Worm.Win32.AutoItGen_26df0b3916

by malwarelabrobot on February 13th, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR, WormAutoItGen.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Worm, PUP


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 26df0b3916a792e8876cff097b2d76ef
SHA1: 148a1687d971be0fa2767644be43ca2c5fe41b6f
SHA256: df64ffe221a0d025121926e2e3934df59463b3dc1d8577ee143bc51bcd5e5c78
SSDeep: 98304:bejlMkuV N3cVcy54bj4mUHBZGVOdNHuY1lGV:b2E0Bju6/0B4QdNHuGlY
Size: 5144648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-25 08:12:58
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Worm. A program that primarily replicates over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

dotNetFx40_Full_x86_x64.exe:608
%original file name%.exe:2280
%original file name%.exe:912

The Worm injects its code into the following process(es):

Setup.exe:2864

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Setup.exe:2864 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI5C54.tmp.html (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI61F2.tmp.html (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_042118442.html (159496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20150212_042118973.html (1410924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_0 (20 bytes)

The process dotNetFx40_Full_x86_x64.exe:608 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\e4ee511aec94f6616b59d4b9c3\1025\eula.rtf (7 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended.mzz (328309 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll (512 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe (576 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\LocalizedData.xml (92 bytes)
C:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll (1371 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\LocalizedData.xml (865 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate1.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x64.msi (6999 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\Parameterinfo.xml (1912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\LocalizedData.xml (911 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\header.bmp (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DisplayIcon.ico (538 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\LocalizedData.xml (766 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\LocalizedData.xml (321 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x64.msu (37124 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\LocalizedData.xml (263 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Print.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate6.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\LocalizedData.xml (229 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate5.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe (1495 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqNotMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9RAST_x64.msi (824 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DHtmlHeader.html (984 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\LocalizedData.xml (242 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll (227 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\UiInfo.xml (622 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll (914 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.xsd (30 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\eula.rtf (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll (81 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll (2015 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\LocalizedData.xml (90 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9Rast_x86.msi (875 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\LocalizedData.xml (744 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\ParameterInfo.xml (2261 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\stop.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\LocalizedData.xml (593 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SplashScreen.bmp (31 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x86.msu (15000 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll (15 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\LocalizedData.xml (1042 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\LocalizedData.xml (587 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\LocalizedData.xml (535 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\eula.rtf (5 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Strings.xml (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll (16 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\warn.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\LocalizedData.xml (613 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate2.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\LocalizedData.xml (1168 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate7.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll (122 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\LocalizedData.xml (1482 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\LocalizedData.xml (301 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll (779 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\LocalizedData.xml (156 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate4.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\watermark.bmp (531 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x64.msi (14022 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\LocalizedData.xml (873 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\LocalizedData.xml (219 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll (5583 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Setup.ico (57 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\Parameterinfo.xml (1030 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\eula.rtf (8 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll (644 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x64.msu (38528 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate8.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Save.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate3.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\LocalizedData.xml (810 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\eula.rtf (891 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core.mzz (1381912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x86.msi (7866 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt (2445 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x86.msu (15320 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\eula.rtf (12 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x86.msi (2812 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\LocalizedData.xml (480 bytes)

The process %original file name%.exe:2280 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\state.rsm (930 bytes)
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe (8657 bytes)
C:\ProgramData\regid.2008-09.org.wixtoolset\regid.2008-09.org.wixtoolset doPDF 8.swidtag (886 bytes)

The process %original file name%.exe:912 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll (2546 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1044\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1055\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2052\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.thm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1032\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll (1663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll (1733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1045\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1030\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\roro.config (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1043\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1038\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperApplicationData.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1031\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.wxl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1036\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2070\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1035\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe (148700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log (26471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1060\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\License.htm (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1051\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full.R (6168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1053\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1042\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.png (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.config (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\3082\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\enus.config (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-image.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1041\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1049\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1040\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1029\mbapreq.wxl (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full (404972 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1028\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-text.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1046\mbapreq.wxl (2 bytes)

Registry activity

The process %original file name%.exe:2280 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"BundleTag" = "Type: REG_SZ, Length: 0"
"URLInfoAbout" = "http://www.dopdf.com"
"Publisher" = "Softland"
"EstimatedSize" = "49267"
"BundleDetectCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleCachePath" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe"
"EngineVersion" = "3.10.1124.0"
"BundleResumeCommandLine" = " /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log"
"BundlePatchCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleVersion" = "8.1.923.0"
"NoElevateOnModify" = "1"
"DisplayName" = "doPDF 8"

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"DisplayName" = "doPDF 8"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"DisplayVersion" = "8.1.923"
"BundleProviderKey" = "{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}"
"DisplayIcon" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe,0"

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"Version" = "8.1.923.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"ModifyPath" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /modify"
"BundleUpgradeCode" = "{AAA27109-5C52-48DC-8DAD-FBEBB79245D5}"

"QuietUninstallString" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /uninstall /quiet"
"Resume" = "1"
"BundleAddonCode" = "Type: REG_MULTI_SZ, Length: 0"

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"(Default)" = "{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"UninstallString" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /uninstall"

To run itself automatically each time Windows boots, the Worm adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /burn.runonce"

The Worm deletes the following value(s) in system registry:

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Dependents\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"MinVersion"
"MaxVersion"

The process %original file name%.exe:912 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
"WpadDecisionTime" = "BA A8 84 7F 6A 46 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "BA A8 84 7F 6A 46 D0 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"
"WpadNetworkName" = "Network"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
251743dfd3fda414570524bac9e55381 c:\ProgramData\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe
a49949aff7282015a15fbfb7bd18ab05 c:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe
251743dfd3fda414570524bac9e55381 c:\Users\All Users\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe
a49949aff7282015a15fbfb7bd18ab05 c:\Users\All Users\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe
642e2ae9844847f82a472000c9d05a75 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll
4b788007e99e73f701d1f4eb1042418c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll
7553ac91bee22c474772e7eea9715800 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll
b9bc7ac88171cf0974c9bc7bc03e25d5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll
a49949aff7282015a15fbfb7bd18ab05 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe
35b62b395968b7754c298fbb410e9821 c:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll
7c136b92983cec25f85336056e45f3e8 c:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll
62876c2fe28b1b5c434b9fad80abe9f9 c:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll
9f0cd8981979154cc2a6393da42731c5 c:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll
7c9ae49b3a400c728a55dd1cacc8ffb2 c:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll
e663b67a66adf9375d1d183ca5fdd23d c:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll
9547d24ac04b4d0d1dbf84f74f54faf7 c:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll
881adf55d51976ca592033a7adf620b8 c:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll
93f57216fe49e7e2a75844edfccc2e09 c:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll
06cc83e6c677db13757df4242f5679f7 c:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll
c1bf3d63576d619b24837b72986dfad4 c:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll
e4860fc5d4c114d5c0781714f3bf041a c:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll
278fd7595b580a016705d00be363612f c:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll
fcfd69ec15a6897a940b0435439bf5fc c:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll
76d6e9f15d842e6a56ee42c9c5ccabca c:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll
bacea57a781c43738a3b065103479bb5 c:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll
550c79640eee713c73eb67b0736a92e6 c:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll
86cb58f2b6bc1174d200d0abe5497233 c:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll
7ef74af6ab5760950a1d233c582099f1 c:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll
28813510b82f45868b5bdc67fff9c9fa c:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll
357a1cbf08a83e657ffae8639ac1212a c:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll
407cdb7e1c2c862b486cde45f863ae6e c:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll
58cb55fa4d9e2f62f675720b1269137d c:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll
7c136b92983cec25f85336056e45f3e8 c:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll
b057315a8c04df29b7e4fd2b257b75f4 c:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll
006f8a615020a4a17f5e63801485df46 c:\e4ee511aec94f6616b59d4b9c3\Setup.exe
84c1daf5f30ff99895ecab3a55354bcf c:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll
eb881e3dddc84b20bd92abcec444455f c:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll
8dfbb95989af28058c7431704ce7cd66 c:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe
3f0363b40376047eff6a9b97d633b750 c:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: S
Product Name: d
Product Version: 8
Legal Copyright: C
Legal Trademarks:
Original Filename: n
Internal Name: setup
File Version: 8
File Description: d
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 297741 297984 4.55001 5d26d6a643d19ae02fc6861dbd240657
.rdata 303104 126876 126976 3.54022 8ec8f775f2a3c9e81506399acc167ad0
.data 430080 12960 3584 2.25979 2bde230c16419018f3330ed33e77178f
.wixburn 446464 56 512 0.52525 897e35e997b93373c8f34458609bda8d
.tls 450560 13 512 0.014135 8e3343efa9afc26ac6caf49228cbe049
.rsrc 454656 651556 651776 1.97334 d6f58c17a995faf274e2952bd6b2a07f
.reloc 1110016 16272 16384 4.68287 0e971942c19fd1a124065da269606dff

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.go.microsoft.akadns.net/fwlink/?LinkId=164193
hxxp://a767.dscms.akamai.net/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f 88.221.132.177
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.43.139.27
hxxp://crl.verisign.com/pca3.crl 23.43.133.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 88.221.132.175
hxxp://go.microsoft.com/fwlink/?LinkId=164193 134.170.189.4
hxxp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe 80.239.149.72
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0 88.221.132.177
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 88.221.132.175


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Thu, 12 Feb 2015 02:23:43 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.5
VTag: 438410416000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:23:43 GMT
Connection: keep-alive



GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.5
VTag: 4389615400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:23:43 GMT
Connection: keep-alive



GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 438346843700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:23:44 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=411760, public, no-transform, must-revalidate
Last-Modified: Mon, 9 Feb 2015 20:44:25 GMT
Expires: Mon, 16 Feb 2015 20:44:25 GMT
Date: Thu, 12 Feb 2015 02:24:46 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT
Accept-Ranges: bytes
ETag: "75565c7ac03ad01:0"
Server: Microsoft-IIS/8.0
VTag: 279610143200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:24:14 GMT
Connection: keep-alive

<<< skipped >>>

HEAD /fwlink/?LinkId=164193 HTTP/1.1
Accept: */*
User-Agent: Burn
Host: go.microsoft.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4


HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 236
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Feb 2015 02:19:38 GMT
Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 12 Feb 2015 02:20:37 GMT



GET /fwlink/?LinkId=164193 HTTP/1.1
Accept: */*
User-Agent: Burn
Host: go.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Feb 2015 02:19:39 GMT
Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 12 Feb 2015 02:20:38 GMT
Content-Length: 236
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe">here</a>.</h2>
</body></html>


GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com


HTTP/1.1 200 OK
Server: Apache
ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"
Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT
Date: Thu, 12 Feb 2015 02:24:44 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT
Accept-Ranges: bytes
ETag: "803565fb436d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 57591
Date: Thu, 12 Feb 2015 02:24:15 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=495772, public, no-transform, must-revalidate
Last-Modified: Tue, 10 Feb 2015 20:04:39 GMT
Expires: Tue, 17 Feb 2015 20:04:39 GMT
Date: Thu, 12 Feb 2015 02:24:44 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=371792, public, no-transform, must-revalidate
Last-Modified: Mon, 9 Feb 2015 09:39:15 GMT
Expires: Mon, 16 Feb 2015 09:39:15 GMT
Date: Thu, 12 Feb 2015 02:24:43 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=411638, public, no-transform, must-revalidate
Last-Modified: Mon, 9 Feb 2015 20:44:24 GMT
Expires: Mon, 16 Feb 2015 20:44:24 GMT
Date: Thu, 12 Feb 2015 02:24:43 GMT
Connection: keep-alive

<<< skipped >>>

HEAD /download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe HTTP/1.1
Accept: */*
User-Agent: Burn
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Host: download.microsoft.com


HTTP/1.1 200 OK
Content-Length: 50449456
Content-Type: application/octet-stream
Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT
Accept-Ranges: bytes
ETag: "2a1457bc5c7ca1:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Date: Thu, 12 Feb 2015 02:20:39 GMT
Connection: keep-alive



GET /download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe HTTP/1.1
Accept: */*
User-Agent: Burn
Host: download.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT
ETag: "2a1457bc5c7ca1:0"
Content-Length: 50449456
Date: Thu, 12 Feb 2015 02:20:39 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=518392, public, no-transform, must-revalidate
Last-Modified: Wed, 11 Feb 2015 02:24:43 GMT
Expires: Wed, 18 Feb 2015 02:24:43 GMT
Date: Thu, 12 Feb 2015 02:24:51 GMT
Connection: keep-alive


The Worm connects to the servers at the following location(s):

%original file name%.exe_2280:

.text
`.rdata
@.data
.wixburn8
@.tls
.rsrc
@.reloc
8.wixu
engine.cpp
3.10.1124.0
Failed to create pipes to connect to elevated parent process.
Failed to set elevated pipe into thread local storage for logging.
variable.cpp
Unsupported variable type.
Setting variable failed: ID '%ls', HRESULT 0x%x
Failed to find DllGetVersion entry point in msi.dll.
Failed to get msi.dll version info.
Failed to get windows directory.
Failed to open Windows folder key.
condition.cpp
Failed to parse condition '%ls' at position: %u
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
search.cpp
Failed to get Key attribute.
Directory search: %ls, did not find path: %ls, reason: 0x%x
Failed to format key string.
Registry key not found. Key = '%ls'
Failed to open registry key. Key = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Failed to query registry key value.
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
Failed to open registry key.
Failed to query registry key value size.
Unsupported registry key value type. Type = '%u'
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
Failed to get component path: %d
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
Unsupported product search type: %u
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
section.cpp
Failed to read image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read section info, data to short: %u
Failed to read section info, unsupported version: x
Failed to find container info, too few elements: %u
Failed to select approved exe nodes.
Failed to get approved exe node count.
approvedexe.cpp
Failed to allocate memory for approved exe structs.
Failed to get @Key.
Failed to create executable command.
Failed to create obfuscated executable command.
container.cpp
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get path for executing module.
catalog.cpp
payload.cpp
Failed to get @DownloadUrl.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to get directory portion of local file path
userexperience.cpp
package.cpp
Failed to parse EXE package.
Failed to get @ProviderKey.
Failed to get @ExecutableName.
Failed to get @AboutUrl.
Failed to get @UpdateUrl.
registration.cpp
Failed to overwrite the bundle provider key built-in variable.
Failed to format pending restart registry key to read.
Failed to open registration key.
Failed to create registration key.
Failed to register the bundle dependency key.
Failed to write volatile reboot required registry key.
Failed to delete registration key: %ls
Failed to build uninstall registry key path.
Failed to build cached executable path.
Failed to create run key.
Failed to write run key value.
Failed to delete run key value.
Failed to format the key path for update registration.
Failed to get the formatted key path for update registration.
Failed to create the key for update registration.
Failed to format key for update registration.
Failed to remove update registration key: %ls
Failed to get path for current executing process as layout directory.
Failed to get executing process as layout directory.
Failed to to copy executable name for bundle.
Failed to append execute action.
Failed to add dependent bundle provider key to ignore dependents.
Failed to process passthrough package.
Failed to plan rollback boundary for passthrough package.
plan.cpp
Failed to plan execute package.
Failed to append execute checkpoint.
Unexpected relation type encountered during plan: %d
Failed to add the package provider key "%ls" to the planned list.
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to remove unnecessary execute actions.
Failed to finalize slipstream execute actions.
Failed to append execute checkpoint for cache rollback.
Failed to grow plan's array of execute actions.
Failed to insert keep registration execute action.
Failed to insert remove registration execute action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to get path for executing module as attached container working path.
logging.cpp
Failed to write send message to pipe.
Failed to pump messages during send message to pipe.
pipe.cpp
No status returned to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to process message: %u
Failed to get message over pipe
Failed to create pipe guid.
Failed to convert pipe guid into string.
Failed to allocate pipe name.
Failed to allocate pipe secret.
Failed to create the security descriptor for the connection event and pipe.
Failed to allocate full name of pipe: %ls
Failed to create pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to set pipe to non-blocking.
Failed to wait for child to connect to pipe.
Failed to reset pipe to blocking.
Failed to write secret length to pipe.
Failed to write secret to pipe.
Failed to write our process id to pipe.
Failed to read ACK from pipe.
Failed to allocate name of parent pipe.
Failed to open parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to allocate name of parent cache pipe.
Failed to open companion process with PID: %u
Failed to write message type to pipe.
Failed to read message from pipe.
Failed to read size of verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification process id from parent pipe.
core.cpp
Failed to execute searches.
Failed to detect provider key bundle id.
Failed to report detected related bundles.
Package type not supported by detect yet.
Failed to plan passthrough.
Another per-user setup is already executing.
Another per-machine setup is already executing.
Failed while caching, aborting execution.
Engine cannot start LaunchApprovedExe because it is busy with another action.
UX aborted LaunchApprovedExe begin.
Failed to format passthrough for command-line.
Failed to append passthrough to command-line.
cache.cpp
Failed to get provider state from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to verify expected payload against actual certificate chain.
Failed to seek to checksum in exe header.
Failed to seek to signature table in exe header.
Failed to seek to original data in exe burn section header.
Failed to get certificate public key identifier.
Failed to read certificate thumbprint.
Failed to find expected public key in certificate chain.
elevation.cpp
Failed to create pipe name and client token.
Failed to create pipe and cache pipe.
Failed to write registration operations to message buffer.
Failed to write dependent provider key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to write bundle dependency key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to write approved exe id to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to read file name: %u
Failed to read MSI data: %u
Failed to read approved exe process id.
Invalid launch approved exe message.
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Failed to read registration operations.
Invalid data passed to cache or layout payload.
Failed to read dependent provider key.
Failed to execute dependent registration action for provider key: %ls
Failed to read exe package.
Failed to execute EXE package.
Failed to execute MSI package.
Failed to execute MSP package.
Failed to execute MSU package.
Failed to execute package provider action.
Failed to read bundle dependency key from message buffer.
Failed to execute package dependency action.
Invalid message type: %d
Failed to read approved exe id.
Failed to read approved exe arguments.
Failed to read approved exe WaitForInputIdle timeout.
The per-user process requested unknown approved exe with id: %ls
Failed to open the registry key for the approved exe path.
Failed to read the value for the approved exe path.
Failed to verify the executable path is in a secure location: %ls
The executable path is not in a secure location: %ls
Failed to launch approved exe: %ls
Failed to write the approved exe process id to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
splashscreen.cpp
uithread.cpp
EngineForApplication.cpp
Failed to send embedded message over pipe.
Failed to send embedded progress message over pipe.
UX denied while trying to set download URL on embedded payload: %ls
Failed to set download URL.
Failed to set download password.
UX requested unknown approved exe with id: %ls
Failed to post launch approved exe message.
The string is too big: size %u
<the>.cab
cabextract.cpp
Failed to create begin operation event.
Failed to create operation complete event.
Failed to wait for operation complete.
Failed to begin and wait for operation.
Failed to set begin operation event.
Failed to reset operation complete event.
Failed to wait for operation complete event.
Failed to initialize cabinet.dll.
Failed to extract all files from container, erf: %d:%X:%d
Failed to set operation complete event.
Failed to wait for begin operation event.
Failed to reset begin operation event.
Invalid operation for this state.
Failed to move file pointer 0x%x bytes.
exeengine.cpp
Failed to evaluate executable package detect condition.
Invalid package current state: %d.
Failed to insert execute action.
Failed to build executable path.
Failed to get action arguments for executable package.
Bootstrapper application aborted during EXE progress.
Failed to wait for executable to complete: %ls
Process returned error: 0x%x
msiengine.cpp
Failed to calculate execute feature state.
Invalid package current state result encountered during plan: %d
Failed to detect compatible package from provider key.
Failed to copy the compatible provider key.
mspengine.cpp
msuengine.cpp
Failed to find Windows directory.
Failed to allocate WUSA.exe path.
dependency.cpp
Failed to get the Key attribute.
Failed to get the Imported attribute.
Failed to get provider key bundle id.
Failed to initialize provider key bundle id.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to insert provider execute action.
Failed to append provider execute action.
Unrecognized registration action type: %d
Failed to append the key "%ls".
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to get the provider key package id.
Failed to copy the provider key.
Failed to open uninstall registry key.
Failed to enumerate uninstall key for related bundles.
Failed to open uninstall key for potential related bundle: %ls
relatedbundle.cpp
Failed to read provider key from registry for bundle: %ls
detect.cpp
Unexpected relation type encountered: %d
Failed to copy update url.
Failed attempt to download update feed from URL: '%ls' to: '%ls'
apply.cpp
BA aborted execute begin.
Failed to execute dependent registration action.
Failed attempt to download URL: '%ls' to: '%ls'
Failed to execute package provider registration action.
Failed to execute dependency action.
Failed to execute compatible package action.
Invalid execute action.
Invalid rollback action: %d.
UX aborted execute EXE package begin.
UX aborted EXE progress.
Failed to configure per-machine EXE package.
Failed to configure per-user EXE package.
UX aborted EXE package execute progress.
UX aborted execute MSI package begin.
UX aborted MSI package execute progress.
UX aborted execute MSP package begin.
BA aborted execute MSP target.
UX aborted MSP package execute progress.
UX aborted execute MSU package begin.
UX aborted MSU package execute progress.
Failed to parse approved exes.
pseudobundle.cpp
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy install arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to create embedded pipe name and client token.
Failed to create embedded pipe.
embedded.cpp
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded executable: %ls
Unexpected embedded message sent to child process, msg: %u
NetFxChainer.cpp
k"bitsengine.cpp
Invalid BITS engine URL: %ls
Failed to copy download URL.
operator
operator ""
GetProcessWindowStation
buffutil.cpp
cryputil.cpp
logutil.cpp
Error 0x%x: %ls
Executable: %ls v%d.%d.%d.%d
memutil.cpp
pathutil.cpp
procutil.cpp
RegDeleteKeyExW
regutil.cpp
srputil.cpp
strutil.cpp
wiutil.cpp
xmlutil.cpp
kernel32.dll
shelutil.cpp
Kwuautil.cpp
fileutil.cpp
dirutil.cpp
dictutil.cpp
aclutil.cpp
certutil.cpp
svcutil.cpp
dlutil.cpp
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Unknown HTTP status code %d, returned from URL: %ls
atomutil.cpp
apuputil.cpp
timeutil.cpp
inetutil.cpp
uriutil.cpp
deputil.cpp
C:\src\wix39\build\ship\x86\burn.pdb
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjects
USER32.dll
OLEAUT32.dll
GDI32.dll
SHELL32.dll
ole32.dll
GetWindowsDirectoryW
ConnectNamedPipe
SetNamedPipeHandleState
CreateNamedPipeW
SetThreadExecutionState
KERNEL32.dll
Cabinet.dll
CryptHashPublicKeyInfo
CRYPT32.dll
msi.dll
RPCRT4.dll
WININET.dll
WINTRUST.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
ShellExecuteExW
VERSION.dll
GetCPInfo
GetProcessHeap
CertGetCertificateContextProperty
SHLWAPI.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
InternetCrackUrlW
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
LaunchApprovedExe begin, id: %1!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Application canceled operation: %2!ls!, error: %1!ls!
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="setup.exe" version="1.0.0.0" processorArchitecture="x86" type="win32"></assemblyIdentity><description>WiX Toolset Bootstrapper</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
WixBundleExecutePackageCacheFolder
WixBundleProviderKey
NTSuiteWebServer
WindowsFolder
WindowsVolume
[\%c]
.[%d]
.WiX Burn
SOFTWARE\Microsoft\Windows\CurrentVersion
.ComponentId
.keyPath
.language
ApprovedExeForElevation
.ValueName
"%ls" %s
.Attached
DownloadUrl
.FileSize
CertificateRootPublicKeyIdentifier
CertificateRootThumbprint
.ba%d
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
.Size
.PerMachine
.RollbackLogPathVariable
.InstallCondition
.PatchTargetCode
.Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
BundleProviderKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%ls.RebootRequired
URLInfoAbout
URLUpdateInfo
ParentKeyName
burn.runonce
ProviderKey
.ExecutableName
AboutUrl
UpdateUrl
.DisableModify
.Filename
8%s\%s
.%s\state.rsm
.RelatedBundle
%ls%hs%ls_u_%ls%ls.%ls
uSOFTWARE\Policies\Microsoft\Windows\Installer
\\.\pipe\%ls
\\.\pipe\%ls.Cache
burn.elevated
burn.unelevated
BurnPipe.%s
s-%ls %ls %ls %u %ls
-q -%ls %ls %ls %u
.open
burn.embedded
burn.log.append
burn.related.detect
burn.related.upgrade
burn.related.addon
burn.related.patch
burn.related.update
burn.passthrough
burn.disable.unelevate
burn.ignoredependencies
burn.ancestors
/passive
passive
.unverified
.PackageCache
.WixBurnMessageWindow
.update\%ls
.InstallArguments
.Repairable
.MsiProperty
.RollbackValue
%s$="%s"
ADDLOCAL="%s"
ADDSOURCE="%s"
ADDDEFAULT="%s"
. REINSTALL="%s"
ADVERTISE="%s"
REMOVE="%s"
wusa.exe
.wuauserv
Imported
.Chain
.%ls -%ls %ls %ls %u
.%ls /pipe %ls
- Attempt to initialize the CRT more than once.
mscoree.dll
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_downlevel.cpp
user32.dll
desktopcrt140
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_nonmsdk.cpp
__acrt_post_initialize_nonmsdk_dependencies
portuguese-brazilian
AdvApi32.dll
Crypt32.dll
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
\\?\UNC
%ls_uuuuuu%ls%ls%ls
srclient.dll
pMsi.dll
Msxml2.DOMDocument
MSXML.DOMDocument
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
pMicrosoft.Update.AutoUpdate
PendingFileRenameOperations
%u.%u.%u.%u
hXXp://appsyndication.org/2006/appsyn
hu-hu-huThu:hu:hu%cu:u
c:\%original file name%.exe
8.1.923
novapdf.exe

%original file name%.exe_912:

.text
`.rdata
@.data
.wixburn8
@.tls
.rsrc
@.reloc
8.wixu
engine.cpp
3.10.1124.0
Failed to create pipes to connect to elevated parent process.
Failed to set elevated pipe into thread local storage for logging.
variable.cpp
Unsupported variable type.
Setting variable failed: ID '%ls', HRESULT 0x%x
Failed to find DllGetVersion entry point in msi.dll.
Failed to get msi.dll version info.
Failed to get windows directory.
Failed to open Windows folder key.
condition.cpp
Failed to parse condition '%ls' at position: %u
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
search.cpp
Failed to get Key attribute.
Directory search: %ls, did not find path: %ls, reason: 0x%x
Failed to format key string.
Registry key not found. Key = '%ls'
Failed to open registry key. Key = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Failed to query registry key value.
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
Failed to open registry key.
Failed to query registry key value size.
Unsupported registry key value type. Type = '%u'
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
Failed to get component path: %d
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
Unsupported product search type: %u
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
section.cpp
Failed to read image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read section info, data to short: %u
Failed to read section info, unsupported version: x
Failed to find container info, too few elements: %u
Failed to select approved exe nodes.
Failed to get approved exe node count.
approvedexe.cpp
Failed to allocate memory for approved exe structs.
Failed to get @Key.
Failed to create executable command.
Failed to create obfuscated executable command.
container.cpp
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get path for executing module.
catalog.cpp
payload.cpp
Failed to get @DownloadUrl.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to get directory portion of local file path
userexperience.cpp
package.cpp
Failed to parse EXE package.
Failed to get @ProviderKey.
Failed to get @ExecutableName.
Failed to get @AboutUrl.
Failed to get @UpdateUrl.
registration.cpp
Failed to overwrite the bundle provider key built-in variable.
Failed to format pending restart registry key to read.
Failed to open registration key.
Failed to create registration key.
Failed to register the bundle dependency key.
Failed to write volatile reboot required registry key.
Failed to delete registration key: %ls
Failed to build uninstall registry key path.
Failed to build cached executable path.
Failed to create run key.
Failed to write run key value.
Failed to delete run key value.
Failed to format the key path for update registration.
Failed to get the formatted key path for update registration.
Failed to create the key for update registration.
Failed to format key for update registration.
Failed to remove update registration key: %ls
Failed to get path for current executing process as layout directory.
Failed to get executing process as layout directory.
Failed to to copy executable name for bundle.
Failed to append execute action.
Failed to add dependent bundle provider key to ignore dependents.
Failed to process passthrough package.
Failed to plan rollback boundary for passthrough package.
plan.cpp
Failed to plan execute package.
Failed to append execute checkpoint.
Unexpected relation type encountered during plan: %d
Failed to add the package provider key "%ls" to the planned list.
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to remove unnecessary execute actions.
Failed to finalize slipstream execute actions.
Failed to append execute checkpoint for cache rollback.
Failed to grow plan's array of execute actions.
Failed to insert keep registration execute action.
Failed to insert remove registration execute action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to get path for executing module as attached container working path.
logging.cpp
Failed to write send message to pipe.
Failed to pump messages during send message to pipe.
pipe.cpp
No status returned to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to process message: %u
Failed to get message over pipe
Failed to create pipe guid.
Failed to convert pipe guid into string.
Failed to allocate pipe name.
Failed to allocate pipe secret.
Failed to create the security descriptor for the connection event and pipe.
Failed to allocate full name of pipe: %ls
Failed to create pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to set pipe to non-blocking.
Failed to wait for child to connect to pipe.
Failed to reset pipe to blocking.
Failed to write secret length to pipe.
Failed to write secret to pipe.
Failed to write our process id to pipe.
Failed to read ACK from pipe.
Failed to allocate name of parent pipe.
Failed to open parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to allocate name of parent cache pipe.
Failed to open companion process with PID: %u
Failed to write message type to pipe.
Failed to read message from pipe.
Failed to read size of verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification process id from parent pipe.
core.cpp
Failed to execute searches.
Failed to detect provider key bundle id.
Failed to report detected related bundles.
Package type not supported by detect yet.
Failed to plan passthrough.
Another per-user setup is already executing.
Another per-machine setup is already executing.
Failed while caching, aborting execution.
Engine cannot start LaunchApprovedExe because it is busy with another action.
UX aborted LaunchApprovedExe begin.
Failed to format passthrough for command-line.
Failed to append passthrough to command-line.
cache.cpp
Failed to get provider state from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to verify expected payload against actual certificate chain.
Failed to seek to checksum in exe header.
Failed to seek to signature table in exe header.
Failed to seek to original data in exe burn section header.
Failed to get certificate public key identifier.
Failed to read certificate thumbprint.
Failed to find expected public key in certificate chain.
elevation.cpp
Failed to create pipe name and client token.
Failed to create pipe and cache pipe.
Failed to write registration operations to message buffer.
Failed to write dependent provider key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to write bundle dependency key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to write approved exe id to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to read file name: %u
Failed to read MSI data: %u
Failed to read approved exe process id.
Invalid launch approved exe message.
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Failed to read registration operations.
Invalid data passed to cache or layout payload.
Failed to read dependent provider key.
Failed to execute dependent registration action for provider key: %ls
Failed to read exe package.
Failed to execute EXE package.
Failed to execute MSI package.
Failed to execute MSP package.
Failed to execute MSU package.
Failed to execute package provider action.
Failed to read bundle dependency key from message buffer.
Failed to execute package dependency action.
Invalid message type: %d
Failed to read approved exe id.
Failed to read approved exe arguments.
Failed to read approved exe WaitForInputIdle timeout.
The per-user process requested unknown approved exe with id: %ls
Failed to open the registry key for the approved exe path.
Failed to read the value for the approved exe path.
Failed to verify the executable path is in a secure location: %ls
The executable path is not in a secure location: %ls
Failed to launch approved exe: %ls
Failed to write the approved exe process id to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
splashscreen.cpp
uithread.cpp
EngineForApplication.cpp
Failed to send embedded message over pipe.
Failed to send embedded progress message over pipe.
UX denied while trying to set download URL on embedded payload: %ls
Failed to set download URL.
Failed to set download password.
UX requested unknown approved exe with id: %ls
Failed to post launch approved exe message.
The string is too big: size %u
<the>.cab
cabextract.cpp
Failed to create begin operation event.
Failed to create operation complete event.
Failed to wait for operation complete.
Failed to begin and wait for operation.
Failed to set begin operation event.
Failed to reset operation complete event.
Failed to wait for operation complete event.
Failed to initialize cabinet.dll.
Failed to extract all files from container, erf: %d:%X:%d
Failed to set operation complete event.
Failed to wait for begin operation event.
Failed to reset begin operation event.
Invalid operation for this state.
Failed to move file pointer 0x%x bytes.
exeengine.cpp
Failed to evaluate executable package detect condition.
Invalid package current state: %d.
Failed to insert execute action.
Failed to build executable path.
Failed to get action arguments for executable package.
Bootstrapper application aborted during EXE progress.
Failed to wait for executable to complete: %ls
Process returned error: 0x%x
msiengine.cpp
Failed to calculate execute feature state.
Invalid package current state result encountered during plan: %d
Failed to detect compatible package from provider key.
Failed to copy the compatible provider key.
mspengine.cpp
msuengine.cpp
Failed to find Windows directory.
Failed to allocate WUSA.exe path.
dependency.cpp
Failed to get the Key attribute.
Failed to get the Imported attribute.
Failed to get provider key bundle id.
Failed to initialize provider key bundle id.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to insert provider execute action.
Failed to append provider execute action.
Unrecognized registration action type: %d
Failed to append the key "%ls".
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to get the provider key package id.
Failed to copy the provider key.
Failed to open uninstall registry key.
Failed to enumerate uninstall key for related bundles.
Failed to open uninstall key for potential related bundle: %ls
relatedbundle.cpp
Failed to read provider key from registry for bundle: %ls
detect.cpp
Unexpected relation type encountered: %d
Failed to copy update url.
Failed attempt to download update feed from URL: '%ls' to: '%ls'
apply.cpp
BA aborted execute begin.
Failed to execute dependent registration action.
Failed attempt to download URL: '%ls' to: '%ls'
Failed to execute package provider registration action.
Failed to execute dependency action.
Failed to execute compatible package action.
Invalid execute action.
Invalid rollback action: %d.
UX aborted execute EXE package begin.
UX aborted EXE progress.
Failed to configure per-machine EXE package.
Failed to configure per-user EXE package.
UX aborted EXE package execute progress.
UX aborted execute MSI package begin.
UX aborted MSI package execute progress.
UX aborted execute MSP package begin.
BA aborted execute MSP target.
UX aborted MSP package execute progress.
UX aborted execute MSU package begin.
UX aborted MSU package execute progress.
Failed to parse approved exes.
pseudobundle.cpp
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy install arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to create embedded pipe name and client token.
Failed to create embedded pipe.
embedded.cpp
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded executable: %ls
Unexpected embedded message sent to child process, msg: %u
NetFxChainer.cpp
k"bitsengine.cpp
Invalid BITS engine URL: %ls
Failed to copy download URL.
operator
operator ""
GetProcessWindowStation
buffutil.cpp
cryputil.cpp
logutil.cpp
Error 0x%x: %ls
Executable: %ls v%d.%d.%d.%d
memutil.cpp
pathutil.cpp
procutil.cpp
RegDeleteKeyExW
regutil.cpp
srputil.cpp
strutil.cpp
wiutil.cpp
xmlutil.cpp
kernel32.dll
shelutil.cpp
Kwuautil.cpp
fileutil.cpp
dirutil.cpp
dictutil.cpp
aclutil.cpp
certutil.cpp
svcutil.cpp
dlutil.cpp
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Unknown HTTP status code %d, returned from URL: %ls
atomutil.cpp
apuputil.cpp
timeutil.cpp
inetutil.cpp
uriutil.cpp
deputil.cpp
C:\src\wix39\build\ship\x86\burn.pdb
RegCloseKey
ADVAPI32.dll
MsgWaitForMultipleObjects
USER32.dll
OLEAUT32.dll
GDI32.dll
SHELL32.dll
ole32.dll
GetWindowsDirectoryW
ConnectNamedPipe
SetNamedPipeHandleState
CreateNamedPipeW
SetThreadExecutionState
KERNEL32.dll
Cabinet.dll
CryptHashPublicKeyInfo
CRYPT32.dll
msi.dll
RPCRT4.dll
WININET.dll
WINTRUST.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
ShellExecuteExW
VERSION.dll
GetCPInfo
GetProcessHeap
CertGetCertificateContextProperty
SHLWAPI.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
InternetCrackUrlW
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
LaunchApprovedExe begin, id: %1!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Application canceled operation: %2!ls!, error: %1!ls!
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="setup.exe" version="1.0.0.0" processorArchitecture="x86" type="win32"></assemblyIdentity><description>WiX Toolset Bootstrapper</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
WixBundleExecutePackageCacheFolder
WixBundleProviderKey
NTSuiteWebServer
WindowsFolder
WindowsVolume
[\%c]
.[%d]
.WiX Burn
SOFTWARE\Microsoft\Windows\CurrentVersion
.ComponentId
.keyPath
.language
ApprovedExeForElevation
.ValueName
"%ls" %s
.Attached
DownloadUrl
.FileSize
CertificateRootPublicKeyIdentifier
CertificateRootThumbprint
.ba%d
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
.Size
.PerMachine
.RollbackLogPathVariable
.InstallCondition
.PatchTargetCode
.Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
BundleProviderKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%ls.RebootRequired
URLInfoAbout
URLUpdateInfo
ParentKeyName
burn.runonce
ProviderKey
.ExecutableName
AboutUrl
UpdateUrl
.DisableModify
.Filename
8%s\%s
.%s\state.rsm
.RelatedBundle
%ls%hs%ls_u_%ls%ls.%ls
uSOFTWARE\Policies\Microsoft\Windows\Installer
\\.\pipe\%ls
\\.\pipe\%ls.Cache
burn.elevated
burn.unelevated
BurnPipe.%s
s-%ls %ls %ls %u %ls
-q -%ls %ls %ls %u
.open
burn.embedded
burn.log.append
burn.related.detect
burn.related.upgrade
burn.related.addon
burn.related.patch
burn.related.update
burn.passthrough
burn.disable.unelevate
burn.ignoredependencies
burn.ancestors
/passive
passive
.unverified
.PackageCache
.WixBurnMessageWindow
.update\%ls
.InstallArguments
.Repairable
.MsiProperty
.RollbackValue
%s$="%s"
ADDLOCAL="%s"
ADDSOURCE="%s"
ADDDEFAULT="%s"
. REINSTALL="%s"
ADVERTISE="%s"
REMOVE="%s"
wusa.exe
.wuauserv
Imported
.Chain
.%ls -%ls %ls %ls %u
.%ls /pipe %ls
- Attempt to initialize the CRT more than once.
mscoree.dll
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_downlevel.cpp
user32.dll
desktopcrt140
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_nonmsdk.cpp
__acrt_post_initialize_nonmsdk_dependencies
portuguese-brazilian
AdvApi32.dll
Crypt32.dll
s0xx
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
\\?\UNC
%ls_uuuuuu%ls%ls%ls
srclient.dll
pMsi.dll
Msxml2.DOMDocument
MSXML.DOMDocument
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
pMicrosoft.Update.AutoUpdate
PendingFileRenameOperations
%u.%u.%u.%u
hXXp://appsyndication.org/2006/appsyn
hu-hu-huThu:hu:hu%cu:u
c:\%original file name%.exe
8.1.923
novapdf.exe

dotNetFx40_Full_x86_x64.exe_608:

.text
`.data
.boxld01
@.rsrc
@.reloc
GetProcessWindowStation
operator
Extraction took %d minutes and %d.%d seconds
Extraction took %d.%d seconds
Extraction took %d milliseconds
Failed to execute file
Exiting with result code: 0x%x
Failed to get error string from error: 0x%x
Failed to get error message for error: 0x%x.
Failed to set _SFX_CAB_EXE_PATH
Failed to set _SFX_CAB_EXE_PACKAGE
Failed to set _SFX_CAB_EXE_PARAMETERS
Unable to resolve the path of the exe
Executing command line: '%S'
Failed to stop reporting progress
Failed to open box from path: %S
Failed to start reporting progress
Extracting files to: %S
Failed to verify box container #%d.
Failed to extract all files out of box container #%d.
Failed to add file name on to status prefix: %S
Failed to create progress reporting initialization event
Failed to get path to executable.
Directory '%S' has been selected for file extraction
Cluster drive map: '%S'
Considering drive: '%S'...
Drive '%S' is rejected because it's a resource of a cluster
Drive '%S' is rejected because of the unknown or unsuitable drive type
Drive '%S' is rejected because it's not a hard disk or RAM disk
Drive '%S' is rejected because it can't be written to
Drive '%S' has been selected as the largest fixed drive
Drive '%S' has been selected as the largest removable drive
Failed to load advapi32.dll
Failed to load DecryptFileW from advapi.dll
Considering cluster resource: '%S'...
Drive map for cluster resource '%S' : '%S'
Cluster resource type: '%S'
Found a partition on cluster resource: '%S'
Ignoring the partition '%S' because it doesn't look like a DOS name
Failed to allocate the path ro the clusapi.dll
Failed to load clusapi.dll
Failed to load all required functions from the clusapi.dll
Successfully bound to the ClusApi.dll
--- logging level: %s ---
%u/%u/%u, %u:%u:%u
Error 0x%x: %s
=== Logging started: %S ===
Executable: %S v%d.%d.%d.%d
=== Logging stopped: %S ===
boxstub.pdb
ADVAPI32.dll
KERNEL32.dll
COMCTL32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
GetCPInfo
GetProcessHeap
Cabinet.dll
OLEAUT32.dll
VERSION.dll
boxstub.exe
C:\ProgramData\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe
2/12/2015, 4:21:17
<assemblyIdentity name="BoxStub" version="1.0.0.0" processorArchitecture="x86" type="win32"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
yKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
\dd_%s_decompression_log.txt
_SFX_CAB_EXE_PATH
H_SFX_CAB_EXE_PACKAGE
_SFX_CAB_EXE_PARAMETERS
%s...
\\.\?:
advapi32.dll
%s\clusapi.dll
=d/d/d d:d:d
\\?\UNC
kernel32.dll
%_SFX_CAB_EXE_PATH%\Setup.exe %_SFX_CAB_EXE_PARAMETERS% /x86 /x64
JUnable to execute the embedded application to complete the installation.
Microsoft .NET Framework 4 Setup
4.0.30319.01
dotNetFx40_Full_x86_x64.exe
Microsoft .NET Framework 4
10.0.21009.0 built by: DTG(RAVIR01-ravir)
BoxStub.exe
.NET Framework
10.0.21009.0

Setup.exe_2864:

.text
`.data
.rsrc
@.reloc
GetProcessWindowStation
Setup.pdb
KERNEL32.dll
SetupEngine.dll
GetCPInfo
Setup.exe
version="1.0.0.0"
name="Microsoft.IronMan.IronSpigot"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
yKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
kernel32.dll
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe
10.0.30319.1 built by: RTMRel
SetupUI.exe
.NET Framework
10.0.30319.1


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dotNetFx40_Full_x86_x64.exe:608
    %original file name%.exe:2280
    %original file name%.exe:912

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI5C54.tmp.html (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI61F2.tmp.html (38 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_042118442.html (159496 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20150212_042118973.html (1410924 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1025\eula.rtf (7 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1055\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended.mzz (328309 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll (17 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll (512 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Setup.exe (576 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1043\LocalizedData.xml (92 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll (1371 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1028\LocalizedData.xml (86 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1040\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1044\LocalizedData.xml (865 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate1.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x64.msi (6999 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1029\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Client\Parameterinfo.xml (1912 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1031\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1028\eula.rtf (6 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1041\LocalizedData.xml (911 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\header.bmp (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\DisplayIcon.ico (538 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1036\LocalizedData.xml (766 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1033\LocalizedData.xml (321 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x64.msu (37124 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1049\LocalizedData.xml (263 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\3076\eula.rtf (6 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Client\UiInfo.xml (39 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Print.ico (1 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate6.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\2052\LocalizedData.xml (229 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate5.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe (1495 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqNotMet.ico (1 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\RGB9RAST_x64.msi (824 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\DHtmlHeader.html (984 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1053\LocalizedData.xml (242 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll (227 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Extended\UiInfo.xml (622 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll (914 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll (14 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\SetupUi.xsd (30 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1041\eula.rtf (19 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1035\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll (81 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll (2015 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1046\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1030\LocalizedData.xml (90 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\RGB9Rast_x86.msi (875 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\3082\LocalizedData.xml (86 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqMet.ico (1 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1045\eula.rtf (4 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\2070\LocalizedData.xml (744 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1037\eula.rtf (6 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\ParameterInfo.xml (2261 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\stop.ico (10 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1031\LocalizedData.xml (593 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\SplashScreen.bmp (31 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x86.msu (15000 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1038\eula.rtf (4 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll (15 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1029\LocalizedData.xml (1042 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1030\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1035\LocalizedData.xml (587 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1055\LocalizedData.xml (535 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\2052\eula.rtf (5 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Strings.xml (14 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll (14 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\UiInfo.xml (39 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll (16 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\warn.ico (10 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1042\LocalizedData.xml (613 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1053\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1044\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll (19 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate2.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1032\LocalizedData.xml (1168 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate7.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll (122 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll (17 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll (17 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\3082\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1033\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1040\LocalizedData.xml (1482 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1045\LocalizedData.xml (301 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll (779 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1038\LocalizedData.xml (156 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate4.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\2070\eula.rtf (4 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\watermark.bmp (531 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x64.msi (14022 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1025\LocalizedData.xml (873 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1043\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1037\LocalizedData.xml (219 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll (5583 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Setup.ico (57 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Extended\Parameterinfo.xml (1030 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1032\eula.rtf (8 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1036\eula.rtf (3 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll (644 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x64.msu (38528 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate8.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Save.ico (1 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate3.ico (894 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll (19 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\3076\LocalizedData.xml (810 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1049\eula.rtf (891 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\netfx_Core.mzz (1381912 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x86.msi (7866 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt (2445 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x86.msu (15320 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1042\eula.rtf (12 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll (18 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x86.msi (2812 bytes)
    C:\e4ee511aec94f6616b59d4b9c3\1046\LocalizedData.xml (480 bytes)
    C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\state.rsm (930 bytes)
    C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe (8657 bytes)
    C:\ProgramData\regid.2008-09.org.wixtoolset\regid.2008-09.org.wixtoolset doPDF 8.swidtag (886 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll (2546 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1044\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1055\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2052\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.thm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1032\mbapreq.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll (1663 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll (1733 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1045\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1030\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll (763 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\roro.config (417 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1043\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1038\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperApplicationData.xml (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1031\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.wxl (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1036\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2070\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1035\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe (148700 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log (26471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1060\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\License.htm (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1051\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full.R (6168 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1053\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1042\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.png (797 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.config (106 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\3082\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\enus.config (98 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-image.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1041\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1049\mbapreq.wxl (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1040\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1029\mbapreq.wxl (891 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1028\mbapreq.wxl (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-text.png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1046\mbapreq.wxl (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /burn.runonce"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
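The steps above can be scripted. The following PowerShell is an added example, written for this page; it is not part of the Lavasoft report, of Ad-Aware, or of any product named in the strings. It audits the artifacts listed in steps 1 to 4 and deletes them only when run with -Remove, so an analyst can first record what is present. Two points the listing does not spell out: the dumped strings (the burn.* switches, the "/burn.runonce" RunOnce value, the Package Cache layout, the doPDF 8 SWID tag and the Microsoft .NET Framework 4 setup stub) are those of a WiX Burn bootstrapper chaining the .NET 4 installer, and the RunOnce value is Burn's standard reboot-resume entry, so removing the Package Cache directory also breaks repair and uninstall of that bundle. Assumptions not stated on the page: the native 64-bit RunOnce view is checked in addition to the Wow6432Node view shown, and "%CurrentUserName%" is the profile the script runs under.

```powershell
<#
  Added example (not from the Lavasoft report). Audits the artifacts listed in
  the manual-removal steps and deletes them only with -Remove.
  Run from an elevated PowerShell prompt; supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# Burn bundle GUID taken from the RunOnce value and the Package Cache path.
$BundleId = '{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}'

$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce', # listed on the page (64-bit host)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'              # assumption: native view / 32-bit host
)

# Step 3 paths, collapsed to the directories that hold the per-file entries.
$Temp  = Join-Path $env:LOCALAPPDATA 'Temp'
$Paths = @(
    "C:\ProgramData\Package Cache\$BundleId",
    'C:\e4ee511aec94f6616b59d4b9c3',
    (Join-Path $Temp $BundleId),
    (Join-Path $Temp 'doPDF_8_20150212042030.log'),
    (Join-Path $Temp 'dd_dotNetFx40_Full_x86_x64_decompression_log.txt'),
    'C:\ProgramData\regid.2008-09.org.wixtoolset\regid.2008-09.org.wixtoolset doPDF 8.swidtag'
)
# The temp HTML files carry a random HFIxxxx prefix or a timestamp; match by pattern.
$TempPatterns = 'HFI*.tmp.html', 'Setup_2015*.html', 'Microsoft .NET Framework 4 Setup_2015*.html'

# Step 1: match processes on image path, not bare name, so an unrelated Setup.exe is left alone.
$ImagePaths = @(
    "C:\ProgramData\Package Cache\$BundleId\novapdf.exe",
    'C:\e4ee511aec94f6616b59d4b9c3\Setup.exe',
    'C:\ProgramData\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe'
)
foreach ($p in (Get-Process | Where-Object { $_.Path -and ($ImagePaths -contains $_.Path) })) {
    Write-Host ("running: {0} (PID {1}) {2}" -f $p.ProcessName, $p.Id, $p.Path)
    if ($Remove -and $PSCmdlet.ShouldProcess($p.Path, 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# Step 4: show the RunOnce command line before touching it, so the analyst can
# confirm it is the "/burn.runonce" resume entry from the report.
foreach ($key in $RunOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$BundleId
    if ($null -eq $val) { continue }
    Write-Host "RunOnce ${key}\${BundleId} = $val"
    if ($Remove -and $PSCmdlet.ShouldProcess("$key\$BundleId", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $key -Name $BundleId
    }
}

# Steps 2-3: hash executables still on disk before deleting, so they can be
# compared with the sample identifiers in the report and retained as evidence.
$found  = @($Paths | Where-Object { Test-Path -LiteralPath $_ })
$found += Get-ChildItem -Path (Join-Path $Temp '*') -File -Include $TempPatterns -ErrorAction SilentlyContinue |
          ForEach-Object FullName
foreach ($item in $found) {
    Get-ChildItem -LiteralPath $item -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.msi', '.msu' } |
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Write-Host ("{0}  {1}" -f $h, $_.FullName)
        }
    if ($Remove -and $PSCmdlet.ShouldProcess($item, 'Remove-Item')) {
        Remove-Item -LiteralPath $item -Recurse -Force
    }
}
```

Run it once without switches to get the inventory and hashes, then with -Remove -WhatIf to see what would be deleted, and finally with -Remove; reboot afterwards (step 6). If doPDF 8 is something the user installed deliberately, uninstall it through Programs and Features instead of deleting the Package Cache, since that directory is what the Burn engine uses to repair or remove the bundle.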
