Gen.Variant.Application.Bundler.DownloadGuide.48_b65f6e09f1

by malwarelabrobot on February 7th, 2018 in Malware Descriptions.

Gen:Variant.Application.Bundler.DownloadGuide.48 (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: b65f6e09f186b60460d0c79f966d94f2
SHA1: 5322a3641d5b7d9dc8e0d864f7492e5e66329ae1
SHA256: c469a59adfef859fa347a25287525303d0b2866dfb52ad3fd245cb9d9971e3e0
SSDeep: 12288:gTSyvkI4mrAluA2DsZdczNJl5ADBwRmXZybAjMZni:xyz4mAuACzV58BwzAIZni
Size: 580696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-11-16 07:02:27
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2028

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG566A.tmp (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\progress.zip.part (5654 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\index.html (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\css\style.css (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\progress.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\index.html (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\index.html (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\index.html (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\index.html (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\uifile.zip.part (2933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\dlgres\DLG-Product-Logo.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\css\style.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\img\progress.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\img\progress-bar.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\base.zip.part (1964 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\last.zip.part (1968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018020620180207\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\css\style.css (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\noconnection.html (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\img\img1.png (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\css\style.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\uifile.zip.part (2937 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012 (0 bytes)

Registry activity

The process %original file name%.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018020620180207]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018020620180207]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"fdwSupport" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018020620180207]
"CacheLimit" = "8192"
"CachePrefix" = ":2018020620180207:"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018020620180207]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018020620180207"

[HKLM\SOFTWARE\Microsoft\Tracing\b65f6e09f186b60460d0c79f966d94f2_RASAPI32]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017101120171012]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.1.0.201
File Description:
Comments:
Language: Korean (Korea)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             380232        380416    4.54221  db4cc8a2831dffeb9c5c4237073ae96d
.rdata  385024           137892        138240    5.05935  5e663731276572b0cf1b8001d4580ee8
.data   524288           18592         8704      2.75969  9d151c4644703a82a26c6348ad2be1ea
.rsrc   544768           16064         16384     3.37948  67d42c5acb2cab2a60dc81259eec73da
.reloc  561152           29968         30208     4.13538  ef1bcb7d6556c7329124068bee5a3085

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 122

URLs

URL IP
hxxp://dlg-configs-neu.cloudapp.net/
hxxp://dlg-configs-neu.cloudapp.net/config-from-production
hxxp://cs9.wpc.v0cdn.net/public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/computerbild-flow-5-text-en-us.zip
hxxp://cs9.wpc.v0cdn.net/public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/base.zip
hxxp://dlg-messages-eus.cloudapp.net/1/dg/3
hxxp://cs9.wpc.v0cdn.net/public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/progress.zip
hxxp://cs9.wpc.v0cdn.net/public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/driverfinder-single-avira-en-us.zip
hxxp://cs9.wpc.v0cdn.net/public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/last.zip
dlg-configs.buzzrin.de 23.102.60.206
az687722.vo.msecnd.net 93.184.221.200


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE PUP W32/DownloadGuide.D
ET MALWARE PUP Win32/DownloadGuide.A

Traffic

POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 422
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:49 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"RequirementsCheckSuccessful","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"revenuewire/driverfinder/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:55 GMT
Connection: close
Content-Length: 0


GET /public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/last.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: fgXouqoJyZc91T1FRhXKXg==
Content-Type: application/octet-stream
Date: Tue, 06 Feb 2018 13:32:53 GMT
Etag: 0x8D4B16A159C8D5C
Last-Modified: Mon, 12 Jun 2017 08:07:35 GMT
Server: ECAcc (vie/4435)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: df36c47d-001e-0041-174a-9f4d23000000
x-ms-version: 2009-09-19
Content-Length: 37851
Connection: close

<<< skipped >>>

POST /config-from-production HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-configs.buzzrin.de
Content-Length: 219
Connection: Close

{"os":"WinNT","osver":"6.1.7601 (Service Pack 1) SP: 1.0","lang":"en-US","uid":"88dcd395-b062-45b3-a6cd-79f37c0eba08","prod":"computerbild/1.0/campaigns/product website/","expiresOn":"2117-11-17T19:02:07.6768125 00:00"}
HTTP/1.1 200 OK
Content-Type: text/plain
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:52 GMT
Connection: close
Content-Length: 15596
{"certificate":"computerbild","productSetup":"","windowHeight":389,"windowWidth":506,"product":{"version":"1.0","displayName":"ComputerBild","installCodeJs":"dmFyIF8weDg0YzM9WyJceDc1XHg2RVx4NjRceDY1XHg2Nlx4Njlc

<<< skipped >>>

GET /public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/driverfinder-single-avira-en-us.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: uMSBJRgPVm VVdAJw4bihQ==
Content-Type: application/octet-stream
Date: Tue, 06 Feb 2018 13:32:53 GMT
Etag: 0x8D531846BA7DDF0
Last-Modified: Wed, 22 Nov 2017 08:38:35 GMT
Server: ECAcc (vie/F2DE)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 79f0f9d6-001e-0045-344a-9fb8a1000000
x-ms-version: 2009-09-19
Content-Length: 44116
Connection: close

<<< skipped >>>

HEAD / HTTP/1.1
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-configs.buzzrin.de
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:50 GMT
Connection: close


GET /public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/computerbild-flow-5-text-en-us.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: bR/krerj6VpBokLPoWwBeg==
Content-Type: application/octet-stream
Date: Tue, 06 Feb 2018 13:32:53 GMT
Etag: 0x8D4B16A15A8E987
Last-Modified: Mon, 12 Jun 2017 08:07:35 GMT
Server: ECAcc (vie/F2D8)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 38ccbac4-001e-0005-094a-9f914f000000
x-ms-version: 2009-09-19
Content-Length: 47505
Connection: close

<<< skipped >>>

POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 419
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:49 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"RequirementsCheckStarted","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"revenuewire/driverfinder/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:55 GMT
Connection: close
Content-Length: 0


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 371
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:51 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"ProductShown","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:57 GMT
Connection: close
Content-Length: 0


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 414
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:49 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"RequirementsCheckFailed","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"freemium/weather hub/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:53 GMT
Connection: close
Content-Length: 0


GET /public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/progress.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: /W1xKOOIUzMMh1sTtbSAMw==
Content-Type: application/octet-stream
Date: Tue, 06 Feb 2018 13:32:53 GMT
Etag: 0x8D4B16A1597F951
Last-Modified: Mon, 12 Jun 2017 08:07:35 GMT
Server: ECAcc (vie/F293)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 2ffaa10b-001e-004d-3d4a-9fa3d2000000
x-ms-version: 2009-09-19
Content-Length: 85824
Connection: close

<<< skipped >>>

GET /public-source/downloadguide/computerbild/1.0/default/campaigns/product website/ui/base.zip HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=3600
Content-MD5: 1qejZaR1U4Sbj96r0jh9BA==
Content-Type: application/octet-stream
Date: Tue, 06 Feb 2018 13:32:53 GMT
Etag: 0x8D4B16A15927AFC
Last-Modified: Mon, 12 Jun 2017 08:07:35 GMT
Server: ECAcc (vie/443B)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 9b288f7b-001e-0029-094a-9f1372000000
x-ms-version: 2009-09-19
Content-Length: 34432
Connection: close

<<< skipped >>>

POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 377
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:49 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"ApplicationStarted","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:53 GMT
Connection: close
Content-Length: 0


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 388
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:49 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"LoadingPrerequisitesCompleted","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:56 GMT
Connection: close
Content-Length: 0


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 377
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:49 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"ApplicationVisible","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:56 GMT
Connection: close
Content-Length: 0


POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 415
Connection: Close

{"BuildId":"311802cc-d41d-438f-b907-442c8c81eca2","Client":"freemium","DlgVersion":"3.1.0.201","Culture":"en-US","LocalTime":"2018-02-06T13:32:49 02:00","SessionId":"5eca40a3-f6f4-42ec-86b5-df2fe7a8fe4a","MessageName":"RequirementsCheckStarted","Product":"computerbild","ProductVersion":"1.0","Region":"default","Campaign":"product website","Offer":"freemium/weather hub/1.0/default","TrackBackUrl":"","SubId":null}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Tue, 06 Feb 2018 13:32:53 GMT
Connection: close
Content-Length: 0


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2028:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
F3.1.0.201
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Advapi32.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG566A.tmp
3.1.0.201


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG566A.tmp (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\progress.zip.part (5654 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\index.html (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\css\style.css (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\progress.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\index.html (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\index.html (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\index.html (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\index.html (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\uifile.zip.part (2933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\dlgres\DLG-Product-Logo.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\css\style.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\img\progress.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\img\progress-bar.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\base.zip.part (1964 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\last.zip.part (1968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018020620180207\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\last\css\style.css (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\initWindow\noconnection.html (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\ba9a67534b6e9a468651bf74611d0a02\img\img1.png (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\common\base\css\style.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DLG\ui\offers\1522ef138ba104249c3934a80811f825\uifile.zip.part (2937 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
