Backdoor.Win32.Farfli.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: be28dff543300248ba2fc4b014fa156f
SHA1: 32ab877549b303cfea394a7d7a92eaa0e1494c4a
SHA256: 74a277bb8bb2b4ce0b943a398ec2dd358805b26b97a94ce8dca63a236ecc8185
SSDeep: 12288:QEbPLKsk W2HRSnxcCAJa90agBcrjj WB2k1//DZphYieONqeLIrbGRu6oK1hNWH:QEPbkIxoiCpnv/np ieQIrpHms
Size: 735680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: © 2014 ClientConnect Ltd.
Created at: 2012-02-24 21:19:59
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
No processes have been created.
The Backdoor injects its code into the following process(es):
%original file name%.exe:1060
Mutexes
The following mutexes were created/opened:
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
ShimCacheMutex
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
oleacc-msaa-loaded
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
c:!documents and settings!adm!local settings!history!history.ie5!mshist012015011220150113!
_!SHMSFTHISTORY!_
File activity
The process %original file name%.exe:1060 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\icon.png (622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.dotdotdot.min[1].js (3016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[2].htm (25423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (1255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3724833[1].htm (29613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[2].htm (26894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (2 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (1889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\780547[1].htm (23622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].htm (2159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\985986[1].htm (31258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[1].htm (28444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\985986[1].htm (30015 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6674bca0-3e48-4131-9b81-5071d5b2c2da[1].jpg (32468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[3].htm (27743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB3.tmp (41812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\64bfde2c-3be5-4981-ab13-3339cc75dd5f[1].png (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\985986[1].htm (25601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery.dotdotdot.min[1].js (3016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[1].htm (31009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\System.dll (784 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\NextButton_Sprite-wide-grey[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\X[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SmallLoader[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1060 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"WebBrowser_embedded.exe" = "6000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015011220150113\"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"%original file name%.exe" = "6000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CachePrefix" = ":2015011220150113:"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CacheLimit" = "8192"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011220150113]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1330111199"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 26 36 AE C0 71 CB BC 82 B2 AF F3 C3 1B 2D 1D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
b87a1c92512f3320e907c1534071f4b9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\FDMClient.dll |
62008374a494afeea2ee2ae9eee4c8c0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\System.dll |
07f09c1bf361f757675b77320a08506c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\manager\scripts\WebBrowser_embedded.exe |
fb2d0b843bf1f8d7150ec2294c983d7d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoB4.tmp\webapphost.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\icon.png (622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.dotdotdot.min[1].js (3016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[2].htm (25423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (1255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3724833[1].htm (29613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[2].htm (26894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (2 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBGGoogleDialog[1].png (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\780547[1].htm (23622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[2].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].htm (2159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\985986[1].htm (31258 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3724833[1].htm (28444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\985986[1].htm (30015 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6674bca0-3e48-4131-9b81-5071d5b2c2da[1].jpg (32468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[3].htm (27743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB3.tmp (41812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\64bfde2c-3be5-4981-ab13-3339cc75dd5f[1].png (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\985986[1].htm (25601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery.dotdotdot.min[1].js (3016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\adwords_express[1].html (6038 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3724833[1].htm (31009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB4.tmp\System.dll (784 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: © 2014 ClientConnect Ltd.
Product Name: Setup.exe
Product Version: 1.4.0.4.141207.02
Legal Copyright: © 2014 ClientConnect Ltd.
Legal Trademarks:
Original Filename: Minecraft.exe
Internal Name:
File Version:
File Description: Setup.exe
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 28432 | 28672 | 4.50399 | f569e353af0ed51bf4c216faa9bed4e7 |
.rdata | 32768 | 10898 | 11264 | 3.04561 | 91eee43954e068e650f7b73a8b0e6915 |
.data | 45056 | 425660 | 512 | 1.02085 | db9f7acbf1c3ddfe255077b699955dfa |
.ndata | 471040 | 8130560 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 8601600 | 7360 | 7680 | 3.01562 | cbd1c2f25618ac4763be1d130ad20d87 |
.reloc | 8609792 | 3978 | 4096 | 3.67211 | 0b317a7fb6b762a1feac024cc6713ac7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
Network Activity
URLs
URL | IP |
---|---|
hxxp://199.101.115.225/api/usages/ | |
hxxp://23.9.107.19/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None | |
hxxp://23.9.107.19/Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage | |
hxxp://23.9.107.19/Js/jquery.dotdotdot.min.js?fid=1857275 | |
hxxp://e8210.g.akamaiedge.net///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png | |
hxxp://e8210.g.akamaiedge.net/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /customoffers/customframeapi.js HTTP/1.1
Accept: */*
Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/adwords_express.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dehosting.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Encoding: gzip
Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT
Accept-Ranges: bytes
ETag: "46a2919a7ac7cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 798
Cache-Control: private, max-age=31536000
Expires: Tue, 12 Jan 2016 06:36:07 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
Vary: Accept-Encoding
<<< skipped >>>
GET /ps/SearchProtector/SP_UI_AD/prod/adwords_express.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: storage.stgbssint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 36273
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 21 Aug 2014 07:42:36 GMT
Accept-Ranges: bytes
ETag: "03ea67913bdcf1:528"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: private, max-age=86400
Expires: Tue, 13 Jan 2015 06:36:07 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
<<< skipped >>>
GET /CmsThemes/Default/Images/-.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "ecdb349252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "ecdb349252bd01:0"
Cache-Control: private, max-age=16729
Expires: Mon, 12 Jan 2015 11:14:55 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/button.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "6e4bd49252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "6e4bd49252bd01:0"
Cache-Control: private, max-age=18000
Expires: Mon, 12 Jan 2015 11:36:06 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
Accept-Ranges: bytes
ETag: "402ad449252bd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 2779
Cache-Control: private, max-age=1110
Expires: Mon, 12 Jan 2015 06:54:37 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "d6cfd949252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/gif
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "d6cfd949252bd01:0"
Cache-Control: private, max-age=17999
Expires: Mon, 12 Jan 2015 11:36:06 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/X.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "7aa0dd49252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "7aa0dd49252bd01:0"
Cache-Control: private, max-age=17307
Expires: Mon, 12 Jan 2015 11:24:34 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "e0d5ba49252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "e0d5ba49252bd01:0"
Cache-Control: private, max-age=1281
Expires: Mon, 12 Jan 2015 06:57:28 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/button.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "6e4bd49252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "6e4bd49252bd01:0"
Cache-Control: private, max-age=17999
Expires: Mon, 12 Jan 2015 11:36:06 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/X.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "7aa0dd49252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "7aa0dd49252bd01:0"
Cache-Control: private, max-age=17307
Expires: Mon, 12 Jan 2015 11:24:34 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "28ffd549252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "28ffd549252bd01:0"
Cache-Control: private, max-age=17999
Expires: Mon, 12 Jan 2015 11:36:06 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "62dc049252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "62dc049252bd01:0"
Cache-Control: private, max-age=1111
Expires: Mon, 12 Jan 2015 06:54:38 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/X.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "7aa0dd49252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "7aa0dd49252bd01:0"
Cache-Control: private, max-age=17307
Expires: Mon, 12 Jan 2015 11:24:34 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:14 GMT
If-None-Match: "28ffd549252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
ETag: "7aa0dd49252bd01:0"
Cache-Control: private, max-age=17307
Expires: Mon, 12 Jan 2015 11:24:34 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 2301
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "32089" , "json_send_time" : "2015-1-12.3:24:11:655" , "phase" : "StartingLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "2422" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "61e2d6c4-20da-48df-ace5-9e0978d3a621" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_screen" : "0", "publisher_account_id" : "A-480753" , "channel_id" : "" , "machine_user_id" : "SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG" , "bundle_id" : "0b9743f2-3fb2-43e6-b2aa-715431425a3e" , "general_id" : "unknown" , "dm_version" : "1.4.0.4.141207.02" , "build_id" : "00000000" , "mrs_id" : "17" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2015-01-12.csv" , "user_operating_sys
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Mon, 12 Jan 2015 06:35:19 GMT
Content-Length: 0
....
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 2253
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "32089" , "json_send_time" : "2015-1-12.3:24:12:249" , "phase" : "ChromeError" , "phase_type" : "regular" , "order" : "" , "result" : "Error" , "error_details" : "error: did not found chrome full path" , "phase_duration" : "0" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "61e2d6c4-20da-48df-ace5-9e0978d3a621" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_screen" : "0", "publisher_account_id" : "A-480753" , "channel_id" : "" , "machine_user_id" : "SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG" , "bundle_id" : "0b9743f2-3fb2-43e6-b2aa-715431425a3e" , "general_id" : "unknown" , "dm_version" : "1.4.0.4.141207.02" , "build_id" : "00000000" , "mrs_id" : "17" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2015-01-12.csv" , "user_operating_system" : "Microsoft Windows XP" , "user_service_pa
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Mon, 12 Jan 2015 06:35:19 GMT
Content-Length: 0
GET /Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT
Accept-Ranges: bytes
ETag: "946714a252bd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6149
Cache-Control: private, max-age=16789
Expires: Mon, 12 Jan 2015 11:15:09 GMT
Date: Mon, 12 Jan 2015 06:35:20 GMT
Connection: keep-alive
<<< skipped >>>
GET /Js/jquery.dotdotdot.min.js?fid=1857275 HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
GET /DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 176083
Cache-Control: private, max-age=18000
Expires: Mon, 12 Jan 2015 11:35:20 GMT
Date: Mon, 12 Jan 2015 06:35:20 GMT
Connection: keep-alive
<<< skipped >>>
GET /Global/GlobalPage/3724833/?Language=None&Welcome=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 188190
Cache-Control: private, max-age=17917
Expires: Mon, 12 Jan 2015 11:34:25 GMT
Date: Mon, 12 Jan 2015 06:35:48 GMT
Connection: keep-alive
<<< skipped >>>
GET /MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 168287
Cache-Control: private, max-age=17945
Expires: Mon, 12 Jan 2015 11:35:10 GMT
Date: Mon, 12 Jan 2015 06:36:05 GMT
Connection: keep-alive
<<< skipped >>>
GET /DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 176083
Cache-Control: private, max-age=17954
Expires: Mon, 12 Jan 2015 11:35:20 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/InstallationSuccessful.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
Accept-Ranges: bytes
ETag: "6866ca49252bd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2670
Cache-Control: private, max-age=1113
Expires: Mon, 12 Jan 2015 06:54:39 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
Accept-Ranges: bytes
ETag: "d6cfd949252bd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1504
Cache-Control: private, max-age=1112
Expires: Mon, 12 Jan 2015 06:54:38 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:08 GMT
Accept-Ranges: bytes
ETag: "38cde645252bd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 2562
Cache-Control: private, max-age=1113
Expires: Mon, 12 Jan 2015 06:54:39 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/button.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
Accept-Ranges: bytes
ETag: "6e4bd49252bd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 3937
Cache-Control: private, max-age=1112
Expires: Mon, 12 Jan 2015 06:54:38 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Thu, 08 Jan 2015 09:27:14 GMT
Accept-Ranges: bytes
ETag: "d6cfd949252bd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1504
Cache-Control: private, max-age=18000
Expires: Mon, 12 Jan 2015 11:36:06 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET /Js/jquery.dotdotdot.min.js?fid=1857275 HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:15 GMT
If-None-Match: "946714a252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: application/x-javascript
Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT
ETag: "946714a252bd01:0"
Cache-Control: private, max-age=16770
Expires: Mon, 12 Jan 2015 11:15:36 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
....
GET /Js/jquery.dotdotdot.min.js?fid=985986 HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT
Accept-Ranges: bytes
ETag: "946714a252bd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6149
Cache-Control: private, max-age=5691
Expires: Mon, 12 Jan 2015 08:10:57 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET /Js/jquery.dotdotdot.min.js?fid=1857275GlobalPage HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 08 Jan 2015 09:27:15 GMT
If-None-Match: "946714a252bd01:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Thu, 08 Jan 2015 09:27:15 GMT
Accept-Ranges: bytes
ETag: "946714a252bd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6149
Cache-Control: private, max-age=16741
Expires: Mon, 12 Jan 2015 11:15:07 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
<<< skipped >>>
GET ///img/offers/r_d1/r_9c/6674bca0-3e48-4131-9b81-5071d5b2c2da.jpg HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
Accept-Ranges: bytes
ETag: "32a2672dc0afcf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 333236
Cache-Control: private, max-age=5794
Expires: Mon, 12 Jan 2015 08:12:01 GMT
Date: Mon, 12 Jan 2015 06:35:27 GMT
Connection: keep-alive
<<< skipped >>>
GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT
If-None-Match: "b29d692dc0afcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
ETag: "b29d692dc0afcf1:0"
Cache-Control: private, max-age=5754
Expires: Mon, 12 Jan 2015 08:12:01 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT
If-None-Match: "b29d692dc0afcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
ETag: "b29d692dc0afcf1:0"
Cache-Control: private, max-age=5754
Expires: Mon, 12 Jan 2015 08:12:01 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3724833/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
Accept-Ranges: bytes
ETag: "b29d692dc0afcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 39121
Cache-Control: private, max-age=5810
Expires: Mon, 12 Jan 2015 08:12:16 GMT
Date: Mon, 12 Jan 2015 06:35:26 GMT
Connection: keep-alive
<<< skipped >>>
GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT
If-None-Match: "b29d692dc0afcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
ETag: "b29d692dc0afcf1:0"
Cache-Control: private, max-age=5809
Expires: Mon, 12 Jan 2015 08:12:16 GMT
Date: Mon, 12 Jan 2015 06:35:27 GMT
Connection: keep-alive
....
GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT
If-None-Match: "b29d692dc0afcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/png
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
ETag: "b29d692dc0afcf1:0"
Cache-Control: private, max-age=5770
Expires: Mon, 12 Jan 2015 08:12:16 GMT
Date: Mon, 12 Jan 2015 06:36:06 GMT
Connection: keep-alive
....
GET ///img/offers/r_d1/r_9c/6674bca0-3e48-4131-9b81-5071d5b2c2da.jpg HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3724833/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT
If-None-Match: "32a2672dc0afcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/jpeg
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
ETag: "32a2672dc0afcf1:0"
Cache-Control: private, max-age=5770
Expires: Mon, 12 Jan 2015 08:12:17 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
GET ///img/offers/r_ac/r_37/64bfde2c-3be5-4981-ab13-3339cc75dd5f.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3724833/985986/?mainofferId=1857275&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 04 Aug 2014 08:43:34 GMT
If-None-Match: "b29d692dc0afcf1:0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Content-Type: image/jpeg
Last-Modified: Mon, 04 Aug 2014 08:43:34 GMT
ETag: "32a2672dc0afcf1:0"
Cache-Control: private, max-age=5770
Expires: Mon, 12 Jan 2015 08:12:17 GMT
Date: Mon, 12 Jan 2015 06:36:07 GMT
Connection: keep-alive
....
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1060:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
xLm%d
io%x"H
zcÃ
.?AVfsURL@@
.?AVfsInternetURLFile@@
.?AVfsInternetURLFileDownloader@@
.?AVfsHttpFile@@
.?AVfsFtpConnection@@
.?AVfsFtpFile@@
.?AVfsHttpConnection@@
6'6,60646]6
2(2F2i2
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXps://VVV.verisign.com/cps0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
Nullsoft Install System v2.46.5-Unicode
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
Jump: %d
verifying installer: %d%%
verifying installer: %d%%
unpacking data: %d%%
unpacking data: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
install.log
install.log
%u.%u%s%s
%u.%u%s%s
Skipping section: "%s"
Skipping section: "%s"
Section: "%s"
Section: "%s"
New install of "%s" to "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
*?|/":
*?|/":
invalid registry key
invalid registry key
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
x%c
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
%s: failed opening file "%s"
LOCALS~1\Temp\nsoB4.tmp\webapphost.dll
LOCALS~1\Temp\nsoB4.tmp\webapphost.dll
n Data\Google\Chrome\User Data\Default
n Data\Google\Chrome\User Data\Default
4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png
4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp
n\App Paths\IEXPLORE.EXE
n\App Paths\IEXPLORE.EXE
1.0.0.1
1.0.0.1
Download.dll
Download.dll
nsoB4.tmp
nsoB4.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll" (overwriteflag=1)
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapphost.dll" (overwriteflag=1)
\webapphost.dll"
\webapphost.dll"
PLORE.EXE
PLORE.EXE
gle\Chrome\User Data\Default
gle\Chrome\User Data\Default
4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico
4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp
webapp\
webapp\
2ECB2-F957-4D87-9D5D-2305651F3CB8
2ECB2-F957-4D87-9D5D-2305651F3CB8
c:\%original file name%.exe
c:\%original file name%.exe
%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB2.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
LORE.EXE
LORE.EXE
IEXPLORE.EXE
IEXPLORE.EXE
8072ECB2-F957-4D87-9D5D-2305651F3CB8
8072ECB2-F957-4D87-9D5D-2305651F3CB8
hXXp://data.dmccint.com/api/usages/
hXXp://data.dmccint.com/api/usages/
hXXp://engine.drive-c-files.com//DecisionEngine.ashx
hXXp://engine.drive-c-files.com//DecisionEngine.ashx
\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico
\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.ico
\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png
\\192.168.17.111\Bundles\1\413\ct4137501\0b9743f23fb243e6b2aa715431425a3e\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-15-02.15.07.589\caf073b9-38e1-4752-8520-49a48fa441df.png
0b9743f2-3fb2-43e6-b2aa-715431425a3e
0b9743f2-3fb2-43e6-b2aa-715431425a3e
00000000
00000000
1857275
1857275
hXXp://cms.dmccint.com/MainOffer/3724833/
hXXp://cms.dmccint.com/MainOffer/3724833/
Setup.exe
Setup.exe
hXXp://cms.dmccint.com/Global/GlobalPage/3724833/
hXXp://cms.dmccint.com/Global/GlobalPage/3724833/
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\webapp\
1731578
1731578
1731593
1731593
Naive_recommender_Bayesian_adjust_2015-01-12.csv
Naive_recommender_Bayesian_adjust_2015-01-12.csv
Microsoft Windows XP
Microsoft Windows XP
6.0.2900.5512
6.0.2900.5512
%Documents and Settings%\%current user%\Local Settings\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\client_xml.xml
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\client_xml.xml
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\offer.xml
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoB4.tmp\offer.xml
no_dynamic_main_offer_url_supported_in_this_version
no_dynamic_main_offer_url_supported_in_this_version
%Program Files%\Internet Explorer\iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
Minecraft.exe
Minecraft.exe
1.4.0.4.141207.02
1.4.0.4.141207.02
svchost.exe_600: