SearchProtectToolbar_pcap_e4a140f0db
SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e4a140f0dba552c6764aaa413a118f48
SHA1: ad345f2cbbe0a71c5b5797030e4a9934b31b21cc
SHA256: 6a2afe8658ed43342c19ab9f5fc8ed6ecd32d18bb823dc104cb9d17e870c6138
SSDeep: 12288:xEGLLmWAq2IL94rprrvP0dp4Ap5JDuAHGPfmbdy4ZIDpBl4:x1nFAq2IA30diWLKlfCpGDl4
Size: 731488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: © 2014 ClientConnect Ltd.
Created at: 2012-02-24 21:19:59
Analyzed on: WindowsXP SP3 32-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
No processes have been created.
The Malware injects its code into the following process(es):
%original file name%.exe:840
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
ShimCacheMutex
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
oleacc-msaa-loaded
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
DDrawDriverObjectListMutex
DDrawWindowListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
_!SHMSFTHISTORY!_
c:!documents and settings!adm!local settings!history!history.ie5!mshist012015031320150314!
File activity
The process %original file name%.exe:840 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3729900[1].htm (27132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[3].js (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3706054[2].htm (23048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nonadwords_trip[1].htm (4685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (41445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3706054[1].htm (24656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\boxshot[1].jpg (1564 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\752fefa4-2091-409c-b42c-abdd63222afb[2].jpg (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nonadwords_trip[1].html (6898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\752fefa4-2091-409c-b42c-abdd63222afb[1].jpg (477 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\icon.png (550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[2].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PS_SearchProtectCH[1].json (22880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3707848[1].htm (25222 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite-wide-grey[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nonadwords_trip[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\752fefa4-2091-409c-b42c-abdd63222afb[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (0 bytes)
Registry activity
The process %original file name%.exe:840 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031320150314]
"CachePrefix" = ":2015031320150314:"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015031320150314\"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"WebBrowser_embedded.exe" = "6000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"%original file name%.exe" = "6000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031320150314]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031320150314]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1330111199"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 26 50 76 E3 64 ED 62 D3 A7 72 70 25 34 D5 CF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031320150314]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| b87a1c92512f3320e907c1534071f4b9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx3.tmp\FDMClient.dll |
| 62008374a494afeea2ee2ae9eee4c8c0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx3.tmp\System.dll |
| 07f09c1bf361f757675b77320a08506c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx3.tmp\manager\scripts\WebBrowser_embedded.exe |
| fb2d0b843bf1f8d7150ec2294c983d7d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx3.tmp\webapphost.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: © 2014 ClientConnect Ltd.
Product Name: Setup.exe
Product Version: 1.4.0.4.141207.02
Legal Copyright: © 2014 ClientConnect Ltd.
Legal Trademarks:
Original Filename: BLACKJACK_ARENA.exe
Internal Name:
File Version:
File Description: Setup.exe
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 28432 | 28672 | 4.50399 | f569e353af0ed51bf4c216faa9bed4e7 |
| .rdata | 32768 | 10898 | 11264 | 3.04561 | 91eee43954e068e650f7b73a8b0e6915 |
| .data | 45056 | 425660 | 512 | 1.02085 | db9f7acbf1c3ddfe255077b699955dfa |
| .ndata | 471040 | 8130560 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 8601600 | 3288 | 3584 | 2.85443 | 4a45493a823b246abd36b043e8b496d1 |
| .reloc | 8605696 | 3978 | 4096 | 3.74736 | 4a4ad12c3d51c29781da455d71dc567e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://pixel.va.dmccint.com/api/usages/ | |
| hxxp://e8210.g.akamaiedge.net/Global/GlobalPage/3706054/?Language=None&Welcome=true | |
| hxxp://e8210.g.akamaiedge.net/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None | |
| hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=3712096 | |
| hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=3712096GlobalPage | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/X.png | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/-.png | |
| hxxp://e8210.g.akamaiedge.net///img/Offers/r_39/r_8f/14-11-16-16.09.56.301/boxshot.jpg | |
| hxxp://e8210.g.akamaiedge.net///img/Logos/r_ec/r_b1/752fefa4-2091-409c-b42c-abdd63222afb.jpg | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/BoxBgNew.png | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/CancelBG.png | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/button.png | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/InstallationSuccessful.png | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/images/SmallLoader.gif | |
| hxxp://engine.ams.drive-c-files.com/DecisionEngine.ashx | |
| hxxp://e8210.g.akamaiedge.net/DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None | |
| hxxp://e8210.g.akamaiedge.net/DynamicOffer/3706054/3729900/?mainofferId=3712096&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None&HideOnCancel=true | |
| hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=3729900 | |
| hxxp://e8210.g.akamaiedge.net/Js/jquery.dotdotdot.min.js?fid=3707848 | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/CancelBGGoogleDialog.png | |
| hxxp://e8210.g.akamaiedge.net/CmsThemes/Default/Images/NextButton_Sprite wide.png | |
| hxxp://e6652.g.akamaiedge.net/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie | |
| hxxp://a1128.g1.akamai.net/customoffers/customframeapi.js | |
| hxxp://e6652.g.akamaiedge.net/LMS/PS_searchprotectCH/PS_SearchProtectCH.json | |
| hxxp://engine.drive-c-files.com/DecisionEngine.ashx | |
| hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=3707848 | |
| hxxp://cms.dmccint.com/DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None | |
| hxxp://data.dmccint.com/api/usages/ | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/button.png | |
| hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=3729900 | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBGGoogleDialog.png | |
| hxxp://cmsstorage.dmccint.com///img/Logos/r_ec/r_b1/752fefa4-2091-409c-b42c-abdd63222afb.jpg | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/BoxBgNew.png | |
| hxxp://dehosting.dmccint.com/customoffers/customframeapi.js | |
| hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=3712096 | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/X.png | |
| hxxp://cmsstorage.dmccint.com///img/Offers/r_39/r_8f/14-11-16-16.09.56.301/boxshot.jpg | |
| hxxp://cms.dmccint.com/Js/jquery.dotdotdot.min.js?fid=3712096GlobalPage | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/NextButton_Sprite wide.png | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/CancelBG.png | |
| hxxp://storage.stgbssint.com/LMS/PS_searchprotectCH/PS_SearchProtectCH.json | |
| hxxp://cms.dmccint.com/DynamicOffer/3706054/3729900/?mainofferId=3712096&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None&HideOnCancel=true | |
| hxxp://cms.dmccint.com/CmsThemes/Default/images/SmallLoader.gif | |
| hxxp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true | |
| hxxp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/InstallationSuccessful.png | |
| hxxp://cms.dmccint.com/CmsThemes/Default/Images/-.png | |
| hxxp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /customoffers/customframeapi.js HTTP/1.1
Accept: */*
Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dehosting.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Encoding: gzip
Last-Modified: Wed, 03 Sep 2014 13:26:01 GMT
Accept-Ranges: bytes
ETag: "46a2919a7ac7cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 798
Cache-Control: private, max-age=31536000
Expires: Sat, 12 Mar 2016 00:07:35 GMT
Date: Fri, 13 Mar 2015 00:07:35 GMT
Connection: keep-alive
Vary: Accept-Encoding
<<< skipped >>>
GET /MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 168141
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:30 GMT
Date: Fri, 13 Mar 2015 00:07:30 GMT
Connection: keep-alive
<<< skipped >>>
GET /Js/jquery.dotdotdot.min.js?fid=3712096GlobalPage HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 02 Mar 2015 09:41:45 GMT
Accept-Ranges: bytes
ETag: "b27d518cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 6149
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:31 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/X.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "9ca65118cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1076
Cache-Control: private, max-age=317
Expires: Fri, 13 Mar 2015 00:12:48 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "d6223c18cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2726
Cache-Control: private, max-age=3690
Expires: Fri, 13 Mar 2015 01:09:01 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "2d64d18cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2562
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:31 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/-.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "2e263118cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 933
Cache-Control: private, max-age=3632
Expires: Fri, 13 Mar 2015 01:08:03 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
GET /CmsThemes/Default/Images/CancelBG.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "d6223c18cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2726
Cache-Control: private, max-age=3690
Expires: Fri, 13 Mar 2015 01:09:01 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/InstallationSuccessful.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "cce64518cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2670
Cache-Control: private, max-age=7857
Expires: Fri, 13 Mar 2015 02:18:28 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "6205018cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1504
Cache-Control: private, max-age=15840
Expires: Fri, 13 Mar 2015 04:31:31 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /DynamicOffer/3706054/3729900/?mainofferId=3712096&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None&HideOnCancel=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 168717
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:34 GMT
Date: Fri, 13 Mar 2015 00:07:34 GMT
Connection: keep-alive
<<< skipped >>>
GET /Js/jquery.dotdotdot.min.js?fid=3729900 HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3706054/3729900/?mainofferId=3712096&ShowSkipAll=0&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None&HideOnCancel=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 02 Mar 2015 09:41:45 GMT
Accept-Ranges: bytes
ETag: "b27d518cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 6149
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:35 GMT
Date: Fri, 13 Mar 2015 00:07:35 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/CancelBGGoogleDialog.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "8cf73d18cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 6035
Cache-Control: private, max-age=3696
Expires: Fri, 13 Mar 2015 01:09:11 GMT
Date: Fri, 13 Mar 2015 00:07:35 GMT
Connection: keep-alive
<<< skipped >>>
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 550
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "dm_version" : "1.4.0.4.141207.02" , "tracking_id" : "" , "json_send_time" : "2015-3-13.2:7:41:458" , "phase" : "Init" , "phase_type" : "regular" , "attempt_number" : "1" , "bundle_id" : "6e4e2937-a2d8-424c-b0de-1517125686e7" , "Is_Test" : "0" , "installation_session_id" : "ae4011e0-7483-4a25-970f-3814d45fc4ca" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "publisher_account_id" : "A-480753" , "activated_by_stub" : "0" , "sln" : "14866" , "welcome_screen" : "0" }
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:29 GMT
Content-Length: 0
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 585
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "14866" , "json_send_time" : "2015-3-13.2:7:42:130" , "phase" : "AfterNavM" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" }
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:29 GMT
Content-Length: 0
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:29 GMT
Content-Length: 0
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 2239
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "14866" , "json_send_time" : "2015-3-13.2:7:46:458" , "phase" : "InStartLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "5000" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "ae4011e0-7483-4a25-970f-3814d45fc4ca" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_screen" : "0", "publisher_account_id" : "A-480753" , "channel_id" : "" , "machine_user_id" : "9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG" , "bundle_id" : "6e4e2937-a2d8-424c-b0de-1517125686e7" , "general_id" : "unknown" , "dm_version" : "1.4.0.4.141207.02" , "build_id" : "00000000" , "mrs_id" : "17" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2015-03-12.csv" , "user_operating_syste
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:34 GMT
Content-Length: 0
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 2239
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "14866" , "json_send_time" : "2015-3-13.2:7:46:724" , "phase" : "StartingLoop" , "phase_type" : "technical" , "order" : "" , "result" : "Success" , "error_details" : "" , "phase_duration" : "203" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "extra_details" : "" , "attempt_number" : "1" , "offer_id" : "" , "offer_suggestion_number" : "" , "installation_session_id" : "ae4011e0-7483-4a25-970f-3814d45fc4ca" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_screen" : "0", "publisher_account_id" : "A-480753" , "channel_id" : "" , "machine_user_id" : "9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG" , "bundle_id" : "6e4e2937-a2d8-424c-b0de-1517125686e7" , "general_id" : "unknown" , "dm_version" : "1.4.0.4.141207.02" , "build_id" : "00000000" , "mrs_id" : "17" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2015-03-12.csv" , "user_operating_syste
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:34 GMT
Content-Length: 0
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 2681
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "14866" , "json_send_time" : "2015-3-13.2:7:46:974" , "phase" : "InitComplete" , "phase_type" : "regular" , "order" : "2.0" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "EngineMgrCreated:672,BuildUserProfile:3766,retrieveCid:0,sendXML:0,xmlSent:0,startParse:766,endParse:0,StartOffersLoop:218,ValidateMO:0,NavigateFirstSlot:0,ReportInitComplete:0," , "general_status_code" : "1" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_id" : "3712096" , "product_id" : "0" , "product_type" : "Publisher's Offer" , "product_id_version" : "" , "rule_id" : "560021" , "vector_id" : "560614" , "is_parallel" : "0" , "call_service_duration" : "766" , "navigate_mo_duration" : "MONavigationCompleted:2297," , "navigate_global_duration" : "GlobalNavigationCompleted:2282," , "attempt_number" : "1" , "installation_session_id" : "ae4011e0-7483-4a25-970f-3814d45fc4ca" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:34 GMT
Content-Length: 0
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 2702
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "14866" , "json_send_time" : "2015-3-13.2:7:47:239" , "phase" : "OfferPresented" , "phase_type" : "regular" , "order" : "3.1" , "result" : "Success" , "error_details" : "" , "phase_duration" : "0" , "duration_details" : "" , "general_status_code" : "2" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "offer_suggestion_number" : "1" , "offer_presented_number" : "1" , "slot_number" : "1" , "position_in_slot" : "1" , "server_settings" : {"DownloadBrowser":"IE","CType":"-1","SearchProvider":"Bing","UserMode":"-1"} , "user_selection_settings" : "" , "condition_type" : "None" , "offer_type" : "Main" , "offer_id" : "3712096" , "root_offer_id" : "3712096" , "rule_id" : "560021" , "vector_id" : "560614" , "product_id" : "0" , "product_id_version" : "" , "product_type" : "Publisher's Offer" , "state" : "" , "installation_type" : "0" , "attempt_number" : "1" , "installation_session_id" : "ae4011e0-7483-4a25-970f-3814d45fc4ca" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" :
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:34 GMT
Content-Length: 0
POST /api/usages/ HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: data.dmccint.com
Content-Length: 2193
Connection: Keep-Alive
Cache-Control: no-cache
{ "send_attempt" : "1" , "platform" : "Windows" , "slot_max_size" : "1" , "ioa" : "0" , "sln" : "14866" , "json_send_time" : "2015-3-13.2:7:47:489" , "phase" : "ChromeError" , "phase_type" : "regular" , "order" : "" , "result" : "Error" , "error_details" : "error: did not found chrome full path" , "phase_duration" : "16" , "duration_details" : "" , "general_status_code" : "" , "internal_error_number" : "" , "internal_error_description" : "" , "language_format" : "en" , "language_selected" : "None" , "Is_Test" : "0" , "download_url" : "" , "installation_session_id" : "ae4011e0-7483-4a25-970f-3814d45fc4ca" , "publisher_id" : "Incredimail / Perion" , "publisher_internal_id" : "198" , "activated_by_stub" : "0" , "stub_version" : "no_stub" , "welcome_screen" : "0", "publisher_account_id" : "A-480753" , "channel_id" : "" , "machine_user_id" : "9EKT4KIHYP05AIWKCMQN9NQXBR0OGZGUDWSPEVZXPXWQ6S2TD6LRCPJLMTQCFHUBKY67AOEAOT3MNTQYLME8MG" , "bundle_id" : "6e4e2937-a2d8-424c-b0de-1517125686e7" , "general_id" : "unknown" , "dm_version" : "1.4.0.4.141207.02" , "build_id" : "00000000" , "mrs_id" : "17" , "mrs_file_version" : "Naive_recommender_Bayesian_adjust_2015-03-12.csv" , "user_operating_system" : "Microsoft Windows XP" , "user_service_pa
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:35 GMT
Content-Length: 0
HTTP/1.1 202 Accepted
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:35 GMT
Content-Length: 0
GET /ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: storage.stgbssint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 19 Feb 2015 16:40:37 GMT
Accept-Ranges: bytes
ETag: "7e1bfdc9624cd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 46581
Cache-Control: private, max-age=86400
Expires: Sat, 14 Mar 2015 00:07:35 GMT
Date: Fri, 13 Mar 2015 00:07:35 GMT
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
<<< skipped >>>
GET /LMS/PS_searchprotectCH/PS_SearchProtectCH.json HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://storage.stgbssint.com/ps/SearchProtector/SP_UI_AD/prod/nonadwords_trip.html?Lang=en&UM=-1&CType=-1&DownLoadBrowser=ie#cms.dmccint.com/DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: storage.stgbssint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/json
Last-Modified: Thu, 12 Mar 2015 08:16:02 GMT
Accept-Ranges: bytes
ETag: "70858bc79c5cd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 243349
Cache-Control: private, max-age=7200
Expires: Fri, 13 Mar 2015 02:07:36 GMT
Date: Fri, 13 Mar 2015 00:07:36 GMT
Connection: keep-alive
Access-Control-Max-Age: 604800
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: origin, content-type
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
<<< skipped >>>
GET ///img/Offers/r_39/r_8f/14-11-16-16.09.56.301/boxshot.jpg HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Sun, 16 Nov 2014 13:09:56 GMT
Accept-Ranges: bytes
ETag: "f8cc7a9e9e1d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 16185
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:31 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET ///img/Logos/r_ec/r_b1/752fefa4-2091-409c-b42c-abdd63222afb.jpg HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Wed, 12 Nov 2014 13:23:17 GMT
Accept-Ranges: bytes
ETag: "561819d27bfecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 5501
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:32 GMT
Date: Fri, 13 Mar 2015 00:07:32 GMT
Connection: keep-alive
<<< skipped >>>
GET /Global/GlobalPage/3706054/?Language=None&Welcome=true HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 188278
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:30 GMT
Date: Fri, 13 Mar 2015 00:07:30 GMT
Connection: keep-alive
<<< skipped >>>
GET /Js/jquery.dotdotdot.min.js?fid=3712096 HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 02 Mar 2015 09:41:45 GMT
Accept-Ranges: bytes
ETag: "b27d518cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 6149
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:31 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/-.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "2e263118cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 933
Cache-Control: private, max-age=14764
Expires: Fri, 13 Mar 2015 04:13:35 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/BoxBgNew.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "d88e3718cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 5182
Cache-Control: private, max-age=3651
Expires: Fri, 13 Mar 2015 01:08:22 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/button.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "d8ff3918cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 3937
Cache-Control: private, max-age=3690
Expires: Fri, 13 Mar 2015 01:09:01 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/X.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "9ca65118cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1076
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:31 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/button.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "d8ff3918cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 3937
Cache-Control: private, max-age=3690
Expires: Fri, 13 Mar 2015 01:09:01 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/NextButton_Sprite-wide-grey.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/Global/GlobalPage/3706054/?Language=None&Welcome=true
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "2d64d18cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2562
Cache-Control: private, max-age=17959
Expires: Fri, 13 Mar 2015 05:06:50 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/images/SmallLoader.gif HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "6205018cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1504
Cache-Control: private, max-age=15840
Expires: Fri, 13 Mar 2015 04:31:31 GMT
Date: Fri, 13 Mar 2015 00:07:31 GMT
Connection: keep-alive
<<< skipped >>>
GET /DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 176421
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:35 GMT
Date: Fri, 13 Mar 2015 00:07:35 GMT
Connection: keep-alive
<<< skipped >>>
GET /Js/jquery.dotdotdot.min.js?fid=3707848 HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Mon, 02 Mar 2015 09:41:45 GMT
Accept-Ranges: bytes
ETag: "b27d518cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 6149
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:35 GMT
Date: Fri, 13 Mar 2015 00:07:35 GMT
Connection: keep-alive
<<< skipped >>>
GET /CmsThemes/Default/Images/NextButton_Sprite wide.png HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/DynamicOffer/3706054/3707848/?mainofferId=3712096&ShowSkipAll=1&DownloadBrowser=IE&CType=-1&SearchProvider=Bing&UserMode=-1&DMVersion=1.4.0.4.141207.02&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cms.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 02 Mar 2015 09:41:44 GMT
Accept-Ranges: bytes
ETag: "624f4c18cd54d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2779
Cache-Control: private, max-age=15743
Expires: Fri, 13 Mar 2015 04:29:58 GMT
Date: Fri, 13 Mar 2015 00:07:35 GMT
Connection: keep-alive
<<< skipped >>>
POST /DecisionEngine.ashx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Host: engine.drive-c-files.com
Content-Length: 2509
Connection: Keep-Alive
Cache-Control: no-cache
<OFFER_REQUEST><COMPLETE_COMMAND_LINE>false</COMPLETE_COMMAND_LINE><USER_PROFILE><PUBLISHER_ID_NUM>198</PUBLISHER_ID_NUM><SESSION_ID><![CDATA[ae4011e0-7483-4a25-970f-3814d45fc4ca]]></SESSION_ID><TRACKING_ID><![CDATA[]]></TRACKING_ID><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DMVersion</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>1.4.0.4.141207.02</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultBrowser</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE>IE</USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>CurrentToolbar</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>Homepage</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[about:blank]]></USER_ATTRIBUTE_VALUE></USER_ATTRIBUTE><USER_ATTRIBUTE><USER_ATTRIBUTE_NAME>DefaultSearch</USER_ATTRIBUTE_NAME><USER_ATTRIBUTE_VALUE><![CDATA[]]></USER_ATTRIBUTE_VALUE>&l
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Fri, 13 Mar 2015 00:07:34 GMT
Content-Length: 8242
<OFFER_RESPONSE><MAIN_OFFER><OFFER_ID>3712096</OFFER_ID><OFFER_NAME>BLACKJACK ARENA</OFFER_NAME><OFFER_URL>no_dynamic_main_offer_url_supported_in_this_version</OFFER_URL><OFFER_DESCRIPTION /><OFFER_INSTALL_CMD><OFFER_ID>3712096</OFFER_ID><OFFER_STATE>default</OFFER_STATE><DOWNLOAD_URL>hXXp://VVV.freeridegames.com/do/getSDMGW?type=Silent&gameId=100799&sId=sweet_full_whitelabel&subId=10985</DOWNLOAD_URL><INSTALL_COMMAND_LINE /></OFFER_INSTALL_CMD><INSTALLATION_TYPE>1</INSTALLATION_TYPE><PRODUCT_ID /><PRODUCT_TYPE>Publisher's Offer</PRODUCT_TYPE><PRODUCT_VERSION /><ROOT_OFFER_ID>3712096</ROOT_OFFER_ID><DOWNLOAD_URL>hXXp://VVV.freeridegames.com/do/getSDMGW?type=Silent&gameId=100799&sId=sweet_full_whitelabel&subId=10985</DOWNLOAD_URL><OFFER_FILE_NAME /><DOWNLOAD_BACKUP_URL>hXXp://VVV.freeridegames.com/do/getSDMGW?type=Silent&gameId=100799&sId=sweet_full_whitelabel&subId=10985</DOWNLOAD_BACKUP_URL><CONDITION_TYPE>None</CONDITION_TYPE><TOTAL_STEPS>1</TOTAL_STEPS><SOFTWARE_PRODUCT_VERSION /><ANTI_OFFER /><SUCCESS_CODE /><INSTALLATION_UI_ELEMENTS><UI_ELEMENT><NAME>DownloadBrowser</NAME><VALUE>IE</VALUE></UI_ELEMENT><UI_ELEMENT><NAME>CType</NAME><VALUE>-1</VALUE></UI_ELEMENT><UI_
<<< skipped >>>
GET ///img/Logos/r_ec/r_b1/752fefa4-2091-409c-b42c-abdd63222afb.jpg HTTP/1.1
Accept: */*
Referer: hXXp://cms.dmccint.com/MainOffer/3706054/?CurrentStep=1&TotalSteps=3&DMVersion=1.4.0.4.141207.02&IsSmartCustomFrame=true&Language=None
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cmsstorage.dmccint.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Wed, 12 Nov 2014 13:23:17 GMT
Accept-Ranges: bytes
ETag: "561819d27bfecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 5501
Cache-Control: private, max-age=18000
Expires: Fri, 13 Mar 2015 05:07:32 GMT
Date: Fri, 13 Mar 2015 00:07:32 GMT
Connection: keep-alive
<<< skipped >>>
The Malware connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
.?AVfsURL@@
.?AVfsInternetURLFile@@
.?AVfsInternetURLFileDownloader@@
.?AVfsHttpFile@@
.?AVfsFtpConnection@@
.?AVfsFtpFile@@
.?AVfsHttpConnection@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXps://VVV.verisign.com/cps0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0q
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
LOCALS~1\Temp\nsx3.tmp\webapphost.dll
on Data\Google\Chrome\User Data\Default
.4.0.4.141207.02\14-12-08-12.20.18.575\0038824c-feac-413a-8789-94f89e52ddeb.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp\webapphost.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp
on\App Paths\IEXPLORE.EXE
1.0.0.1
Download.dll
nsx3.tmp
File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp\webapphost.dll" (overwriteflag=1)
\webapphost.dll"
XPLORE.EXE
gle\Chrome\User Data\Default
.4.0.4.141207.02\14-12-08-12.20.18.575\0038824c-feac-413a-8789-94f89e52ddeb.ico
ME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp
45C7A-2265-4E18-9610-99F026DADF11
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
LORE.EXE
IEXPLORE.EXE
PLORE.EXE
FA945C7A-2265-4E18-9610-99F026DADF11
hXXp://data.dmccint.com/api/usages/
hXXp://engine.drive-c-files.com//DecisionEngine.ashx
\\192.168.17.111\Bundles\59\512\ct5124859\6e4e2937a2d8424cb0de1517125686e7\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-08-12.20.18.575\0038824c-feac-413a-8789-94f89e52ddeb.ico
\\192.168.17.111\Bundles\59\512\ct5124859\6e4e2937a2d8424cb0de1517125686e7\Downloads\Prod\DDE1.4.0.4.141207.02\14-12-08-12.20.18.575\0038824c-feac-413a-8789-94f89e52ddeb.png
6e4e2937-a2d8-424c-b0de-1517125686e7
00000000
3712096
hXXp://cms.dmccint.com/MainOffer/3706054/
Setup.exe
hXXp://cms.dmccint.com/Global/GlobalPage/3706054/
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp\webapp\
Naive_recommender_Bayesian_adjust_2015-03-12.csv
Microsoft Windows XP
6.0.2900.5512
%Documents and Settings%\%current user%\Local Settings\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp\client_xml.xml
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp\offer.xml
no_dynamic_main_offer_url_supported_in_this_version
%Program Files%\Internet Explorer\iexplore.exe
BLACKJACK_ARENA.exe
1.4.0.4.141207.02
svchost.exe_1508:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3729900[1].htm (27132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\NoneSilentSuccess.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery.dotdotdot.min[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\jquery-1.10.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[3].js (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3706054[2].htm (23048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\gplay.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\X[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[2].js (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\webapphost.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nonadwords_trip[1].htm (4685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[1].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\certInlineLB.pfx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\NextButton_Sprite wide[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\Failed.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (41445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\FDMClient.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3706054[1].htm (24656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\boxshot[1].jpg (1564 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\InstallationSuccessful[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\WebBrowser_embedded.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\752fefa4-2091-409c-b42c-abdd63222afb[2].jpg (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BoxBgNew[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.dotdotdot.min[1].js (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\WelcomeScreen.htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CancelBG[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\DM_loader.gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CancelBGGoogleDialog[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nonadwords_trip[1].html (6898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\752fefa4-2091-409c-b42c-abdd63222afb[1].jpg (477 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NextButton_Sprite-wide-grey[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\manager.html (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\button[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SmallLoader[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\icon.png (550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\-[2].png (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\Success.htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\manager.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\proxy.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PS_SearchProtectCH[1].json (22880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\init.html (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\customframeapi[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\manager\scripts\sharedWorker.js (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3707848[1].htm (25222 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.