Skip to main content

SearchProtectToolbar_pcap_be28dff543


Backdoor.Win32.Farfli.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)Behaviour: Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: be28dff543300248ba2fc4b014fa156f

SHA1: 32ab877549b303cfea394a7d7a92eaa0e1494c4a

SHA256: 74a277bb8bb2b4ce0b943a398ec2dd358805b26b97a94ce8dca63a236ecc8185

SSDeep: 12288:QEbPLKsk W2HRSnxcCAJa90agBcrjj WB2k1//DZphYieONqeLIrbGRu6oK1hNWH:QEPbkIxoiCpnv/np ieQIrpHms

Size: 735680 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: ?? 2014 ClientConnect Ltd.

Created at: 2012-02-24 21:19:59

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):No processes have been created.The Backdoor injects its code into the following process(es):

%original file name%.exe:1060

Mutexes

The following mutexes were created/opened:

RasPbFileWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!ShimCacheMutexc:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_oleacc-msaa-loadedZonesCacheCounterMutexZonesCounterMutexZonesLockedCacheCounterMutexCTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003DDrawWindowListMutexDDrawDriverObjectListMutex__DDrawExclMode____DDrawCheckExclMode__c:!documents and settings!adm!local settings!history!history.ie5!mshist012015011220150113!_!SHMSFTHISTORY!_

File activity

The process %original file name%.exe:1060 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\icon.png (622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.dotdotdot.min[1].js (3016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[2].htm (25423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (1255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3724833[1].htm (29613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[2].htm (26894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (2 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (1889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\780547[1].htm (23622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].htm (2159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\985986[1].htm (31258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[1].htm (28444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\985986[1].htm (30015 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6674bca0-3e48-4131-9b81-5071d5b2c2da[1].jpg (32468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[3].htm (27743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB3.tmp (41812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\64bfde2c-3be5-4981-ab13-3339cc75dd5f[1].png (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\985986[1].htm (25601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery.dotdotdot.min[1].js (3016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[1].htm (31009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\System.dll (784 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\NextButton_Sprite-wide-grey[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\X[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SmallLoader[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1060 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"WebBrowser_embedded.exe" = "6000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015011220150113\"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"%original file name%.exe" = "6000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CachePrefix" = ":2015011220150113:"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CacheLimit" = "8192"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1330111199"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 26 36 AE C0 71 CB BC 82 B2 AF F3 C3 1B 2D 1D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
b87a1c92512f3320e907c1534071f4b9c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\FDMClient.dll
62008374a494afeea2ee2ae9eee4c8c0c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\System.dll
07f09c1bf361f757675b77320a08506cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\manager\scripts\WebBrowser_embedded.exe
fb2d0b843bf1f8d7150ec2294c983d7dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\webapphost.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite-wide-grey[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite wide[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\icon.png (622 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\manager.js (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.dotdotdot.min[1].js (3016 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[2].htm (25423 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\webapphost.dll (39329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\DM_loader.gif (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBG[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[1].png (933 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\gplay.js (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (1255 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\FDMClient.dll (8184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3724833[1].htm (29613 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\X[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\manager.html (328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\WelcomeScreen.htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BoxBgNew[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\NoneSilentSuccess.htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[2].htm (26894 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (2 bytes)
    %System%\wbem\Logs\wbemprox.log (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\init.html (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (83 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\certInlineLB.pfx (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\780547[1].htm (23622 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].htm (2159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\985986[1].htm (31258 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[1].htm (28444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\985986[1].htm (30015 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Failed.htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6674bca0-3e48-4131-9b81-5071d5b2c2da[1].jpg (32468 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\proxy.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[3].htm (27743 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\customframeapi[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB3.tmp (41812 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SmallLoader[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\NextButton_Sprite-wide-grey[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\64bfde2c-3be5-4981-ab13-3339cc75dd5f[1].png (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\985986[1].htm (25601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Success.htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery.dotdotdot.min[1].js (3016 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-[1].png (933 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].html (6038 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\InstallationSuccessful[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[1].htm (31009 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\System.dll (784 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ?? 2014 ClientConnect Ltd.
Product Name: Setup.exe
Product Version: 1.4.0.4.141207.02
Legal Copyright: ?? 2014 ClientConnect Ltd.
Legal Trademarks:
Original Filename: Minecraft.exe
Internal Name:
File Version:
File Description: Setup.exe
Comments:
Language: Language Neutral

Company Name: ?? 2014 ClientConnect Ltd.Product Name: Setup.exeProduct Version: 1.4.0.4.141207.02Legal Copyright: ?? 2014 ClientConnect Ltd.Legal Trademarks: Original Filename: Minecraft.exeInternal Name: File Version: File Description: Setup.exeComments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409628432286724.50399f569e353af0ed51bf4c216faa9bed4e7
.rdata3276810898112643.0456191eee43954e068e650f7b73a8b0e6915
.data450564256605121.02085db9f7acbf1c3ddfe255077b699955dfa
.ndata471040813056000d41d8cd98f00b204e9800998ecf8427e
.rsrc8601600736076803.01562cbd1c2f25618ac4763be1d130ad20d87
.reloc8609792397840963.672110b317a7fb6b762a1feac024cc6713ac7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 6
3f9c32c5c969cbc52c783018b7b24fbc
6be939c7e5274b05a257ea4036ff230f
297df27b78cf9cae741f82a3e5f7b921
4f6b2cd0177b661a74ee4e0b3ceaf666
802182127e3ab3c609c988aed8d0703a
2588fc9648eae379999ccdb127b149e6

Network Activity

URLs

URL IP
hxxp://199.101.115.225/api/usages/
hxxp://23.9.107.19/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
hxxp://23.9.107.19/Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage
hxxp://23.9.107.19/Js/jquery.dotdotdot.min.js?fid=1857275
hxxp://e8210.g.akamaiedge.net///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png
hxxp://e8210.g.akamaiedge.net/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
hxxp://e8210.g.akamaiedge.net///img/offers/r_d1/r_9c/6674bca0-3e48-4131-9b81-5071d5b2c2da.jpg
hxxp://e8210.g.akamaiedge.net/Global/GlobalPage/3724833/?Language=None&Welcome=true
hxxp://e8210.g.akamaiedge.net/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/X.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/-.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/button.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/CancelBG.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/InstallationSuccessful.png
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/images/SmallLoader.gif
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/BoxBgNew.png
hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=985986
hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=1857275
hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/CancelBGGoogleDialog.png
hxxp://e6652.g.akamaiedge.net/ps/SearchProtector/SP_UI_AD/prod/adwords_express.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/NextButton_Sprite wide.png
hxxp://a1128.g1.akamai.net/customoffers/customframeapi.js
hxxp://e6652.g.akamaiedge.net/LMS/PS_searchprotect_express/PS_searchprotect_express.json
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBG.png
hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBGGoogleDialog.png
hxxp://cms.dmccint.com/CmsThemes/Default/Images/button.png
hxxp://data.dmccint.com/api/usages/
hxxp://cms.dmccint.com/CmsThemes/Default/Images/-.png
hxxp://cmsstorage.dmccint.com///img/offers/r_d1/r_9c/6674bca0-3e48-4131-9b81-5071d5b2c2da.jpg23.9.107.19
hxxp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=1857275
hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=985986
hxxp://cms.dmccint.com/CmsThemes/Default/Images/X.png
hxxp://cms.dmccint.com/CmsThemes/Default/images/SmallLoader.gif
hxxp://cms.dmccint.com/CmsThemes/Default/Images/BoxBgNew.png
hxxp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png
hxxp://cmsstorage.dmccint.com///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png23.9.107.19
hxxp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
hxxp://dehosting.dmccint.com/customoffers/customframeapi.js184.84.243.32
hxxp://cms.dmccint.com/CmsThemes/Default/Images/InstallationSuccessful.png
hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite wide.png
hxxp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/adwords_express.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie23.9.102.129

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /customoffers/customframeapi.js HTTP/1.1

Accept: */*

Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/adwords_express.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dehosting.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Encoding: gzip

Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT

Accept-Ranges: bytes

ETag: "46a2919a7ac7cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 798

Cache-Control: private, max-age=31536000

Expires: Tue, 12 Jan 2016 06:36:07 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

Vary: Accept-Encoding

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"....i[T.t.N.....7NRz..:]eu.l.....4_N.Y.....Y...T.U...[e5..a<...;w...,......;......X.3...Y....G..W....(g....`B_..W.....2/.......j......=...\...^d.|..b.Z.............}4r......Wu.UP....H.w........w.|....8O.:..W|.h..m]L.m...,k..I>......N..~...e.....k.uM8./po\....`]...yu..'Y...?#.4o..a.A..S..j..e<q.}.~...t.O.....H?z..k?J....f...~I..M~s.M...m.|..c...Y~...6.o..0. Z....We6....9.......zo.z..w........\..Rk.....K./..1..D........m.8....h:.l...w.t.0o?J0...h.,..............$=..._.....n.l..... ...F..3.V......U^.Ok]@.....K..b..>...o;..t`m....jZ..|t...Cj......y.[...v..Z...?.|..?......[..]..`.i..A.q..4m.....#.F|U,g..X.......I.'.."....z#.......h.......a..b.K.#L...k.M..-..&...6z..........;....8".F...HTTP/1.1 200 OK..Content-Type: application/x-javascript..Content-Encoding: gzip..Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT..Accept-Ranges: bytes..ETag: "46a2919a7ac7cf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 798..Cache-Control: private, max-age=31536000..Expires: Tue, 12 Jan 2016 06:36:07 GMT..Date: Mon, 12 Jan 2015 06:36:07 GMT..Connection: keep-alive..Vary: Accept-Encoding...............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"....i[T.t.N.....7NRz..:]eu.l.....4_N.Y.....Y...T.U...[e5..a<...;w...,......;......X.3...Y....G..W....(g....`B_..W.....2/.......j......=...\...^d.|..b.Z.............}4r......Wu.UP....H.w........w.|....8

<<< skipped >>>

GET /ps/SearchProtector/SP_UI_AD/prod/adwords_express.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: storage.stgbssint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 36273

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Thu, 21 Aug 2014 07:42:36 GMT

Accept-Ranges: bytes

ETag: "03ea67913bdcf1:528"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Cache-Control: private, max-age=86400

Expires: Tue, 13 Jan 2015 06:36:07 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

Vary: Accept-Encoding

Access-Control-Max-Age: 604800

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: origin, content-type

Access-Control-Allow-Methods: GET, OPTIONS

Access-Control-Allow-Origin: *

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

...............6.(.........n...n..|PAk..L<....L.Q Yl..fL.......^..}.........8....V....(.3.{..LZ.w.P(....o....|......._>.].u.{..._>{......>xt|.....w_.....xt.{S.Y..$...............R......jt.`....o^._c.c..|..W.h...)..I. .%....gk...V:.?o.w"x.gJfj..f#..B.D...:..&..e\.R..Z.....T.Ry..1...R.....*S..,m..{._....O..l.......1.../...O...|..)O....5?/x)S.P<.6[...\.<..&....S.U..%WK.L.Q.-Q..$.]..E.E'.M.\&..|.r.r..".....N..B%.8..ir.E...*H29.......d.p&.....X.".rH.8..g...<M.M.%.....\.h.V.GP.[........U...../T.N....FU.]....Fk.L..^.;h.W.R]F......=Je\..&.=..h..Ur.. %..........2)7i|.hH......@..'..y.&.R/..Rf.j.R&......v~C....$."T9eB2.]..........h:..ls.............x.v.i..s....w.Q..&.....Zq.;..Z...!.b.A.W.Q.....n..Z,x..'u.kq.....I.....E!efjo...k..JG....xs. .4Y.~.\........".fK$..J.n.'._ ..8....uW.*^').[\$q.....J..!.oU.J.M....?.....7Q.....4..X..#\.~O..?.Zh4.7.5.......5...........b......... .<..^..a......x.h{@.?..e.?.[.._.J...(.].....?...)..B...l.CM.....r.=.?.r.H......b...P... =...l..{..I .N............pu...........d.'. ......m.o6v.t.6..E.B.1.-.J.%.NL..'.=...HB....?............I.3-.Z.......>9..^|^..V.3.....;...wt...H......L.=.......mL.jtl.Xt.>...&i.8...j*p..o.7n...../...........|.......F....[Y...C./.E.Q.....].c..p|.o.....'.......P..........(L.H...Z. .O?c....d!.RB.......X........W_..q..G.j.N..:...7H..j.-..Pr.n..E/..O....z..B..|...!......./E\.....R..!.[.....v.7b6. ..>.|)6.E.A...>7..._.G...k.J...~..7b1R.kU@W.;.\.....e.od.n..X. q..E.'.T.".e..w=ZePa.0..l....l0.O.it..w6...r...|2...V.x.1..........H..0; ..O.<}z

<<< skipped >>>

GET /CmsThemes/Default/Images/-.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "ecdb349252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "ecdb349252bd01:0"

Cache-Control: private, max-age=16729

Expires: Mon, 12 Jan 2015 11:14:55 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "6e4bd49252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "6e4bd49252bd01:0"

Cache-Control: private, max-age=18000

Expires: Mon, 12 Jan 2015 11:36:06 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

Accept-Ranges: bytes

ETag: "402ad449252bd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2779

Cache-Control: private, max-age=1110

Expires: Mon, 12 Jan 2015 06:54:37 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

.PNG........IHDR.......}........R....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:72B2EB22C3E111E3AEC3EB792256C508" xmpMM:DocumentID="xmp.did:72B2EB23C3E111E3AEC3EB792256C508"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72B2EB20C3E111E3AEC3EB792256C508" stRef:documentID="xmp.did:72B2EB21C3E111E3AEC3EB792256C508"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.x.I...MIDATx....k]i...s..i..j....n.bq.2.c.Zq....("..A......tQ.S..8. h..af1.....f3.XZ.J[.T.i3.Mnnn.9..7..L.].C.......dw6_....v..y=E=y...P.)........s..........#UU.8_.4A..k.Vk...{..........b......w....,.E./.3.@..e....G..];z......f....34...v[...H1....g......'.......bss.H......699y...^..0...TU....h.V ..x.sOL.?r..@JYX...:4...$...?!.@.. .B......t&.H3.KM..d.... ..... ..... .&(..H6..C.H5..C....@...T.... ..... ..... .&(..H6..C.H5..C.H...A.. ..............4B0....,g....,..n..;......G.|r........r.1..o..b..........mp.)...B.u....l......../.\..`~~......P...C{.... ..Fh.W/].t....7..N,.1....'..D..z..c.......

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "d6cfd949252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/gif

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "d6cfd949252bd01:0"

Cache-Control: private, max-age=17999

Expires: Mon, 12 Jan 2015 11:36:06 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "7aa0dd49252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "7aa0dd49252bd01:0"

Cache-Control: private, max-age=17307

Expires: Mon, 12 Jan 2015 11:24:34 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "e0d5ba49252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "e0d5ba49252bd01:0"

Cache-Control: private, max-age=1281

Expires: Mon, 12 Jan 2015 06:57:28 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "6e4bd49252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "6e4bd49252bd01:0"

Cache-Control: private, max-age=17999

Expires: Mon, 12 Jan 2015 11:36:06 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "7aa0dd49252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "7aa0dd49252bd01:0"

Cache-Control: private, max-age=17307

Expires: Mon, 12 Jan 2015 11:24:34 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "28ffd549252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "28ffd549252bd01:0"

Cache-Control: private, max-age=17999

Expires: Mon, 12 Jan 2015 11:36:06 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "62dc049252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "62dc049252bd01:0"

Cache-Control: private, max-age=1111

Expires: Mon, 12 Jan 2015 06:54:38 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/X.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "7aa0dd49252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "7aa0dd49252bd01:0"

Cache-Control: private, max-age=17307

Expires: Mon, 12 Jan 2015 11:24:34 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT

If-None-Match: "28ffd549252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

ETag: "7aa0dd49252bd01:0"

Cache-Control: private, max-age=17307

Expires: Mon, 12 Jan 2015 11:24:34 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

POST /api/usages/ HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: data.dmccint.com

Content-Length: 2301

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "32089" , "json_send_time" : "2015-1-12.3:24:11:655" , "phase" : "StartingLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "2422" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "61e2d6c4-20da-48df-ace5-9e0978d3a621" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_screen" : "0", "publisher_account_id" : "A-480753" , "channel_id" : "" , "machine_user_id" : "SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG" , "bundle_id" : "0b9743f2-3fb2-43e6-b2aa-715431425a3e" , "general_id" : "unknown" , "dm_version" : "1.4.0.4.141207.02" , "build_id" : "00000000" , "mrs_id" : "17" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2015-01-12.csv" , "user_operating_sys

HTTP/1.1 202 Accepted

Cache-Control: no-cache

Pragma: no-cache

Expires: -1

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Date: Mon, 12 Jan 2015 06:35:19 GMT

Content-Length: 0

....

POST /api/usages/ HTTP/1.1

Accept: */*

Content-Type: application/json

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

Host: data.dmccint.com

Content-Length: 2253

Connection: Keep-Alive

Cache-Control: no-cache

{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "32089" , "json_send_time" : "2015-1-12.3:24:12:249" , "phase" : "ChromeError" , "phase_type" : "regular" , "order" : "" , "result" : "Error" , "error_details" : "error: did not found chrome full path" , "phase_duration" : "0" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "61e2d6c4-20da-48df-ace5-9e0978d3a621" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_screen" : "0", "publisher_account_id" : "A-480753" , "channel_id" : "" , "machine_user_id" : "SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG" , "bundle_id" : "0b9743f2-3fb2-43e6-b2aa-715431425a3e" , "general_id" : "unknown" , "dm_version" : "1.4.0.4.141207.02" , "build_id" : "00000000" , "mrs_id" : "17" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2015-01-12.csv" , "user_operating_system" : "Microsoft Windows XP" , "user_service_pa

HTTP/1.1 202 Accepted

Cache-Control: no-cache

Pragma: no-cache

Expires: -1

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Date: Mon, 12 Jan 2015 06:35:19 GMT

Content-Length: 0

HTTP/1.1 202 Accepted..Cache-Control: no-cache..Pragma: no-cache..Expires: -1..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"..Date: Mon, 12 Jan 2015 06:35:20 GMT..Content-Length: 0..HTTP/1.1 202 Accepted..Cache-Control: no-cache..Pragma: no-cache..Expires: -1..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"..Date: Mon, 12 Jan 2015 06:35:20 GMT..Content-Length: 0..

GET /Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT

Accept-Ranges: bytes

ETag: "946714a252bd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=16789

Expires: Mon, 12 Jan 2015 11:15:09 GMT

Date: Mon, 12 Jan 2015 06:35:20 GMT

Connection: keep-alive

/*. *.jQuery dotdotdot 1.6.16. *. *.Copyright (c) Fred Heusschen. *.www.frebsite.nl. *. *.Plugin website:. *.dotdotdot.frebsite.nl. *. *.Dual licensed under the MIT and GPL licenses.. *.hXXp://en.wikipedia.org/wiki/MIT_License. *.hXXp://en.wikipedia.org/wiki/GNU_General_Public_License. */.!function(t,e){function n(t,e,n){var r=t.children(),o=!1;t.empty();for(var i=0,d=r.length;d>i;i ){var l=r.eq(i);if(t.append(l),n&&t.append(n),a(t,e)){l.remove(),o=!0;break}n&&n.detach()}return o}function r(e,n,i,d,l){var s=!1,c="table, thead, tbody, tfoot, tr, col, colgroup, object, embed, param, ol, ul, dl, blockquote, select, optgroup, option, textarea, script, style",u="script, .dotdotdot-keep";return e.contents().detach().each(function(){var f=this,h=t(f);if("undefined"==typeof f||3==f.nodeType&&0==t.trim(f.data).length)return!0;if(h.is(u))e.append(h);else{if(s)return!0;e.append(h),l&&e[e.is(c)?"after":"append"](l),a(i,d)&&(s=3==f.nodeType?o(h,n,i,d,l):r(h,n,i,d,l),s||(h.detach(),s=!0)),s||l&&l.detach()}}),s}function o(e,n,r,o,d){var c=e[0];if(!c)return!1;var f=s(c),h=-1!==f.indexOf(" ")?" ":"...",p="letter"==o.wrap?"":h,g=f.split(p),v=-1,w=-1,b=0,y=g.length-1;for(o.fallbackToLetter&&0==b&&0==y&&(p="",g=f.split(p),y=g.length-1);y>=b&&(0!=b||0!=y);){var m=Math.floor((b y)/2);if(m==w)break;w=m,l(c,g.slice(0,w 1).join(p) o.ellipsis),a(r,o)?(y=w,o.fallbackToLetter&&0==b&&0==y&&(p="",g=g[0].split(p),v=-1,w=-1,b=0,y=g.length-1)):(v=w,b=w)}if(-1==v||1==g.length&&0==g[0].length){var x=e.parent();e.detach();var T=d&&d.closes

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1857275 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

n e?"string"==typeof e?(e=t(e,n),e.length?e:!1):e.jquery?e:!1:!1}function h(t){for(var e=t.innerHeight(),n=["paddingTop","paddingBottom"],r=0,o=n.length;o>r;r ){var a=parseInt(t.css(n[r]),10);isNaN(a)&&(a=0),e-=a}return e}if(!t.fn.dotdotdot){t.fn.dotdotdot=function(e){if(0==this.length)return t.fn.dotdotdot.debug('No element found for "' this.selector '".'),this;if(this.length>1)return this.each(function(){t(this).dotdotdot(e)});var o=this;o.data("dotdotdot")&&o.trigger("destroy.dot"),o.data("dotdotdot-style",o.attr("style")||""),o.css("word-wrap","break-word"),"nowrap"===o.css("white-space")&&o.css("white-space","normal"),o.bind_events=function(){return o.bind("update.dot",function(e,d){e.preventDefault(),e.stopPropagation(),l.maxHeight="number"==typeof l.height?l.height:h(o),l.maxHeight =l.tolerance,"undefined"!=typeof d&&(("string"==typeof d||d instanceof HTMLElement)&&(d=t("<div />").append(d).contents()),d instanceof t&&(i=d)),g=o.wrapInner('<div class="dotdotdot" />').children(),g.contents().detach().end().append(i.clone(!0)).find("br").replaceWith(" <br /> ").end().css({height:"auto",width:"auto",border:"none",padding:0,margin:0});var c=!1,u=!1;return s.afterElement&&(c=s.afterElement.clone(!0),c.show(),s.afterElement.detach()),a(g,l)&&(u="children"==l.wrap?n(g,l,c):r(g,o,g,l,c)),g.replaceWith(g.contents()),g=null,t.isFunction(l.callback)&&l.callback.call(o[0],u,i),s.isTruncated=u,u}).bind("isTruncated.dot",function(t,e){retur

..

GET /DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 176083

Cache-Control: private, max-age=18000

Expires: Mon, 12 Jan 2015 11:35:20 GMT

Date: Mon, 12 Jan 2015 06:35:20 GMT

Connection: keep-alive

....<!doctype html>..<!--[if lt IE 7 ]> <html class="ie ie6"> <![endif]-->..<!--[if IE 7 ]> <html class="ie ie7"> <![endif]-->..<!--[if IE 8 ]> <html class="ie ie8"> <![endif]-->..<!--[if IE 9 ]> <html class="ie ie9"> <![endif]-->..<!--[if (gt IE 9)|!(IE)]><html> <![endif]-->..<head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <meta charset="utf-8" />.. .. <title>installation</title>.. <style>./* =============================================================================.. HTML5 Boilerplate CSS: h5bp.com/css.. ========================================================================== */..article, aside, details, figcaption, figure, footer, header, hgroup, nav, section { display: block; }..audio, canvas, video { display: inline-block; *display: inline; *zoom: 1; }..audio:not([controls]) { display: none; }..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, select, textarea { font-family: sans-serif; color: #222; }..body { margin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-shadow: none; }..::selection { text-shadow: none; }..a { color: #00e; outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..a:focus { outline: none ; }..a:hover, a:active { outline: none;border: none; }...ie7 a:focus, *:focus {.. noFocusLine: expression(th

<<< skipped >>>

GET /Global/GlobalPage/3724833/?Language=None&Welcome=true HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 188190

Cache-Control: private, max-age=17917

Expires: Mon, 12 Jan 2015 11:34:25 GMT

Date: Mon, 12 Jan 2015 06:35:48 GMT

Connection: keep-alive

....<!doctype html>..<!--[if lt IE 7 ]> <html class="ie ie6"> <![endif]-->..<!--[if IE 7 ]> <html class="ie ie7"> <![endif]-->..<!--[if IE 8 ]> <html class="ie ie8"> <![endif]-->..<!--[if IE 9 ]> <html class="ie ie9"> <![endif]-->..<!--[if (gt IE 9)|!(IE)]><html> <![endif]-->..<head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <meta charset="utf-8" />.. .. <title>installation</title>.. <style>./* =============================================================================.. HTML5 Boilerplate CSS: h5bp.com/css.. ========================================================================== */..article, aside, details, figcaption, figure, footer, header, hgroup, nav, section { display: block; }..audio, canvas, video { display: inline-block; *display: inline; *zoom: 1; }..audio:not([controls]) { display: none; }..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, select, textarea { font-family: sans-serif; color: #222; }..body { margin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-shadow: none; }..::selection { text-shadow: none; }..a { color: #00e; outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..a:focus { outline: none ; }..a:hover, a:active { outline: none;border: none; }...ie7 a:focus, *:focus {.. noFocusLine: expression(th

<<< skipped >>>

GET /MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 168287

Cache-Control: private, max-age=17945

Expires: Mon, 12 Jan 2015 11:35:10 GMT

Date: Mon, 12 Jan 2015 06:36:05 GMT

Connection: keep-alive

....<!doctype html>..<!--[if lt IE 7 ]> <html class="ie ie6"> <![endif]-->..<!--[if IE 7 ]> <html class="ie ie7"> <![endif]-->..<!--[if IE 8 ]> <html class="ie ie8"> <![endif]-->..<!--[if IE 9 ]> <html class="ie ie9"> <![endif]-->..<!--[if (gt IE 9)|!(IE)]><html> <![endif]-->..<head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <meta charset="utf-8" />.. .. <title>installation</title>.. <style>./* =============================================================================.. HTML5 Boilerplate CSS: h5bp.com/css.. ========================================================================== */..article, aside, details, figcaption, figure, footer, header, hgroup, nav, section { display: block; }..audio, canvas, video { display: inline-block; *display: inline; *zoom: 1; }..audio:not([controls]) { display: none; }..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, select, textarea { font-family: sans-serif; color: #222; }..body { margin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-shadow: none; }..::selection { text-shadow: none; }..a { color: #00e; outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..a:focus { outline: none ; }..a:hover, a:active { outline: none;border: none; }...ie7 a:focus, *:focus {.. noFocusLine: expression(th

<<< skipped >>>

GET /DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 176083

Cache-Control: private, max-age=17954

Expires: Mon, 12 Jan 2015 11:35:20 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

....<!doctype html>..<!--[if lt IE 7 ]> <html class="ie ie6"> <![endif]-->..<!--[if IE 7 ]> <html class="ie ie7"> <![endif]-->..<!--[if IE 8 ]> <html class="ie ie8"> <![endif]-->..<!--[if IE 9 ]> <html class="ie ie9"> <![endif]-->..<!--[if (gt IE 9)|!(IE)]><html> <![endif]-->..<head>.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <meta charset="utf-8" />.. .. <title>installation</title>.. <style>./* =============================================================================.. HTML5 Boilerplate CSS: h5bp.com/css.. ========================================================================== */..article, aside, details, figcaption, figure, footer, header, hgroup, nav, section { display: block; }..audio, canvas, video { display: inline-block; *display: inline; *zoom: 1; }..audio:not([controls]) { display: none; }..[hidden] { display: none; }..html { font-size: 100%; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; }..html, button, input, select, textarea { font-family: sans-serif; color: #222; }..body { margin: 0; font-size: 1em; line-height: 1.4; }..::-moz-selection { text-shadow: none; }..::selection { text-shadow: none; }..a { color: #00e; outline:0 }..a:visited { color: #551a8b; }..a:hover { color: #06e; }..a:focus { outline: none ; }..a:hover, a:active { outline: none;border: none; }...ie7 a:focus, *:focus {.. noFocusLine: expression(th

<<< skipped >>>

GET /CmsThemes/Default/Images/InstallationSuccessful.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

Accept-Ranges: bytes

ETag: "6866ca49252bd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 2670

Cache-Control: private, max-age=1113

Expires: Mon, 12 Jan 2015 06:54:39 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

.PNG........IHDR...#...".......`.....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:F1E913D3555911E18CA7F85F751BB1C7" xmpMM:DocumentID="xmp.did:F1E913D4555911E18CA7F85F751BB1C7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F1E913D1555911E18CA7F85F751BB1C7" stRef:documentID="xmp.did:F1E913D2555911E18CA7F85F751BB1C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>~. .....IDATx..W]l.U.>........t...V~.X ...I@HA.'~.D. .J4....o.V.&...X.B.E...M$}....l...o.P..g........w.eKA.....nw.....}.9.`.n....r.|?(J..7 .;.....`.,.a.8Op....O..f..*.m..... g..(.../.f0.E.......L..........Ru.r.....J.....`2..O..*8....@.....X...@|..@..,S..K.....P=.#..n....D.P..Y.x.:T.t.......Qv.n4..P6......x$.\....a.....#0}.W...y:.*.@.q...OJ.....pdIi..#9s.a...F..a....."P....H........].H....x4...O/.<.....h:.J<b)..[....y....|f.a.....cy a..#..K2.z~I..ZS....HM...[,Wj@..0..D.4a.d.HQ..?.sp...6.....g:....2#...X.V.,.@.S.<....)....%.....p.&......M....$.b.......I.>hI.O.c.6AW'....C<1..F[..

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

Accept-Ranges: bytes

ETag: "d6cfd949252bd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 1504

Cache-Control: private, max-age=1112

Expires: Mon, 12 Jan 2015 06:54:38 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

GIF89a.........................v.....5..d..e..........................{......................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="A5EDB964567077337C8E54A0BBE35981" xmpMM:DocumentID="xmp.did:861DE9F12C2811E484A994AD54106D49" xmpMM:InstanceID="xmp.iid:861DE9F02C2811E484A994AD54106D49" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:df987947-01f7-4167-b08b-2878b7f29ca6" stRef:documentID="adobe:docid:photoshop:b746f760-73f3-1177-8ee4-c7825aacab4e"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,..........D`28Ga\.PA.......e3..L.UU:....Q..XCh.(...-.Z.....v..v._0\Q.J'.a.z.....!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G..@.d. J.C.d4.N. .J'.b.2...!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G

<<< skipped >>>

GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:08 GMT

Accept-Ranges: bytes

ETag: "38cde645252bd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 2562

Cache-Control: private, max-age=1113

Expires: Mon, 12 Jan 2015 06:54:39 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

.PNG........IHDR.......}........R....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:72B2EB26C3E111E3AEC3EB792256C508" xmpMM:DocumentID="xmp.did:72B2EB27C3E111E3AEC3EB792256C508"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72B2EB24C3E111E3AEC3EB792256C508" stRef:documentID="xmp.did:72B2EB25C3E111E3AEC3EB792256C508"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.......tIDATx....o\W...{f.........P.hb..VDQ..R!..*6f.... ..T.6..."V(...*..Xb.#!;.H...r.R.3q.nR?.^..~h&.....9..2v.f...|.;.1.(...R..~...N.{6.....[.e.'-..1(..k6[K.V.r.}.^ul...._...3[[.7..S.|p.....3g.Z./_.... Cxw?...G9...BC...R.....Lmnn^.<^o........b...Z...{.`~.....d......x...I0..L..HM....".@..4..`.... ..4..... .I07....$h;..T#...C.H4...v(.iF.v(.IG.v(.)F.....;..0..T#XM.&A...`=.. .)F.(r......<...@.....E...#Xm.... ...:..d#XO.".@......A.R.`.. ..F...%. .IF.W)..l.C#...NZ..b.B.8........./..s.............;.^..E.MY"."....?{.'Y}%....\`....jg...\y.......6a...$~.....s.f~..K/.-.....9...Fu......|.....l

<<< skipped >>>

GET /CmsThemes/Default/Images/button.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

Accept-Ranges: bytes

ETag: "6e4bd49252bd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 3937

Cache-Control: private, max-age=1112

Expires: Mon, 12 Jan 2015 06:54:38 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

.PNG........IHDR...............r.....tEXtSoftware.Adobe ImageReadyq.e<...diTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:E4C0C980D870E111A2F7CE32BC247645" xmpMM:DocumentID="xmp.did:1D12B49752CE11E4A35AAE9F3918A442" xmpMM:InstanceID="xmp.iid:1D12B49652CE11E4A35AAE9F3918A442" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4A3B36E671AF11E1BCD6B8635898C9B3" stRef:documentID="xmp.did:4A3B36E771AF11E1BCD6B8635898C9B3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>o.a*....IDATx...k.e.A......{..........P.K..........*~.i.....i...V$...E.....Z.TJ.1..:*..m......*i..jn..;3.....]k.s..L.o".}~.a.9.O.e}.._{....i..,.... ...g...._..-... ..".=....qT.{9..,../..?}...}...~..=............G...~,....xi3..e.o..@...WB...4.. u....... ?.H.."<....Ey......W......,|.?~)....f..^;..W.........w.k7.1...z..^Q\Q........l./4...`.B..-....X..Kygy.....F.......u:.n&.....G.g.&...zvo...........hz...........hz.....v.y.&...zY.-..,L.......z.7.X...{...izvo..(.WU..7.....t...._.h..f..^;...,~.....r.......TWg.......k.V.......T..=f

<<< skipped >>>

GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT

Accept-Ranges: bytes

ETag: "d6cfd949252bd01:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 1504

Cache-Control: private, max-age=18000

Expires: Mon, 12 Jan 2015 11:36:06 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

GIF89a.........................v.....5..d..e..........................{......................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="A5EDB964567077337C8E54A0BBE35981" xmpMM:DocumentID="xmp.did:861DE9F12C2811E484A994AD54106D49" xmpMM:InstanceID="xmp.iid:861DE9F02C2811E484A994AD54106D49" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:df987947-01f7-4167-b08b-2878b7f29ca6" stRef:documentID="adobe:docid:photoshop:b746f760-73f3-1177-8ee4-c7825aacab4e"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!.......,..........D`28Ga\.PA.......e3..L.UU:....Q..XCh.(...-.Z.....v..v._0\Q.J'.a.z.....!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G..@.d. J.C.d4.N. .J'.b.2...!.......,..........4.PA..]h28Ga,.eU.z.T..M,K6G

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1857275 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:15 GMT

If-None-Match: "946714a252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: application/x-javascript

Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT

ETag: "946714a252bd01:0"

Cache-Control: private, max-age=16770

Expires: Mon, 12 Jan 2015 11:15:36 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

....

GET /Js/jquery.dotdotdot.min.js?fid=985986 HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT

Accept-Ranges: bytes

ETag: "946714a252bd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=5691

Expires: Mon, 12 Jan 2015 08:10:57 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

/*. *.jQuery dotdotdot 1.6.16. *. *.Copyright (c) Fred Heusschen. *.www.frebsite.nl. *. *.Plugin website:. *.dotdotdot.frebsite.nl. *. *.Dual licensed under the MIT and GPL licenses.. *.hXXp://en.wikipedia.org/wiki/MIT_License. *.hXXp://en.wikipedia.org/wiki/GNU_General_Public_License. */.!function(t,e){function n(t,e,n){var r=t.children(),o=!1;t.empty();for(var i=0,d=r.length;d>i;i ){var l=r.eq(i);if(t.append(l),n&&t.append(n),a(t,e)){l.remove(),o=!0;break}n&&n.detach()}return o}function r(e,n,i,d,l){var s=!1,c="table, thead, tbody, tfoot, tr, col, colgroup, object, embed, param, ol, ul, dl, blockquote, select, optgroup, option, textarea, script, style",u="script, .dotdotdot-keep";return e.contents().detach().each(function(){var f=this,h=t(f);if("undefined"==typeof f||3==f.nodeType&&0==t.trim(f.data).length)return!0;if(h.is(u))e.append(h);else{if(s)return!0;e.append(h),l&&e[e.is(c)?"after":"append"](l),a(i,d)&&(s=3==f.nodeType?o(h,n,i,d,l):r(h,n,i,d,l),s||(h.detach(),s=!0)),s||l&&l.detach()}}),s}function o(e,n,r,o,d){var c=e[0];if(!c)return!1;var f=s(c),h=-1!==f.indexOf(" ")?" ":"...",p="letter"==o.wrap?"":h,g=f.split(p),v=-1,w=-1,b=0,y=g.length-1;for(o.fallbackToLetter&&0==b&&0==y&&(p="",g=f.split(p),y=g.length-1);y>=b&&(0!=b||0!=y);){var m=Math.floor((b y)/2);if(m==w)break;w=m,l(c,g.slice(0,w 1).join(p) o.ellipsis),a(r,o)?(y=w,o.fallbackToLetter&&0==b&&0==y&&(p="",g=g[0].split(p),v=-1,w=-1,b=0,y=g.length-1)):(v=w,b=w)}if(-1==v||1==g.length&&0==g[0].length){var x=e.parent();e.detach();var T=d&&d.closes

<<< skipped >>>

GET /Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 08 Jan 2015 09:27:15 GMT

If-None-Match: "946714a252bd01:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cms.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT

Accept-Ranges: bytes

ETag: "946714a252bd01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6149

Cache-Control: private, max-age=16741

Expires: Mon, 12 Jan 2015 11:15:07 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

/*. *.jQuery dotdotdot 1.6.16. *. *.Copyright (c) Fred Heusschen. *.www.frebsite.nl. *. *.Plugin website:. *.dotdotdot.frebsite.nl. *. *.Dual licensed under the MIT and GPL licenses.. *.hXXp://en.wikipedia.org/wiki/MIT_License. *.hXXp://en.wikipedia.org/wiki/GNU_General_Public_License. */.!function(t,e){function n(t,e,n){var r=t.children(),o=!1;t.empty();for(var i=0,d=r.length;d>i;i ){var l=r.eq(i);if(t.append(l),n&&t.append(n),a(t,e)){l.remove(),o=!0;break}n&&n.detach()}return o}function r(e,n,i,d,l){var s=!1,c="table, thead, tbody, tfoot, tr, col, colgroup, object, embed, param, ol, ul, dl, blockquote, select, optgroup, option, textarea, script, style",u="script, .dotdotdot-keep";return e.contents().detach().each(function(){var f=this,h=t(f);if("undefined"==typeof f||3==f.nodeType&&0==t.trim(f.data).length)return!0;if(h.is(u))e.append(h);else{if(s)return!0;e.append(h),l&&e[e.is(c)?"after":"append"](l),a(i,d)&&(s=3==f.nodeType?o(h,n,i,d,l):r(h,n,i,d,l),s||(h.detach(),s=!0)),s||l&&l.detach()}}),s}function o(e,n,r,o,d){var c=e[0];if(!c)return!1;var f=s(c),h=-1!==f.indexOf(" ")?" ":"...",p="letter"==o.wrap?"":h,g=f.split(p),v=-1,w=-1,b=0,y=g.length-1;for(o.fallbackToLetter&&0==b&&0==y&&(p="",g=f.split(p),y=g.length-1);y>=b&&(0!=b||0!=y);){var m=Math.floor((b y)/2);if(m==w)break;w=m,l(c,g.slice(0,w 1).join(p) o.ellipsis),a(r,o)?(y=w,o.fallbackToLetter&&0==b&&0==y&&(p="",g=g[0].split(p),v=-1,w=-1,b=0,y=g.length-1)):(v=w,b=w)}if(-1==v||1==g.length&&0==g[0].length){var x=e.parent();e.detach();var T=d&&d.closes

<<< skipped >>>

GET ///img/offers/r_d1/r_9c/6674bca0-3e48-4131-9b81-5071d5b2c2da.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

Accept-Ranges: bytes

ETag: "32a2672dc0afcf1:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

Content-Length: 333236

Cache-Control: private, max-age=5794

Expires: Mon, 12 Jan 2015 08:12:01 GMT

Date: Mon, 12 Jan 2015 06:35:27 GMT

Connection: keep-alive

......Exif..II*.................Ducky.......d.....*hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:45FCD83A163D11E49FE3CE421291508F" xmpMM:InstanceID="xmp.iid:45FCD839163D11E49FE3CE421291508F" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6EB8642D163911E48C11D1513B2C29EC" stRef:documentID="xmp.did:6EB8642E163911E48C11D1513B2C29EC"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...&Adobe.d............... ........I................................................................................................................................................................].................................................................................!.. 1"..02@A#3.B$.P4.`%'.67C&p.D5......................!..1A"..Q2aq.BRb#.....r3 .....$.0....C.6..@...Scs.4t%.P.D5..&`....TdEUF.7......f...u.Vp...'....................... !1".0A2.PQa..@....B#3`.q.b.4..R...r...p.C$....sSc.......................!1AQ.aq... ......0@P`p..................@y`...............6"H. .6.$.L.#d@(....lp.. ........ ....AD.....

<<< skipped >>>

GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT

If-None-Match: "b29d692dc0afcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

ETag: "b29d692dc0afcf1:0"

Cache-Control: private, max-age=5754

Expires: Mon, 12 Jan 2015 08:12:01 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT

If-None-Match: "b29d692dc0afcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

ETag: "b29d692dc0afcf1:0"

Cache-Control: private, max-age=5754

Expires: Mon, 12 Jan 2015 08:12:01 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

Accept-Ranges: bytes

ETag: "b29d692dc0afcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 39121

Cache-Control: private, max-age=5810

Expires: Mon, 12 Jan 2015 08:12:16 GMT

Date: Mon, 12 Jan 2015 06:35:26 GMT

Connection: keep-alive

.PNG........IHDR.......l......D.c....tEXtSoftware.Adobe ImageReadyq.e<...!iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpMM:InstanceID="xmp.iid:00B0F7C5163B11E48EE988E2A06842E4" xmpMM:DocumentID="xmp.did:00B0F7C6163B11E48EE988E2A06842E4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:00B0F7C3163B11E48EE988E2A06842E4" stRef:documentID="xmp.did:00B0F7C4163B11E48EE988E2A06842E4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>%gO....FIDATx..}..$...Uu.......;..wx......4...~H................8.8w.uw...............].$...zG...^.....]3.~8">.wp.....p.p.p.......tX?................Ajb.F...a...{\d|...h.E..7..3.......?.h..y...'~..........wI4...........8....d...Xh......g.....A..-..0.b...G.\........L.....es...9./...... CM.TD #........L0..c.~...<.....oZ...L.....#.....4.@1....S?....@ C..\B..6.o...aH..8..jWf..]1%..04..l..6s..*..'....l.....{F.b.0f4...#..B......Y./....f...|..K8.3.>...i..&....P...Z.'....4..?.. @...........x?.).F.q#...I..ob......x....M[......]..a.....Km.p.X....p1z...j.{..-Z8..M.o.8.1T.......R..K.7.p..l.p..p..

<<< skipped >>>

GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT

If-None-Match: "b29d692dc0afcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

ETag: "b29d692dc0afcf1:0"

Cache-Control: private, max-age=5809

Expires: Mon, 12 Jan 2015 08:12:16 GMT

Date: Mon, 12 Jan 2015 06:35:27 GMT

Connection: keep-alive

....

GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT

If-None-Match: "b29d692dc0afcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/png

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

ETag: "b29d692dc0afcf1:0"

Cache-Control: private, max-age=5770

Expires: Mon, 12 Jan 2015 08:12:16 GMT

Date: Mon, 12 Jan 2015 06:36:06 GMT

Connection: keep-alive

....

GET ///img/offers/r_d1/r_9c/6674bca0-3e48-4131-9b81-5071d5b2c2da.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT

If-None-Match: "32a2672dc0afcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

ETag: "32a2672dc0afcf1:0"

Cache-Control: private, max-age=5770

Expires: Mon, 12 Jan 2015 08:12:17 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1

Accept: */*

Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None

Accept-Language: en-us

Accept-Encoding: gzip, deflate

If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT

If-None-Match: "b29d692dc0afcf1:0"

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cmsstorage.dmccint.com

Connection: Keep-Alive

HTTP/1.1 304 Not Modified

Content-Type: image/jpeg

Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT

ETag: "32a2672dc0afcf1:0"

Cache-Control: private, max-age=5770

Expires: Mon, 12 Jan 2015 08:12:17 GMT

Date: Mon, 12 Jan 2015 06:36:07 GMT

Connection: keep-alive

....

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1060:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

@.reloc

@.reloc

RegDeleteKeyExW

RegDeleteKeyExW

Kernel32.DLL

Kernel32.DLL

PSAPI.DLL

PSAPI.DLL

%s=%s

%s=%s

GetWindowsDirectoryW

GetWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

GetAsyncKeyState

GetAsyncKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationW

SHFileOperationW

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

RegDeleteKeyW

RegDeleteKeyW

RegCloseKey

RegCloseKey

RegEnumKeyW

RegEnumKeyW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

xLm%d

xLm%d

io%x"H

io%x"H

zcÁ

zcÁ

.?AVfsURL@@

.?AVfsURL@@

.?AVfsInternetURLFile@@

.?AVfsInternetURLFile@@

.?AVfsInternetURLFileDownloader@@

.?AVfsInternetURLFileDownloader@@

.?AVfsHttpFile@@

.?AVfsHttpFile@@

.?AVfsFtpConnection@@

.?AVfsFtpConnection@@

.?AVfsFtpFile@@

.?AVfsFtpFile@@

.?AVfsHttpConnection@@

.?AVfsHttpConnection@@

6'6,60646]6

6'6,60646]6

2(2F2i2

2(2F2i2

Thawte Certification1

Thawte Certification1

hXXp://ocsp.thawte.com0

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXps://VVV.verisign.com/cps0

hXXps://VVV.verisign.com/cps0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q

hXXp://ocsp.verisign.com0;

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

hXXps://VVV.verisign.com/cps0*

hXXps://VVV.verisign.com/rpa0

hXXps://VVV.verisign.com/rpa0

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

hXXp://ocsp.verisign.com0

Nullsoft Install System v2.46.5-Unicode

Nullsoft Install System v2.46.5-Unicode

logging set to %d

logging set to %d

settings logging to %d

settings logging to %d

created uninstaller: %d, "%s"

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: success ("%s")

Exec: command="%s"

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack

Exch: stack

RMDir: "%s"

RMDir: "%s"

MessageBox: %d,"%s"

MessageBox: %d,"%s"

Delete: "%s"

Delete: "%s"

File: wrote %d to "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename failed: %s

Rename on reboot: %s

Rename on reboot: %s

Rename: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

SetFileAttributes: "%s":X

Sleep(%d)

Sleep(%d)

detailprint: %s

detailprint: %s

Call: %d

Call: %d

Aborting: "%s"

Aborting: "%s"

Jump: %d

Jump: %d

verifying installer: %d%%

verifying installer: %d%%

unpacking data: %d%%

unpacking data: %d%%

... %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

~nsu.tmp

install.log

install.log

%u.%u%s%s

%u.%u%s%s

Skipping section: "%s"

Skipping section: "%s"

Section: "%s"

Section: "%s"

New install of "%s" to "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

*?|/":

*?|/":

invalid registry key

invalid registry key

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

x%c

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

%s: failed opening file "%s"

LOCALS~1\Temp\nsoB4.tmp\webapphost.dll

LOCALS~1\Temp\nsoB4.tmp\webapphost.dll

n Data\Google\Chrome\User Data\Default

n Data\Google\Chrome\User Data\Default

4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png

4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp

n\App Paths\IEXPLORE.EXE

n\App Paths\IEXPLORE.EXE

1.0.0.1

1.0.0.1

Download.dll

Download.dll

nsoB4.tmp

nsoB4.tmp

File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll" (overwriteflag=1)

File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll" (overwriteflag=1)

\webapphost.dll"

\webapphost.dll"

PLORE.EXE

PLORE.EXE

gle\Chrome\User Data\Default

gle\Chrome\User Data\Default

4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico

4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico

E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp

E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp

webapp\

webapp\

2ECB2-F957-4D87-9D5D-2305651F3CB8

2ECB2-F957-4D87-9D5D-2305651F3CB8

c:\%original file name%.exe

c:\%original file name%.exe

%original file name%.exe

%original file name%.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB2.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB2.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

LORE.EXE

LORE.EXE

IEXPLORE.EXE

IEXPLORE.EXE

8072ECB2-F957-4D87-9D5D-2305651F3CB8

8072ECB2-F957-4D87-9D5D-2305651F3CB8

hXXp://data.dmccint.com/api/usages/

hXXp://data.dmccint.com/api/usages/

hXXp://engine.drive-c-files.com//DecisionEngine.ashx

hXXp://engine.drive-c-files.com//DecisionEngine.ashx

\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico

\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico

\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png

\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png

0b9743f2-3fb2-43e6-b2aa-715431425a3e

0b9743f2-3fb2-43e6-b2aa-715431425a3e

00000000

00000000

1857275

1857275

hXXp://cms.dmccint.com/MainOffer/3724833/

hXXp://cms.dmccint.com/MainOffer/3724833/

Setup.exe

Setup.exe

hXXp://cms.dmccint.com/Global/GlobalPage/3724833/

hXXp://cms.dmccint.com/Global/GlobalPage/3724833/

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapp\

1731578

1731578

1731593

1731593

Naive_recommender_Bayesian_adjust_2015-01-12.csv

Naive_recommender_Bayesian_adjust_2015-01-12.csv

Microsoft Windows XP

Microsoft Windows XP

6.0.2900.5512

6.0.2900.5512

%Documents and Settings%\%current user%\Local Settings\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\client_xml.xml

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\client_xml.xml

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\offer.xml

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\offer.xml

no_dynamic_main_offer_url_supported_in_this_version

no_dynamic_main_offer_url_supported_in_this_version

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe

Minecraft.exe

Minecraft.exe

1.4.0.4.141207.02

1.4.0.4.141207.02

svchost.exe_600:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512