Gen.Variant.Graftor.Elzob.20639_94f8a8849c
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.Elzob.20639 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.20639 (AdAware), Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 94f8a8849ce16926af9b6579324eb210
SHA1: fc15088ed06a610af4363cfa93c6ff005ab93d9e
SHA256: b04069a274b9714acc68c3ddf4420b7a51d0f5745f98ac44cb025f0968b121bf
SSDeep: 49152:Z1O7D2Oy7YhgzoByHMV9pwxE53Ru7ejCtepPlkEo3hEOPbnJPxGe2fOY:Z1MizEgz8MMV9GxEG6CckEVOPrJPm
Size: 2703360 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2012-04-06 12:51:23
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup.exe:1624
1.exe:4044
2.exe:2276
%original file name%.exe:2196
The Trojan injects its code into the following process(es):
setup.exe:3220
WUDhost.exe:2840
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:3220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1035\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1029\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1051\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.dll (2327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1053\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1042\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\3082\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1032\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\tr\Adguard.Burn.resources.dll (1705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1045\mbapreq.wxl (425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hu\Adguard.Burn.resources.dll (596 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\zh\Adguard.Burn.resources.dll (858 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\2070\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1043\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Adguard_20170403152745.log (38305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\BootstrapperApplicationData.xml (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\nl\Adguard.Burn.resources.dll (571 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\es\Adguard.Burn.resources.dll (1367 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1041\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1036\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1031\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1049\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbahost.dll (1297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1040\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1060\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\BootstrapperCore.dll (1778 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\pt\Adguard.Burn.resources.dll (1054 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1028\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1046\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1044\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\pl\Adguard.Burn.resources.dll (507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1055\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\BootstrapperCore.config (805 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\it\Adguard.Burn.resources.dll (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\sr\Adguard.Burn.resources.dll (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\Adguard.Burn.dll (32892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\zh-TW\Adguard.Burn.resources.dll (1656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\he\Adguard.Burn.resources.dll (658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\de\Adguard.Burn.resources.dll (1992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\2052\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1030\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\ja\Adguard.Burn.resources.dll (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1038\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\ru\Adguard.Burn.resources.dll (2256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.png (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hr\Adguard.Burn.resources.dll (1754 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.thm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hy\Adguard.Burn.resources.dll (396 bytes)
The process 1.exe:4044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\adguard\setup.exe (17400294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B91M244W.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\setup[1].exe (17129277 bytes)
The process WUDhost.exe:2840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\WindowsTask\fafa.exe (11518 bytes)
The Trojan deletes the following file(s):
C:\ProgramData\System32\Logs\fafa.exe (0 bytes)
The process 2.exe:2276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut427D.tmp (3505 bytes)
C:\ProgramData\System32\Logs\WUDhost.exe (2461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut4182.tmp (14190 bytes)
C:\ProgramData\System32\Logs\fafa.exe (11518 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WUDhost.exe.lnk (828 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut427D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut4182.tmp (0 bytes)
The process %original file name%.exe:2196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe (173 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe (147 bytes)
Registry activity
The process setup.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "setup.exe"
[HKLM\SOFTWARE\Adguard]
"affiliateid" = "26950"
The process 1.exe:4044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "A0 CC 33 9B 75 AC D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\1_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "A0 CC 33 9B 75 AC D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| c3310d4df72326a1f0d9164512a2cf46 | c:\ProgramData\System32\Logs\WUDhost.exe |
| 7d1e5fb34fea118053d3f090c620f0a9 | c:\ProgramData\WindowsTask\fafa.exe |
| c3310d4df72326a1f0d9164512a2cf46 | c:\Users\All Users\System32\Logs\WUDhost.exe |
| 7d1e5fb34fea118053d3f090c620f0a9 | c:\Users\All Users\WindowsTask\fafa.exe |
| af9f7bcd44c24592b9d89cc3aea8b706 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\setup[1].exe |
| 5af2db1f906fbccf53b1526bad7daeee | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe |
| bd34c683a07b47017db078a407aaa30c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe |
| af9f7bcd44c24592b9d89cc3aea8b706 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\adguard\setup.exe |
| f1380f37872589509947a491c3d702d4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\Adguard.Burn.dll |
| e8438baa6ac4617827df66bf3b10bc9a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\BootstrapperCore.dll |
| 97032b4195c362fa8000cf0d5e014045 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\de\Adguard.Burn.resources.dll |
| acd72bb0c8ae2670a3fae954fd13d0ed | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\es\Adguard.Burn.resources.dll |
| 45593ace40ea9c5ad93feab8b085e3ff | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\he\Adguard.Burn.resources.dll |
| c27ed8d994bb136c531b862fe050c16c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hr\Adguard.Burn.resources.dll |
| e510a6416a55963326a4802e0afd6a2d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hu\Adguard.Burn.resources.dll |
| 443ccf4cd9e7b54970529195ede9d1c7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hy\Adguard.Burn.resources.dll |
| 85b4190d00bc3c41628452207074218f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\it\Adguard.Burn.resources.dll |
| 4f2f29b168ca3d04a72e1dfb137dcccd | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\ja\Adguard.Burn.resources.dll |
| b4222e6179984e6921671a07f5413a06 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbahost.dll |
| f7f61854e65bc49951283c9a1e52c945 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.dll |
| b273507e91bead933701ec58169e117b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\nl\Adguard.Burn.resources.dll |
| 8042f3c8b1f956569d5a903c0c37fd37 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\pl\Adguard.Burn.resources.dll |
| 7e9abade96a54fbd1fb372b5e69374c0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\pt\Adguard.Burn.resources.dll |
| e130942925043815f4b51a73e0bcb24f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\ru\Adguard.Burn.resources.dll |
| 27d2c4e2f6057c9591fe1f3f57624f9f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\sr\Adguard.Burn.resources.dll |
| 7073b6808126790abf4c20a1e8e0f1a2 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\tr\Adguard.Burn.resources.dll |
| b160862123bfa9f7490f65611fe54abe | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\zh-TW\Adguard.Burn.resources.dll |
| ecd99fe38f66a3048978a97ed695724a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\zh\Adguard.Burn.resources.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 14766 | 16384 | 4.31589 | fcf9b1a470ab37098356dd50085d8c88 |
| .rdata | 20480 | 2178 | 4096 | 2.38072 | 4aa8682a734eef34e27e38ad2e7b7709 |
| .data | 24576 | 10780 | 12288 | 0.268124 | 48507b379509ef395e1420c132236db7 |
| .rsrc | 36864 | 2663460 | 2666496 | 5.54456 | b336bc586f05cb74d7d49aab7d03e490 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://static.adguard.com/windows/setup.exe | |
| time.windows.com | |
| teredo.ipv6.microsoft.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /windows/setup.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: static.adguard.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 03 Apr 2017 12:26:56 GMT
Content-Type: application/octet-stream
Content-Length: 35366216
Connection: keep-alive
Set-Cookie: __cfduid=d7baf0c7416cb681992c2eb6d7cc4f5d71491222416; expires=Tue, 03-Apr-18 12:26:56 GMT; path=/; domain=.adguard.com; HttpOnly
Last-Modified: Thu, 30 Mar 2017 09:16:54 GMT
Content-MD5: af9f7bcd44c24592b9d89cc3aea8b706
ETag: "58dccd06-21ba548"
CF-Cache-Status: HIT
Expires: Mon, 03 Apr 2017 16:26:56 GMT
Cache-Control: public, max-age=14400
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 349c04e9816d4ea2-DME
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
....i.b.....i.`.....i.a.....8.......8.......8.........................
....../......./.l............./.......Rich............PE..L......V....
.................H....................@..........................0....
........@..................................j..@.......p...........8j..
.;.......;...]..T...................d^.......^..@.....................
.......................text...X........................... ..`.rdata..
L...........................@..@.data...`............v..............@.
...wixburn8...........................@..@.tls........................
........@....rsrc...p...........................@..@.reloc...;.......&
lt;..................@..B.............................................
......................................................................
......................................................................
...............................................U...M.VW.}...u..O .E..G
0.E..G4.G.PWh#.@.Q............t.~.............O....PQj.W........_..^].
U...u..E..u..u..p..p...........~.........].U..V.u..v..v..3....f...f..Y
Y^].U...E.3.V.;#E...t......J...B..u. ..M..B..a...a...1.A.^].U...E.VW3.
...D.....t......J.f.....f;.u. ....M...U.....y..y._.1.A.^].U...E(..tj.M
..U.S.].W.} ...t*...u(..t....A..........M..H..M..H..X..x.... ..M.V.p0.
.t..p4.u$WSQ.u...R.u..u..O.....^_[].$.U...E..E.t-.U..J..B.#M.#E...t..B
..J.#E.#M.;B.u.;J.t.2.]...].U......cbF..U...V.u....aF..........E..<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rsrc
.reloc
j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
@Kv.AKv
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \usupport for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
n..GGHHH
n...GGHHH
n ....HGHHHH
n ....G.HHH
~~~~{~{{{{n!! ....HGHHHH
n!! .....HHHHHH
!!! ....GGHHH
!!"".....HHHHnv
"""...-.nv
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>@%SWV(U
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\ProgramData\System32\Logs\WUDhost.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.
>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
1!<....(
%c=/Kr
<*-('(-)/)((4H%d=j@
3.3.14.2
hXXp://VVV.autoitscript.com/autoit3/
WUDhost.exe_2840_rwx_001B0000_00002000:
%SWVU
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
WUDhost.exe_2840_rwx_00241000_000D8000:
j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
@Kv.AKv
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \usupport for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\ProgramData\System32\Logs\WUDhost.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression.
Unbalanced brackets in expression.
Incorrect number of parameters in function call.
"ReDim" used without an array variable.
Illegal text at the end of statement (one statement per line).
"If" statement has no matching "EndIf" statement.
"Else" statement with no matching "If" statement.
"EndIf" statement with no matching "If" statement.
Too many "Else" statements for matching "If" statement.
"While" statement has no matching "Wend" statement.
"Wend" statement with no matching "While" statement.
Variable used without being declared.
Array variable has incorrect number of subscripts or subscript dimension range exceeded.
Variable subscript badly formatted.
Subscript used on non-accessible variable.
Too many subscripts used for an array.
Missing subscript dimensions in "Dim" statement.
No variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
Expected a "=" operator in assignment statement.
Invalid keyword at the start of this line.
Invalid element in a DllStruct.
Unknown option or bad parameter specified.
Unable to load the internet libraries.
"Struct" statement has no matching "EndStruct".
Unable to open file, the maximum number of open files has been exceeded.
"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.
Expected a variable in user function call.
"Do" statement has no matching "Until" statement.
"Until" statement with no matching "Do" statement.
"For" statement is badly formatted.
"Next" statement with no matching "For" statement.
"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.
"For" statement has no matching "Next" statement.
"Case" statement with no matching "Select"or "Switch" statement.
"EndSelect" statement with no matching "Select" statement.
Recursion level has been exceeded - AutoIt will quit to prevent stack overflow.
Cannot make existing variables static.
Cannot make static variables into regular variables.
This keyword cannot be used after a "Then" keyword.
"Select" statement is missing "EndSelect" or "Case" statement.
"If" statements must have a "Then" keyword.
Badly formated Struct statement.
Cannot assign values to constants.
Cannot make existing variables into constants.
Only Object-type variables allowed in a "With" statement.
"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.
Object referenced outside a "With" statement.
Nested "With" statements are not allowed.
Variable must be of type "Object".
The requested action with this object has failed.
Variable appears more than once in function declaration.
ReDim array can not be initialized in this manner.
An array variable can not be used in this manner.
Can pass constants by reference only to parameters with "Const" keyword.
Can not initialize a variable with itself.
Incorrect way to use this parameter.
"EndSwitch" statement with no matching "Switch" statement.
"Switch" statement is missing "EndSwitch" or "Case" statement.
"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.
Badly formated variable or macro.
Missing separator character after keyword.
WUDhost.exe_2840_rwx_0031F000_00002000:
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
kernel32.dll
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
3.3.14.2
hXXp://VVV.autoitscript.com/autoit3/
setup.exe_1624:
.text
`.rdata
@.data
.wixburn8
@.tls
.rsrc
@.reloc
8.wixu
engine.cpp
3.10.1.2213
Failed to create pipes to connect to elevated parent process.
Failed to set elevated pipe into thread local storage for logging.
variable.cpp
Unsupported variable type.
Setting variable failed: ID '%ls', HRESULT 0x%x
Failed to find DllGetVersion entry point in msi.dll.
Failed to get msi.dll version info.
Failed to get windows directory.
Failed to open Windows folder key.
condition.cpp
Failed to parse condition '%ls' at position: %u
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
search.cpp
Failed to get Key attribute.
Directory search: %ls, did not find path: %ls, reason: 0x%x
Failed to format key string.
Registry key not found. Key = '%ls'
Failed to open registry key. Key = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Failed to query registry key value.
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
Failed to open registry key.
Failed to query registry key value size.
Unsupported registry key value type. Type = '%u'
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
Failed to get component path: %d
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
Unsupported product search type: %u
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
section.cpp
Failed to read image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read section info, data to short: %u
Failed to read section info, unsupported version: x
Failed to find container info, too few elements: %u
Failed to select approved exe nodes.
Failed to get approved exe node count.
approvedexe.cpp
Failed to allocate memory for approved exe structs.
Failed to get @Key.
Failed to create executable command.
Failed to create obfuscated executable command.
container.cpp
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get path for executing module.
catalog.cpp
payload.cpp
Failed to get @DownloadUrl.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to get directory portion of local file path
userexperience.cpp
package.cpp
Failed to parse EXE package.
Failed to get @ProviderKey.
Failed to get @ExecutableName.
Failed to get @AboutUrl.
Failed to get @UpdateUrl.
registration.cpp
Failed to overwrite the bundle provider key built-in variable.
Failed to format pending restart registry key to read.
Failed to open registration key.
Failed to create registration key.
Failed to register the bundle dependency key.
Failed to write volatile reboot required registry key.
Failed to delete registration key: %ls
Failed to build uninstall registry key path.
Failed to build cached executable path.
Failed to create run key.
Failed to write run key value.
Failed to delete run key value.
Failed to format the key path for update registration.
Failed to get the formatted key path for update registration.
Failed to create the key for update registration.
Failed to format key for update registration.
Failed to remove update registration key: %ls
Failed to get path for current executing process as layout directory.
Failed to get executing process as layout directory.
Failed to to copy executable name for bundle.
Failed to append execute action.
Failed to add dependent bundle provider key to ignore dependents.
Failed to process passthrough package.
Failed to plan rollback boundary for passthrough package.
plan.cpp
Failed to plan execute package.
Failed to append execute checkpoint.
Failed to calculate execute actions for package: %ls
Unexpected relation type encountered during plan: %d
Failed to add the package provider key "%ls" to the planned list.
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to remove unnecessary execute actions.
Failed to finalize slipstream execute actions.
Failed to append execute checkpoint for cache rollback.
Failed to grow plan's array of execute actions.
Failed to insert keep registration execute action.
Failed to insert remove registration execute action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to get path for executing module as attached container working path.
logging.cpp
Failed to write send message to pipe.
Failed to pump messages during send message to pipe.
pipe.cpp
No status returned to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to process message: %u
Failed to get message over pipe
Failed to create pipe guid.
Failed to convert pipe guid into string.
Failed to allocate pipe name.
Failed to allocate pipe secret.
Failed to create the security descriptor for the connection event and pipe.
Failed to allocate full name of pipe: %ls
Failed to create pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to set pipe to non-blocking.
Failed to wait for child to connect to pipe.
Failed to reset pipe to blocking.
Failed to write secret length to pipe.
Failed to write secret to pipe.
Failed to write our process id to pipe.
Failed to read ACK from pipe.
Failed to allocate name of parent pipe.
Failed to open parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to allocate name of parent cache pipe.
Failed to open companion process with PID: %u
Failed to write message type to pipe.
Failed to read message from pipe.
Failed to read size of verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification process id from parent pipe.
core.cpp
Failed to execute searches.
Failed to detect provider key bundle id.
Failed to report detected related bundles.
Package type not supported by detect yet.
Failed to plan passthrough.
Another per-user setup is already executing.
Another per-machine setup is already executing.
Failed while caching, aborting execution.
Engine cannot start LaunchApprovedExe because it is busy with another action.
UX aborted LaunchApprovedExe begin.
Failed to format passthrough for command-line.
Failed to append passthrough to command-line.
cache.cpp
Failed to get provider state from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to verify expected payload against actual certificate chain.
Failed to seek to checksum in exe header.
Failed to seek to signature table in exe header.
Failed to seek to original data in exe burn section header.
Failed to get certificate public key identifier.
Failed to read certificate thumbprint.
Failed to find expected public key in certificate chain.
elevation.cpp
Failed to create pipe name and client token.
Failed to create pipe and cache pipe.
Failed to write registration operations to message buffer.
Failed to write dependent provider key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to write bundle dependency key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to write approved exe id to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to read file name: %u
Failed to read MSI data: %u
Failed to read approved exe process id.
Invalid launch approved exe message.
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Failed to read registration operations.
Invalid data passed to cache or layout payload.
Failed to read dependent provider key.
Failed to execute dependent registration action for provider key: %ls
Failed to read EXE package id.
Failed to execute EXE package.
Failed to execute MSI package.
Failed to execute MSP package.
Failed to execute MSU package.
Failed to execute package provider action.
Failed to read bundle dependency key from message buffer.
Failed to execute package dependency action.
Invalid message type: %d
Failed to read approved exe id.
Failed to read approved exe arguments.
Failed to read approved exe WaitForInputIdle timeout.
The per-user process requested unknown approved exe with id: %ls
Failed to open the registry key for the approved exe path.
Failed to read the value for the approved exe path.
Failed to verify the executable path is in a secure location: %ls
The executable path is not in a secure location: %ls
Failed to launch approved exe: %ls
Failed to write the approved exe process id to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
splashscreen.cpp
uithread.cpp
EngineForApplication.cpp
Failed to send embedded message over pipe.
Failed to send embedded progress message over pipe.
UX denied while trying to set download URL on embedded payload: %ls
Failed to set download URL.
Failed to set download password.
UX requested unknown approved exe with id: %ls
Failed to post launch approved exe message.
The string is too big: size %u
<the>.cab
cabextract.cpp
Failed to create begin operation event.
Failed to create operation complete event.
Failed to wait for operation complete.
Failed to begin and wait for operation.
Failed to set begin operation event.
Failed to reset operation complete event.
Failed to wait for operation complete event.
Failed to initialize cabinet.dll.
Failed to extract all files from container, erf: %d:%X:%d
Failed to set operation complete event.
Failed to wait for begin operation event.
Failed to reset begin operation event.
Invalid operation for this state.
Failed to move file pointer 0x%x bytes.
Failed to evaluate executable package detect condition.
exeengine.cpp
Invalid package current state: %d.
Failed to insert execute action.
Failed to build executable path.
Invalid Exe package action: %d.
Failed to evaluate executable package command-line condition.
Bootstrapper application aborted during EXE progress.
Failed to wait for executable to complete: %ls
Process returned error: 0x%x
msiengine.cpp
Failed to calculate execute feature state.
Invalid package current state result encountered during plan: %d
Failed to detect compatible package from provider key.
Failed to copy the compatible provider key.
mspengine.cpp
msuengine.cpp
Failed to find Windows directory.
Failed to allocate WUSA.exe path.
dependency.cpp
Failed to get the Key attribute.
Failed to get the Imported attribute.
Failed to get provider key bundle id.
Failed to initialize provider key bundle id.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to insert provider execute action.
Failed to append provider execute action.
Unrecognized registration action type: %d
Failed to append the key "%ls".
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to get the provider key package id.
Failed to copy the provider key.
Failed to open uninstall registry key.
Failed to enumerate uninstall key for related bundles.
Failed to open uninstall key for potential related bundle: %ls
relatedbundle.cpp
Failed to read provider key from registry for bundle: %ls
detect.cpp
Unexpected relation type encountered: %d
Failed to copy update url.
Failed attempt to download update feed from URL: '%ls' to: '%ls'
apply.cpp
BA aborted execute begin.
Failed to execute dependent registration action.
Failed attempt to download URL: '%ls' to: '%ls'
Failed to execute package provider registration action.
Failed to execute dependency action.
Failed to execute compatible package action.
Invalid execute action.
Invalid rollback action: %d.
UX aborted execute EXE package begin.
UX aborted EXE progress.
Failed to configure per-machine EXE package.
Failed to configure per-user EXE package.
UX aborted EXE package execute progress.
UX aborted execute MSI package begin.
UX aborted MSI package execute progress.
UX aborted execute MSP package begin.
BA aborted execute MSP target.
UX aborted MSP package execute progress.
UX aborted execute MSU package begin.
UX aborted MSU package execute progress.
Failed to parse approved exes.
pseudobundle.cpp
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy install arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to create embedded pipe name and client token.
Failed to create embedded pipe.
embedded.cpp
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded executable: %ls
Unexpected embedded message sent to child process, msg: %u
NetFxChainer.cpp
bitsengine.cpp
Invalid BITS engine URL: %ls
Failed to copy download URL.
operator
operator ""
buffutil.cpp
cryputil.cpp
logutil.cpp
Error 0x%x: %ls
Executable: %ls v%d.%d.%d.%d
memutil.cpp
pathutil.cpp
procutil.cpp
RegDeleteKeyExW
regutil.cpp
srputil.cpp
strutil.cpp
wiutil.cpp
xmlutil.cpp
kernel32.dll
shelutil.cpp
wuautil.cpp
fileutil.cpp
dirutil.cpp
dictutil.cpp
aclutil.cpp
certutil.cpp
svcutil.cpp
dlutil.cpp
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Unknown HTTP status code %d, returned from URL: %ls
atomutil.cpp
apuputil.cpp
timeutil.cpp
inetutil.cpp
uriutil.cpp
deputil.cpp
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
C:\build\work\eca3d12b\wix3\build\ship\x86\burn.pdb
.text$di
.text$mn
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.wixburn
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjects
USER32.dll
OLEAUT32.dll
GDI32.dll
SHELL32.dll
ole32.dll
GetWindowsDirectoryW
ConnectNamedPipe
SetNamedPipeHandleState
CreateNamedPipeW
SetThreadExecutionState
KERNEL32.dll
Cabinet.dll
CryptHashPublicKeyInfo
CRYPT32.dll
msi.dll
RPCRT4.dll
WININET.dll
WINTRUST.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
ShellExecuteExW
VERSION.dll
GetCPInfo
GetProcessHeap
CertGetCertificateContextProperty
SHLWAPI.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
InternetCrackUrlW
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
LaunchApprovedExe begin, id: %1!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Application canceled operation: %2!ls!, error: %1!ls!
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="setup.exe" version="1.0.0.0" processorArchitecture="x86" type="win32"></assemblyIdentity><description>WiX Toolset Bootstrapper</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
WixBundleExecutePackageCacheFolder
WixBundleExecutePackageAction
WixBundleProviderKey
NTSuiteWebServer
WindowsFolder
WindowsVolume
[\%c]
.[%d]
.WiX Burn
SOFTWARE\Microsoft\Windows\CurrentVersion
.ComponentId
.keyPath
.language
ApprovedExeForElevation
.ValueName
"%ls" %s
.Attached
DownloadUrl
.FileSize
CertificateRootPublicKeyIdentifier
CertificateRootThumbprint
.ba%d
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
.Size
.PerMachine
.RollbackLogPathVariable
.InstallCondition
.PatchTargetCode
.Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
BundleProviderKey
burn.runonce
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%ls.RebootRequired
URLInfoAbout
URLUpdateInfo
ParentKeyName
ProviderKey
.ExecutableName
AboutUrl
UpdateUrl
.DisableModify
.Filename
8%s\%s
.%s\state.rsm
.RelatedBundle
%ls%hs%ls_u_%ls%ls.%ls
SOFTWARE\Policies\Microsoft\Windows\Installer
.burn.elevated
burn.unelevated
\\.\pipe\%ls
\\.\pipe\%ls.Cache
BurnPipe.%s
s-%ls %ls %ls %u %ls
-q -%ls %ls %ls %u
.open
burn.embedded
burn.log.append
burn.related.detect
burn.related.upgrade
burn.related.addon
burn.related.patch
burn.related.update
burn.passthrough
burn.disable.unelevate
burn.ignoredependencies
burn.ancestors
/passive
passive
.unverified
.PackageCache
.WixBurnMessageWindow
.update\%ls
.DetectCondition
.InstallArguments
.Repairable
.UninstallArgument
.MsiProperty
.RollbackValue
%s$="%s"
ADDLOCAL="%s"
ADDSOURCE="%s"
ADDDEFAULT="%s"
. REINSTALL="%s"
ADVERTISE="%s"
REMOVE="%s"
wusa.exe
.wuauserv
Imported
.Chain
.%ls -%ls %ls %ls %u
.%ls /pipe %ls
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
AdvApi32.dll
Crypt32.dll
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
\\?\UNC
%ls_uuuuuu%ls%ls%ls
srclient.dll
Msi.dll
Msxml2.DOMDocument
MSXML.DOMDocument
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Microsoft.Update.AutoUpdate
PendingFileRenameOperations
%u.%u.%u.%u
hXXp://appsyndication.org/2006/appsyn
hu-hu-huThu:hu:hu%cu:u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\adguard\setup.exe
6.1.331.1732
setup.exe
setup.exe_3220:
.text
`.rdata
@.data
.wixburn8
@.tls
.rsrc
@.reloc
8.wixu
engine.cpp
3.10.1.2213
Failed to create pipes to connect to elevated parent process.
Failed to set elevated pipe into thread local storage for logging.
variable.cpp
Unsupported variable type.
Setting variable failed: ID '%ls', HRESULT 0x%x
Failed to find DllGetVersion entry point in msi.dll.
Failed to get msi.dll version info.
Failed to get windows directory.
Failed to open Windows folder key.
condition.cpp
Failed to parse condition '%ls' at position: %u
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
search.cpp
Failed to get Key attribute.
Directory search: %ls, did not find path: %ls, reason: 0x%x
Failed to format key string.
Registry key not found. Key = '%ls'
Failed to open registry key. Key = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Failed to query registry key value.
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
Failed to open registry key.
Failed to query registry key value size.
Unsupported registry key value type. Type = '%u'
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
Failed to get component path: %d
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
Unsupported product search type: %u
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
section.cpp
Failed to read image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read section info, data to short: %u
Failed to read section info, unsupported version: x
Failed to find container info, too few elements: %u
Failed to select approved exe nodes.
Failed to get approved exe node count.
approvedexe.cpp
Failed to allocate memory for approved exe structs.
Failed to get @Key.
Failed to create executable command.
Failed to create obfuscated executable command.
container.cpp
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get path for executing module.
catalog.cpp
payload.cpp
Failed to get @DownloadUrl.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to get directory portion of local file path
userexperience.cpp
package.cpp
Failed to parse EXE package.
Failed to get @ProviderKey.
Failed to get @ExecutableName.
Failed to get @AboutUrl.
Failed to get @UpdateUrl.
registration.cpp
Failed to overwrite the bundle provider key built-in variable.
Failed to format pending restart registry key to read.
Failed to open registration key.
Failed to create registration key.
Failed to register the bundle dependency key.
Failed to write volatile reboot required registry key.
Failed to delete registration key: %ls
Failed to build uninstall registry key path.
Failed to build cached executable path.
Failed to create run key.
Failed to write run key value.
Failed to delete run key value.
Failed to format the key path for update registration.
Failed to get the formatted key path for update registration.
Failed to create the key for update registration.
Failed to format key for update registration.
Failed to remove update registration key: %ls
Failed to get path for current executing process as layout directory.
Failed to get executing process as layout directory.
Failed to to copy executable name for bundle.
Failed to append execute action.
Failed to add dependent bundle provider key to ignore dependents.
Failed to process passthrough package.
Failed to plan rollback boundary for passthrough package.
plan.cpp
Failed to plan execute package.
Failed to append execute checkpoint.
Failed to calculate execute actions for package: %ls
Unexpected relation type encountered during plan: %d
Failed to add the package provider key "%ls" to the planned list.
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to remove unnecessary execute actions.
Failed to finalize slipstream execute actions.
Failed to append execute checkpoint for cache rollback.
Failed to grow plan's array of execute actions.
Failed to insert keep registration execute action.
Failed to insert remove registration execute action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to get path for executing module as attached container working path.
logging.cpp
Failed to write send message to pipe.
Failed to pump messages during send message to pipe.
pipe.cpp
No status returned to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to process message: %u
Failed to get message over pipe
Failed to create pipe guid.
Failed to convert pipe guid into string.
Failed to allocate pipe name.
Failed to allocate pipe secret.
Failed to create the security descriptor for the connection event and pipe.
Failed to allocate full name of pipe: %ls
Failed to create pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to set pipe to non-blocking.
Failed to wait for child to connect to pipe.
Failed to reset pipe to blocking.
Failed to write secret length to pipe.
Failed to write secret to pipe.
Failed to write our process id to pipe.
Failed to read ACK from pipe.
Failed to allocate name of parent pipe.
Failed to open parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to allocate name of parent cache pipe.
Failed to open companion process with PID: %u
Failed to write message type to pipe.
Failed to read message from pipe.
Failed to read size of verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification process id from parent pipe.
core.cpp
Failed to execute searches.
Failed to detect provider key bundle id.
Failed to report detected related bundles.
Package type not supported by detect yet.
Failed to plan passthrough.
Another per-user setup is already executing.
Another per-machine setup is already executing.
Failed while caching, aborting execution.
Engine cannot start LaunchApprovedExe because it is busy with another action.
UX aborted LaunchApprovedExe begin.
Failed to format passthrough for command-line.
Failed to append passthrough to command-line.
cache.cpp
Failed to get provider state from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to verify expected payload against actual certificate chain.
Failed to seek to checksum in exe header.
Failed to seek to signature table in exe header.
Failed to seek to original data in exe burn section header.
Failed to get certificate public key identifier.
Failed to read certificate thumbprint.
Failed to find expected public key in certificate chain.
elevation.cpp
Failed to create pipe name and client token.
Failed to create pipe and cache pipe.
Failed to write registration operations to message buffer.
Failed to write dependent provider key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to write bundle dependency key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to write approved exe id to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to read file name: %u
Failed to read MSI data: %u
Failed to read approved exe process id.
Invalid launch approved exe message.
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Failed to read registration operations.
Invalid data passed to cache or layout payload.
Failed to read dependent provider key.
Failed to execute dependent registration action for provider key: %ls
Failed to read EXE package id.
Failed to execute EXE package.
Failed to execute MSI package.
Failed to execute MSP package.
Failed to execute MSU package.
Failed to execute package provider action.
Failed to read bundle dependency key from message buffer.
Failed to execute package dependency action.
Invalid message type: %d
Failed to read approved exe id.
Failed to read approved exe arguments.
Failed to read approved exe WaitForInputIdle timeout.
The per-user process requested unknown approved exe with id: %ls
Failed to open the registry key for the approved exe path.
Failed to read the value for the approved exe path.
Failed to verify the executable path is in a secure location: %ls
The executable path is not in a secure location: %ls
Failed to launch approved exe: %ls
Failed to write the approved exe process id to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
splashscreen.cpp
uithread.cpp
EngineForApplication.cpp
Failed to send embedded message over pipe.
Failed to send embedded progress message over pipe.
UX denied while trying to set download URL on embedded payload: %ls
Failed to set download URL.
Failed to set download password.
UX requested unknown approved exe with id: %ls
Failed to post launch approved exe message.
The string is too big: size %u
<the>.cab
cabextract.cpp
Failed to create begin operation event.
Failed to create operation complete event.
Failed to wait for operation complete.
Failed to begin and wait for operation.
Failed to set begin operation event.
Failed to reset operation complete event.
Failed to wait for operation complete event.
Failed to initialize cabinet.dll.
Failed to extract all files from container, erf: %d:%X:%d
Failed to set operation complete event.
Failed to wait for begin operation event.
Failed to reset begin operation event.
Invalid operation for this state.
Failed to move file pointer 0x%x bytes.
Failed to evaluate executable package detect condition.
exeengine.cpp
Invalid package current state: %d.
Failed to insert execute action.
Failed to build executable path.
Invalid Exe package action: %d.
Failed to evaluate executable package command-line condition.
Bootstrapper application aborted during EXE progress.
Failed to wait for executable to complete: %ls
Process returned error: 0x%x
msiengine.cpp
Failed to calculate execute feature state.
Invalid package current state result encountered during plan: %d
Failed to detect compatible package from provider key.
Failed to copy the compatible provider key.
mspengine.cpp
msuengine.cpp
Failed to find Windows directory.
Failed to allocate WUSA.exe path.
dependency.cpp
Failed to get the Key attribute.
Failed to get the Imported attribute.
Failed to get provider key bundle id.
Failed to initialize provider key bundle id.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to insert provider execute action.
Failed to append provider execute action.
Unrecognized registration action type: %d
Failed to append the key "%ls".
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to get the provider key package id.
Failed to copy the provider key.
Failed to open uninstall registry key.
Failed to enumerate uninstall key for related bundles.
Failed to open uninstall key for potential related bundle: %ls
relatedbundle.cpp
Failed to read provider key from registry for bundle: %ls
detect.cpp
Unexpected relation type encountered: %d
Failed to copy update url.
Failed attempt to download update feed from URL: '%ls' to: '%ls'
apply.cpp
BA aborted execute begin.
Failed to execute dependent registration action.
Failed attempt to download URL: '%ls' to: '%ls'
Failed to execute package provider registration action.
Failed to execute dependency action.
Failed to execute compatible package action.
Invalid execute action.
Invalid rollback action: %d.
UX aborted execute EXE package begin.
UX aborted EXE progress.
Failed to configure per-machine EXE package.
Failed to configure per-user EXE package.
UX aborted EXE package execute progress.
UX aborted execute MSI package begin.
UX aborted MSI package execute progress.
UX aborted execute MSP package begin.
BA aborted execute MSP target.
UX aborted MSP package execute progress.
UX aborted execute MSU package begin.
UX aborted MSU package execute progress.
Failed to parse approved exes.
pseudobundle.cpp
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy install arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to create embedded pipe name and client token.
Failed to create embedded pipe.
embedded.cpp
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded executable: %ls
Unexpected embedded message sent to child process, msg: %u
NetFxChainer.cpp
bitsengine.cpp
Invalid BITS engine URL: %ls
Failed to copy download URL.
operator
operator ""
buffutil.cpp
cryputil.cpp
logutil.cpp
Error 0x%x: %ls
Executable: %ls v%d.%d.%d.%d
memutil.cpp
pathutil.cpp
procutil.cpp
RegDeleteKeyExW
regutil.cpp
srputil.cpp
strutil.cpp
wiutil.cpp
xmlutil.cpp
kernel32.dll
shelutil.cpp
wuautil.cpp
fileutil.cpp
dirutil.cpp
dictutil.cpp
aclutil.cpp
certutil.cpp
svcutil.cpp
dlutil.cpp
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Unknown HTTP status code %d, returned from URL: %ls
atomutil.cpp
apuputil.cpp
timeutil.cpp
inetutil.cpp
uriutil.cpp
deputil.cpp
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
C:\build\work\eca3d12b\wix3\build\ship\x86\burn.pdb
.text$di
.text$mn
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.wixburn
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjects
USER32.dll
OLEAUT32.dll
GDI32.dll
SHELL32.dll
ole32.dll
GetWindowsDirectoryW
ConnectNamedPipe
SetNamedPipeHandleState
CreateNamedPipeW
SetThreadExecutionState
KERNEL32.dll
Cabinet.dll
CryptHashPublicKeyInfo
CRYPT32.dll
msi.dll
RPCRT4.dll
WININET.dll
WINTRUST.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
ShellExecuteExW
VERSION.dll
GetCPInfo
GetProcessHeap
CertGetCertificateContextProperty
SHLWAPI.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
InternetCrackUrlW
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
LaunchApprovedExe begin, id: %1!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Application canceled operation: %2!ls!, error: %1!ls!
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="setup.exe" version="1.0.0.0" processorArchitecture="x86" type="win32"></assemblyIdentity><description>WiX Toolset Bootstrapper</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
WixBundleExecutePackageCacheFolder
WixBundleExecutePackageAction
WixBundleProviderKey
NTSuiteWebServer
WindowsFolder
WindowsVolume
[\%c]
.[%d]
.WiX Burn
SOFTWARE\Microsoft\Windows\CurrentVersion
.ComponentId
.keyPath
.language
ApprovedExeForElevation
.ValueName
"%ls" %s
.Attached
DownloadUrl
.FileSize
CertificateRootPublicKeyIdentifier
CertificateRootThumbprint
.ba%d
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
.Size
.PerMachine
.RollbackLogPathVariable
.InstallCondition
.PatchTargetCode
.Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
BundleProviderKey
burn.runonce
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%ls.RebootRequired
URLInfoAbout
URLUpdateInfo
ParentKeyName
ProviderKey
.ExecutableName
AboutUrl
UpdateUrl
.DisableModify
.Filename
8%s\%s
.%s\state.rsm
.RelatedBundle
%ls%hs%ls_u_%ls%ls.%ls
SOFTWARE\Policies\Microsoft\Windows\Installer
.burn.elevated
burn.unelevated
\\.\pipe\%ls
\\.\pipe\%ls.Cache
BurnPipe.%s
s-%ls %ls %ls %u %ls
-q -%ls %ls %ls %u
.open
burn.embedded
burn.log.append
burn.related.detect
burn.related.upgrade
burn.related.addon
burn.related.patch
burn.related.update
burn.passthrough
burn.disable.unelevate
burn.ignoredependencies
burn.ancestors
/passive
passive
.unverified
.PackageCache
.WixBurnMessageWindow
.update\%ls
.DetectCondition
.InstallArguments
.Repairable
.UninstallArgument
.MsiProperty
.RollbackValue
%s$="%s"
ADDLOCAL="%s"
ADDSOURCE="%s"
ADDDEFAULT="%s"
. REINSTALL="%s"
ADVERTISE="%s"
REMOVE="%s"
wusa.exe
.wuauserv
Imported
.Chain
.%ls -%ls %ls %ls %u
.%ls /pipe %ls
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
AdvApi32.dll
Crypt32.dll
s0xx
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
\\?\UNC
%ls_uuuuuu%ls%ls%ls
srclient.dll
Msi.dll
Msxml2.DOMDocument
MSXML.DOMDocument
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Microsoft.Update.AutoUpdate
PendingFileRenameOperations
%u.%u.%u.%u
hXXp://appsyndication.org/2006/appsyn
hu-hu-huThu:hu:hu%cu:u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\adguard\setup.exe
6.1.331.1732
setup.exe
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup.exe:1624
1.exe:4044
2.exe:2276
%original file name%.exe:2196
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1035\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1029\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1051\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.dll (2327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1053\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1042\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\3082\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1032\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\tr\Adguard.Burn.resources.dll (1705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1045\mbapreq.wxl (425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hu\Adguard.Burn.resources.dll (596 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\zh\Adguard.Burn.resources.dll (858 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\2070\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1043\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Adguard_20170403152745.log (38305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\BootstrapperApplicationData.xml (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\nl\Adguard.Burn.resources.dll (571 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\es\Adguard.Burn.resources.dll (1367 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1041\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1036\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1031\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1049\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbahost.dll (1297 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1040\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1060\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\BootstrapperCore.dll (1778 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\pt\Adguard.Burn.resources.dll (1054 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1028\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1046\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1044\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\pl\Adguard.Burn.resources.dll (507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1055\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\BootstrapperCore.config (805 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\it\Adguard.Burn.resources.dll (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\sr\Adguard.Burn.resources.dll (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\Adguard.Burn.dll (32892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\zh-TW\Adguard.Burn.resources.dll (1656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\he\Adguard.Burn.resources.dll (658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\de\Adguard.Burn.resources.dll (1992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\2052\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1030\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\ja\Adguard.Burn.resources.dll (681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\1038\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\ru\Adguard.Burn.resources.dll (2256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.png (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hr\Adguard.Burn.resources.dll (1754 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\mbapreq.thm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{e2a82ed3-dba7-43f6-8ef3-e303140c55dd}\.ba1\hy\Adguard.Burn.resources.dll (396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\adguard\setup.exe (17400294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B91M244W.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\setup[1].exe (17129277 bytes)
C:\ProgramData\WindowsTask\fafa.exe (11518 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut427D.tmp (3505 bytes)
C:\ProgramData\System32\Logs\WUDhost.exe (2461 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut4182.tmp (14190 bytes)
C:\ProgramData\System32\Logs\fafa.exe (11518 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WUDhost.exe.lnk (828 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe (173 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe (147 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
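The manual steps above name sandbox-specific PIDs and a long file list in which two different things are mixed: the `{e2a82ed3-...}\.ba1\` tree (mbapreq.*, BootstrapperCore.dll, Adguard.Burn*.dll) is the WiX Burn bootstrapper application unpacked by the downloaded Adguard setup.exe, as the "WiX Toolset Bootstrapper" manifest string above shows, while the copies of WUDhost.exe and fafa.exe under C:\ProgramData and the WUDhost.exe.lnk in the user's Startup folder are the persistence that survives a reboot. The following PowerShell sweep is an added example written for this page, not part of the Lavasoft report or of any vendor tool; it checks a host for the ProgramData, Temp and Startup artifacts the report lists, matches processes by image name rather than by the report's PIDs, hashes whatever it finds against the sample's SHA256 from the report header, and only deletes when run with `-Remove`. Function names and the `-Remove` switch are my own; the paths, process names and hash come from the report.

```powershell
# Added example (not from the Lavasoft report): IOC sweep for the artifacts
# listed above. Run from an elevated PowerShell 5.1+ session as the affected
# user; pass -Remove to actually stop processes and delete files.
param([switch]$Remove)

# SHA256 of the analysed sample, taken from the report header.
$SampleSha256 = 'b04069a274b9714acc68c3ddf4420b7a51d0f5745f98ac44cb025f0968b121bf'

# Startup-folder link the report lists as created by the sample.
$StartupLnk = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\WUDhost.exe.lnk"

# Dropped files and persistence locations taken from the report's file list.
$Paths = @(
    "$env:ProgramData\System32\Logs\WUDhost.exe",
    "$env:ProgramData\System32\Logs\fafa.exe",
    "$env:ProgramData\WindowsTask\fafa.exe",
    "$env:LOCALAPPDATA\Temp\1.exe",
    "$env:LOCALAPPDATA\Temp\2.exe",
    $StartupLnk
)

# Image names of the processes the report says the sample creates or injects
# into. The PIDs in the report are specific to the sandbox run, so match on name.
$ProcNames = @('WUDhost', '1', '2')

function Get-IocFileHits {
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            [pscustomobject]@{
                Path          = $p
                Size          = (Get-Item -LiteralPath $p).Length
                Sha256        = $h
                # True only if the dropped file is a byte-for-byte copy of the
                # analysed sample; other hashes are still worth keeping for correlation.
                MatchesSample = ($h -eq $SampleSha256)
            }
        }
    }
}

function Get-IocProcesses {
    Get-Process -Name $ProcNames -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path
}

# Resolve the Startup .lnk target so the launched binary is captured even if
# the report's ProgramData paths were changed on this host.
function Resolve-StartupLinkTarget {
    if (Test-Path -LiteralPath $StartupLnk) {
        $shell = New-Object -ComObject WScript.Shell
        $shell.CreateShortcut($StartupLnk).TargetPath
    }
}

$hits   = @(Get-IocFileHits)
$procs  = @(Get-IocProcesses)
$target = Resolve-StartupLinkTarget

$hits  | Format-Table -AutoSize
$procs | Format-Table -AutoSize
if ($target) { "Startup link target: $target" }

if ($Remove) {
    # Stop the processes first so the files are not locked, then delete.
    foreach ($proc in $procs) {
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }
    foreach ($hit in $hits) {
        Remove-Item -LiteralPath $hit.Path -Force -ErrorAction Continue
    }
    if ($target -and (Test-Path -LiteralPath $target)) {
        Remove-Item -LiteralPath $target -Force -ErrorAction Continue
    }
    "Removed $($hits.Count) file(s); reboot to clear the in-memory copies noted in the report."
}
```

Run it once without `-Remove` and keep the table output (paths, sizes, hashes) as evidence before deleting anything; the `Size` column lets you compare against the byte counts in the report, and a hash that does not match the sample is expected for the dropped helpers, which the report lists as separate files. The Temporary Internet Files `setup[1].exe` and the `.ba1` bootstrapper tree are left alone on purpose: they are the downloaded installer and its unpacked UI, and the report does not attribute any persistence to them.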