownloadBrowser":"IE","CType":"-1","SearchProvider":"Bing","UserMode":"-1"} , "user_selection_settings" : "" , "condition_type" : "None" , "offer_type" : "Main" , "offer_id" : "1572961" , "root_offer_id" : "1572961" , "rule_id" : "465651" , "vector_id" : "466244" , "product_id" : "0" , "product_id_version" : "" , "product_type" : "Publisher's Offer" , "state" : "" , "installation_type" : "0" , "attempt_number" : "1" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:18 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 2291

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "20876" , "json_send_time" : "2014-12-23.17:54:41:279" , "phase" : "ChromeError" , "phase_type" : "regular" , "order" : "" , "result" : "Error" , "error_details" : "error: did not found chrome full path" , "phase_duration" : "16" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "publisher_id" : "AfterDawn.com" , "publisher_internal_id" : "244" , "activated_by_stub" : "1" , "stub_version" : "1.3.9.0.140504.01" , "welcome_screen" : "0" ,"test_id":"44","group_id":"1", "publisher_account_id" : "A-4410674" , "channel_id" : "" , "machine_user_id" : "FXZ/RKL XW0KRSKYQZS7P1XAWA84/LVSSRISW8IEZO0WIRO4OGWJZXLA9ZKGQOLBMWLATTL7OAP8E LP9RINZA" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "general_id" : "GID1238065" , "dm_version" : "1.4.0.4.141214.03" , "build_id" : "0000000000000000000000" , "mrs_id" : "24" , "mrs_file_version" : "Bayes_glm_only_current_combinations_2014-12-23.csv" , "user_operating_sys

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:18 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

HTTP/1.1 202 Accepted..Date: Tue, 23 Dec 2014 21:04:18 GMT..P3P: CP="NOI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length: 0..Connection: keep-alive..

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "ac4d4d98c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

ETag: "ac4d4d98c6fd01:0"

Cache-Control: private, max-age=8245

Expires: Tue, 23 Dec 2014 23:21:36 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "6f33944c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

ETag: "6f33944c6fd01:0"

Cache-Control: private, max-age=8982

Expires: Tue, 23 Dec 2014 23:33:53 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:29:01 GMT

If-None-Match: "c8592844c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "caa5998c6fd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 2726

Cache-Control: private, max-age=8246

Expires: Tue, 23 Dec 2014 23:21:37 GMT

Date: Tue, 23 Dec 2014 21:04:11 GMT

Connection: keep-alive

<<< skipped >>>

GET /CmsThemes/Default/Images/InstallationSuccessful.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:31:22 GMT

Accept-Ranges: bytes

ETag: "e87a6698c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2670

Cache-Control: private, max-age=8890

Expires: Tue, 23 Dec 2014 23:32:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

.PNG........IHDR...#...".......`.....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:F1E913D3555911E18CA7F85F751BB1C7" xmpMM:DocumentID="xmp.did:F1E913D4555911E18CA7F85F751BB1C7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F1E913D1555911E18CA7F85F751BB1C7" stRef:documentID="xmp.did:F1E913D2555911E18CA7F85F751BB1C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>~. .....IDATx..W]l.U.>........t...V~.X ...I@HA.'~.D. .J4....o.V.&...X.B.E...M$}....l...o.P..g........w.eKA.....nw.....}.9.`.n....r.|?(J..7 .;.....`.,.a.8Op....O..f..*.m..... g..(.../.f0.E.......L..........Ru.r.....J.....`2..O..*8....@.....X...@|..@..,S..K.....P=.#..n....D.P..Y.x.:T.t.......Qv.n4..P6......x$.\....a.....#0}.W...y:.*.@.q...OJ.....pdIi..#9s.a...F..a....."P....H........].H....x4...O/.<.....h:.J<b)..[....y....|f.a.....cy a..#..K2.z~I..ZS....HM...[,Wj@..0..D.4a.d.HQ..?.sp...6.....g:....2#...X.V.,.@.S.<....)....%.....p.&......M....$.b.......I.>hI.O.c.6AW'....C<1..F[..

<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/1569870/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 04 Dec 2014 13:31:22 GMT

If-None-Match: "404a5898c6fd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 04 Dec 2014 13:29:01 GMT

Accept-Ranges: bytes

ETag: "67f82544c6fd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 3937

Cache-Control: private, max-age=8890

Expires: Tue, 23 Dec 2014 23:32:22 GMT

Date: Tue, 23 Dec 2014 21:04:12 GMT

Connection: keep-alive

<<< skipped >>>

POST / HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 742

Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "technical" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "json_send_time" : "2014-12-23.17:54:41:107" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_WaitForDMInitComplete" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "244" , "publisher_account_id" : "A-4410674" , "publisher_id" : "AfterDawn.com" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0" }

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

....

POST / HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: ude.databssint.com

Content-Length: 731

Cache-Control: no-cache

{ "send_attempt" : "1" , "phase_type" : "regular" , "installation_session_id" : "49deca54-7b41-4951-ba0d-e55cf038edeb" , "json_send_time" : "2014-12-23.17:54:41:294" , "result" : "Success" , "error_details" : "" , "general_status_code" : "" , "phase" : "SmallStub_EndOfSession" , "attempt_number" : "1" , "internal_error_number" : "" , "bundle_id" : "c62722b7-da76-4ef0-adf0-9118edbfbf93" , "stub_version" : "1.3.9.0.140504.01" , "publisher_internal_id" : "244" , "publisher_account_id" : "A-4410674" , "publisher_id" : "AfterDawn.com" , "download_url" : "hXXp://resolver.dmccint.com/DMResolver/ResolveByBundleID/" , "tracking_id" : "" , "file_name" : "%original file name%.exe" , "extra_data" : "" , "Is_Test" : "0" }

HTTP/1.1 202 Accepted

Date: Tue, 23 Dec 2014 21:04:17 GMT

P3P: CP="NOI ADM DEV COM NAV OUR STP"

Server: Apache-Coyote/1.1

Content-Length: 0

Connection: keep-alive

HTTP/1.1 202 Accepted..Date: Tue, 23 Dec 2014 21:04:17 GMT..P3P: CP="NOI ADM DEV COM NAV OUR STP"..Server: Apache-Coyote/1.1..Content-Length: 0..Connection: keep-alive..

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

DVD_Shrink_v3.2.0.15.exe_1596:

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

H#.Mx

dWi7.wU

zcÃ

.?AVfsURL@@

.?AVfsInternetURLFile@@

.?AVfsInternetURLFileDownloader@@

.?AVfsHttpFile@@

.?AVfsFtpConnection@@

.?AVfsFtpFile@@

.?AVfsHttpConnection@@

6'6,60646]6

2(2F2i2

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXps://VVV.verisign.com/cps0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

hXXps://VVV.verisign.com/rpa0

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

Nullsoft Install System v2.46.5-Unicode

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

LOCALS~1\Temp\nsaB4.tmp\webapphost.dll

n Data\Google\Chrome\User Data\Default

=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\webapphost.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp

n\App Paths\IEXPLORE.EXE

geDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1.0.0.1

Download.dll

nsaB4.tmp

File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\webapphost.dll" (overwriteflag=1)

\webapphost.dll"

PLORE.EXE

gle\Chrome\User Data\Default

dleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

ByStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

4-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe /ByStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb

DVD_Shrink_v3.2.0.15.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nspB2.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\49deca54-7b41-4951-ba0d-e55cf038edeb\DVD_Shrink_v3.2.0.15.exe

LORE.EXE

IEXPLORE.EXE

49deca54-7b41-4951-ba0d-e55cf038edeb

hXXp://ude.databssint.com

hXXp://engine.dmccint.com/DecisionEngine.ashx

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico

Icons\icon.png

c62722b7-da76-4ef0-adf0-9118edbfbf93

AfterDawn.com

1572961

hXXp://cms.dmccint.com/MainOffer/1569870/

DVD Shrink v3.2.0.15

Setup.exe

hXXp://cms.dmccint.com/Global/GlobalPage/1569870/

hXXp://business.va.conduit.com/chrome/inline/instafeed/shell.html

6-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

ccmd.smc//:ptth=lrUegaPlabolG

1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

yStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

1.3.9.0.140504.01

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\webapp\

1989312

Bayes_glm_only_current_combinations_2014-12-23.csv

Microsoft Windows XP

6.0.2900.5512

%Documents and Settings%\%current user%\Local Settings\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default

/ByStub BundleIDGuid=c62722b7-da76-4ef0-adf0-9118edbfbf93 ShowLanguageDialog=False StubVersion=1.3.9.0.140504.01 /RunID=49deca54-7b41-4951-ba0d-e55cf038edeb MainOfferUrl=hXXp://cms.dmccint.com/MainOffer/1569870/ ServiceURL=hXXp://engine.dmccint.com/DecisionEngine.ashx ServiceVAURL=hXXp://engine.va.dmccint.com/DecisionEngine.ashx ServiceAMSURL=hXXp://engine.ams.dmccint.com/DecisionEngine.ashx BIUrl=hXXp://ude.databssint.com Environment=Prod PublisherID=244 PublisherName=AfterDawn.com AcountId=A-4410674 MainOfferKey=1572961 MainOfferName=DVD Shrink v3.2.0.15 DynamicOfferCount=2 IsSilent=false Lang=en GlobalPageUrl=hXXp://cms.dmccint.com/Global/GlobalPage/1569870/ MOBrowserInline=false MOInstallationType=1 Fwd="test_id":"44","group_id":"1" IconPath=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0\icon.ico UserSelectedLanguage=NotRequired

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\client_xml.xml

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB4.tmp\offer.xml

no_dynamic_main_offer_url_supported_in_this_version

%Program Files%\Internet Explorer\iexplore.exe

GenericDM.exe

1.4.0.4.141214.03

svchost.exe_1496:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512