mzpefinder_pcap_file.YR, WormAutoItGen.YR, PUPSpigot.YR (Lavasoft MAS)Behaviour: Worm, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 26df0b3916a792e8876cff097b2d76ef
SHA1: 148a1687d971be0fa2767644be43ca2c5fe41b6f
SHA256: df64ffe221a0d025121926e2e3934df59463b3dc1d8577ee143bc51bcd5e5c78
SSDeep: 98304:bejlMkuV N3cVcy54bj4mUHBZGVOdNHuY1lGV:b2E0Bju6/0B4QdNHuGlY
Size: 5144648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-25 08:12:58
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
dotNetFx40_Full_x86_x64.exe:608
%original file name%.exe:2280
%original file name%.exe:912
The Worm injects its code into the following process(es):
Setup.exe:2864
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process Setup.exe:2864 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI5C54.tmp.html (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI61F2.tmp.html (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_042118442.html (159496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20150212_042118973.html (1410924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_0 (20 bytes)
The process dotNetFx40_Full_x86_x64.exe:608 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\e4ee511aec94f6616b59d4b9c3\1025\eula.rtf (7 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended.mzz (328309 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll (512 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe (576 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\LocalizedData.xml (92 bytes)
C:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll (1371 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\LocalizedData.xml (865 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate1.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x64.msi (6999 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\Parameterinfo.xml (1912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\LocalizedData.xml (911 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\header.bmp (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DisplayIcon.ico (538 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\LocalizedData.xml (766 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\LocalizedData.xml (321 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x64.msu (37124 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\LocalizedData.xml (263 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Print.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate6.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\LocalizedData.xml (229 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate5.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe (1495 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqNotMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9RAST_x64.msi (824 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DHtmlHeader.html (984 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\LocalizedData.xml (242 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll (227 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\UiInfo.xml (622 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll (914 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.xsd (30 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\eula.rtf (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll (81 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll (2015 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\LocalizedData.xml (90 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9Rast_x86.msi (875 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\LocalizedData.xml (744 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\ParameterInfo.xml (2261 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\stop.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\LocalizedData.xml (593 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SplashScreen.bmp (31 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x86.msu (15000 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll (15 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\LocalizedData.xml (1042 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\LocalizedData.xml (587 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\LocalizedData.xml (535 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\eula.rtf (5 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Strings.xml (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll (16 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\warn.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\LocalizedData.xml (613 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate2.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\LocalizedData.xml (1168 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate7.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll (122 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\LocalizedData.xml (1482 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\LocalizedData.xml (301 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll (779 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\LocalizedData.xml (156 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate4.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\watermark.bmp (531 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x64.msi (14022 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\LocalizedData.xml (873 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\LocalizedData.xml (219 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll (5583 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Setup.ico (57 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\Parameterinfo.xml (1030 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\eula.rtf (8 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll (644 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x64.msu (38528 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate8.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Save.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate3.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\LocalizedData.xml (810 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\eula.rtf (891 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core.mzz (1381912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x86.msi (7866 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt (2445 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x86.msu (15320 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\eula.rtf (12 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x86.msi (2812 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\LocalizedData.xml (480 bytes)
The process %original file name%.exe:2280 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\state.rsm (930 bytes)
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe (8657 bytes)
C:\ProgramData\regid.2008-09.org.wixtoolset\regid.2008-09.org.wixtoolset doPDF 8.swidtag (886 bytes)
The process %original file name%.exe:912 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll (2546 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1044\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1055\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2052\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.thm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1032\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll (1663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll (1733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1045\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1030\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\roro.config (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1043\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1038\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperApplicationData.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1031\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.wxl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1036\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2070\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1035\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe (148700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log (26471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1060\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\License.htm (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1051\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full.R (6168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1053\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1042\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.png (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.config (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\3082\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\enus.config (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-image.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1041\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1049\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1040\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1029\mbapreq.wxl (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full (404972 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1028\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-text.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1046\mbapreq.wxl (2 bytes)
Registry activity
The process %original file name%.exe:2280 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"BundleTag" = "Type: REG_SZ, Length: 0"
"URLInfoAbout" = "http://www.dopdf.com"
"Publisher" = "Softland"
"EstimatedSize" = "49267"
"BundleDetectCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleCachePath" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe"
"EngineVersion" = "3.10.1124.0"
"BundleResumeCommandLine" = " /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log"
"BundlePatchCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleVersion" = "8.1.923.0"
"NoElevateOnModify" = "1"
"DisplayName" = "doPDF 8"
[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"DisplayName" = "doPDF 8"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"DisplayVersion" = "8.1.923"
"BundleProviderKey" = "{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}"
"DisplayIcon" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe,0"
[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"Version" = "8.1.923.0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"ModifyPath" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /modify"
"BundleUpgradeCode" = "{AAA27109-5C52-48DC-8DAD-FBEBB79245D5}"
"QuietUninstallString" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /uninstall /quiet"
"Resume" = "1"
"BundleAddonCode" = "Type: REG_MULTI_SZ, Length: 0"
[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"(Default)" = "{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"UninstallString" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /uninstall"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /burn.runonce"
The Worm deletes the following value(s) in system registry:
[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Dependents\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"MinVersion"
"MaxVersion"
The process %original file name%.exe:912 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
"WpadDecisionTime" = "BA A8 84 7F 6A 46 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "BA A8 84 7F 6A 46 D0 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"
"WpadNetworkName" = "Network"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
251743dfd3fda414570524bac9e55381 | c:\ProgramData\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe |
a49949aff7282015a15fbfb7bd18ab05 | c:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe |
251743dfd3fda414570524bac9e55381 | c:\Users\All Users\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe |
a49949aff7282015a15fbfb7bd18ab05 | c:\Users\All Users\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe |
642e2ae9844847f82a472000c9d05a75 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll |
4b788007e99e73f701d1f4eb1042418c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll |
7553ac91bee22c474772e7eea9715800 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll |
b9bc7ac88171cf0974c9bc7bc03e25d5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll |
a49949aff7282015a15fbfb7bd18ab05 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe |
35b62b395968b7754c298fbb410e9821 | c:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll |
7c136b92983cec25f85336056e45f3e8 | c:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll |
62876c2fe28b1b5c434b9fad80abe9f9 | c:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll |
9f0cd8981979154cc2a6393da42731c5 | c:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll |
7c9ae49b3a400c728a55dd1cacc8ffb2 | c:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll |
e663b67a66adf9375d1d183ca5fdd23d | c:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll |
9547d24ac04b4d0d1dbf84f74f54faf7 | c:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll |
881adf55d51976ca592033a7adf620b8 | c:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll |
93f57216fe49e7e2a75844edfccc2e09 | c:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll |
06cc83e6c677db13757df4242f5679f7 | c:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll |
c1bf3d63576d619b24837b72986dfad4 | c:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll |
e4860fc5d4c114d5c0781714f3bf041a | c:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll |
278fd7595b580a016705d00be363612f | c:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll |
fcfd69ec15a6897a940b0435439bf5fc | c:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll |
76d6e9f15d842e6a56ee42c9c5ccabca | c:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll |
bacea57a781c43738a3b065103479bb5 | c:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll |
550c79640eee713c73eb67b0736a92e6 | c:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll |
86cb58f2b6bc1174d200d0abe5497233 | c:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll |
7ef74af6ab5760950a1d233c582099f1 | c:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll |
28813510b82f45868b5bdc67fff9c9fa | c:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll |
357a1cbf08a83e657ffae8639ac1212a | c:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll |
407cdb7e1c2c862b486cde45f863ae6e | c:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll |
58cb55fa4d9e2f62f675720b1269137d | c:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll |
7c136b92983cec25f85336056e45f3e8 | c:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll |
b057315a8c04df29b7e4fd2b257b75f4 | c:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll |
006f8a615020a4a17f5e63801485df46 | c:\e4ee511aec94f6616b59d4b9c3\Setup.exe |
84c1daf5f30ff99895ecab3a55354bcf | c:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll |
eb881e3dddc84b20bd92abcec444455f | c:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll |
8dfbb95989af28058c7431704ce7cd66 | c:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe |
3f0363b40376047eff6a9b97d633b750 | c:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dotNetFx40_Full_x86_x64.exe:608
%original file name%.exe:2280
%original file name%.exe:912 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI5C54.tmp.html (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI61F2.tmp.html (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_042118442.html (159496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20150212_042118973.html (1410924 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\eula.rtf (7 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended.mzz (328309 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll (512 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe (576 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\LocalizedData.xml (92 bytes)
C:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll (1371 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\LocalizedData.xml (865 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate1.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x64.msi (6999 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\Parameterinfo.xml (1912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\LocalizedData.xml (911 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\header.bmp (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DisplayIcon.ico (538 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\LocalizedData.xml (766 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\LocalizedData.xml (321 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x64.msu (37124 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\LocalizedData.xml (263 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Print.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate6.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\LocalizedData.xml (229 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate5.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe (1495 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqNotMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9RAST_x64.msi (824 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DHtmlHeader.html (984 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\LocalizedData.xml (242 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll (227 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\UiInfo.xml (622 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll (914 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.xsd (30 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\eula.rtf (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll (81 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll (2015 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\LocalizedData.xml (90 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9Rast_x86.msi (875 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\LocalizedData.xml (744 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\ParameterInfo.xml (2261 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\stop.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\LocalizedData.xml (593 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SplashScreen.bmp (31 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x86.msu (15000 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll (15 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\LocalizedData.xml (1042 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\LocalizedData.xml (587 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\LocalizedData.xml (535 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\eula.rtf (5 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Strings.xml (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll (16 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\warn.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\LocalizedData.xml (613 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate2.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\LocalizedData.xml (1168 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate7.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll (122 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\LocalizedData.xml (1482 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\LocalizedData.xml (301 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll (779 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\LocalizedData.xml (156 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate4.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\watermark.bmp (531 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x64.msi (14022 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\LocalizedData.xml (873 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\LocalizedData.xml (219 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll (5583 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Setup.ico (57 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\Parameterinfo.xml (1030 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\eula.rtf (8 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll (644 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x64.msu (38528 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate8.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Save.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate3.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\LocalizedData.xml (810 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\eula.rtf (891 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core.mzz (1381912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x86.msi (7866 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt (2445 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x86.msu (15320 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\eula.rtf (12 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x86.msi (2812 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\LocalizedData.xml (480 bytes)
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\state.rsm (930 bytes)
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe (8657 bytes)
C:\ProgramData\regid.2008-09.org.wixtoolset\regid.2008-09.org.wixtoolset doPDF 8.swidtag (886 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll (2546 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1044\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1055\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2052\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.thm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1032\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll (1663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll (1733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1045\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1030\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\roro.config (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1043\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1038\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperApplicationData.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1031\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.wxl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1036\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2070\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1035\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe (148700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log (26471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1060\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\License.htm (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1051\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full.R (6168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1053\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1042\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.png (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.config (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\3082\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\enus.config (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-image.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1041\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1049\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1040\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1029\mbapreq.wxl (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1028\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-text.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1046\mbapreq.wxl (2 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /burn.runonce" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: S
Product Name: d
Product Version: 8
Legal Copyright: C
Legal Trademarks:
Original Filename: n
Internal Name: setup
File Version: 8
File Description: d
Comments:
Language: English (United States)
Company Name: SProduct Name: dProduct Version: 8 Legal Copyright: CLegal Trademarks: Original Filename: nInternal Name: setupFile Version: 8 File Description: dComments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 297741 | 297984 | 4.55001 | 5d26d6a643d19ae02fc6861dbd240657 |
.rdata | 303104 | 126876 | 126976 | 3.54022 | 8ec8f775f2a3c9e81506399acc167ad0 |
.data | 430080 | 12960 | 3584 | 2.25979 | 2bde230c16419018f3330ed33e77178f |
.wixburn | 446464 | 56 | 512 | 0.52525 | 897e35e997b93373c8f34458609bda8d |
.tls | 450560 | 13 | 512 | 0.014135 | 8e3343efa9afc26ac6caf49228cbe049 |
.rsrc | 454656 | 651556 | 651776 | 1.97334 | d6f58c17a995faf274e2952bd6b2a07f |
.reloc | 1110016 | 16272 | 16384 | 4.68287 | 0e971942c19fd1a124065da269606dff |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.go.microsoft.akadns.net/fwlink/?LinkId=164193 | |
hxxp://a767.dscms.akamai.net/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0 | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f | 88.221.132.177 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 88.221.132.175 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://crl.verisign.com/pca3.crl | 23.43.133.163 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 88.221.132.175 |
hxxp://go.microsoft.com/fwlink/?LinkId=164193 | 134.170.189.4 |
hxxp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe | 80.239.149.72 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0 | 88.221.132.177 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 88.221.132.175 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 88.221.132.175 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Thu, 12 Feb 2015 02:23:43 GMT
Connection: keep-alive
MSCF............,...................O.......'#.........D.z .disallowedcert.stl....2..'#CK...8T...g........g.k..".....mlI."d..m...P$"....e.J........z.....\..........9g.9....~.........Q.Q......Q..DL.8.C.PS.K0.!P.0........#.DY.8.....V.....$.C....a.0...........`......;.S.....0#...m... ..`0...?.!vR?.....d....`......_@..}....$...i..OR'..$....K..'Z....o.g..*.Vc.....[nY e./.EJ...B.Y.......Ag......!....9......u..!..1Yy.......r...Ss^@...M.Dtl\....i.k....3...B.Z.:.p.N....*......x,...ah/..].[....GB..T..$A....SY..t.E5R..R...9!....*.*68V....1... ...Q{...".Op@L.2M...1;xd{.C.u?..e.U.=f.nx.........y.G..0.......\L .'.^....$......N=..m...UjrZs...J.I.C....;......q_..e......?.T..2..bw....E.L.{...S...~.<.........-.Q..|.l. .1..6r....[}!J..,...naPk.U.... ..{@LH..W....>.Sq...8.5.,.z..0.jL.S..........]...yW_...Y.1..h.7...9{.....I......g.Y.,1...i8n.6..........4.]...........=........^..n.K7...c.g).Z. .0..$7.ys.p...B.5.].f...|(3!.|..P...j..^..j....#(...@...As..*.O..i..u....9..S.Y.n..HXW...F ..i...:.......!.] r......D..*ld.b.>>:Pp.....5:1 o=..5.'..4.......hO....{.V.rx..V...%.}..u...6Wv-..".iV.b..B0.Q..,...E.Dy...x..5....?Z.$L..1.....4...=.....g!....%..:..c..j..v~....._R.6.......;.#.Y*p..J.4.#'..Vo...g^K...J....._.^..u...)....&/.....q....o......4.....S...,q.....p.8IIe.....d|.3{)...M.0.X...4.."..P.......Hk.... ]!.!... ..#.x..<..X.........'.E(<b[.......#.. ....XiLl|..=.....&P.@H.J.oo...a...x B....l.....@.P......!8..@...q2..;.......mm....>~............j%..>.X.,V...J...C ....*..Z.8- RKGW...0./Z.__..)7g_'{.......pr......;.
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.5
VTag: 438410416000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:23:43 GMT
Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M........z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{.s...@....f.|7z.. ......>..Q...(......._....UM.EN.@.K\]#..Y.*.......T. .C.....A'..5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Qw......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.........
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.5
VTag: 4389615400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:23:43 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......30... .....7......150320224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c.{.m@Q.M.p...g.^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo...._...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.].....uki~......
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 438346843700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:23:44 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......10... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q>.ln...z..L.......5.5s@d.q.('..e...Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az......@..l..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=411760, public, no-transform, must-revalidate
Last-Modified: Mon, 9 Feb 2015 20:44:25 GMT
Expires: Mon, 16 Feb 2015 20:44:25 GMT
Date: Thu, 12 Feb 2015 02:24:46 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20150209204425Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......l$.%t...............20150209204425Z....20150216204425Z0...*.H..............'.^.M......_.(.~....b^:.[&...z.^.W.<'g.[..N..Y.k...i....U.Kc-.:B....]#...l.^..S0K.OV.. ..D/&.E?./...~.z....~.E.YA....c.4...~.t.$..X.s......X@.......sx......... .^.....7.t...*T.=1.3..I...n..m.i9.6l.....!..r..;..8..V...._......t..YE.^9.7...*&_.a......dM.......#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT
Accept-Ranges: bytes
ETag: "75565c7ac03ad01:0"
Server: Microsoft-IIS/8.0
VTag: 279610143200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 12 Feb 2015 02:24:14 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Y0... .....7......150427174215Z0...*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp..j....lo....4........T9j...S.7Q.@.W..@.. ...M....z....Q...{u. .W..HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT..Accept-Ranges: bytes..ETag: "75565c7ac03ad01:0"..Server: Microsoft-IIS/8.0..VTag: 279610143200000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 554..Cache-Control: max-age=900..Date: Thu, 12 Feb 2015 02:24:14 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Y0... .....7......150427174215Z0...*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp..j....lo....4........T9j...S.7Q.@.W..
<<< skipped >>>
HEAD /fwlink/?LinkId=164193 HTTP/1.1
Accept: */*
User-Agent: Burn
Host: go.microsoft.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 236
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Feb 2015 02:19:38 GMT
Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 12 Feb 2015 02:20:37 GMT
HTTP/1.1 302 Found..Cache-Control: private..Content-Length: 236..Content-Type: text/html; charset=utf-8..Expires: Thu, 12 Feb 2015 02:19:38 GMT..Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Thu, 12 Feb 2015 02:20:37 GMT......
GET /fwlink/?LinkId=164193 HTTP/1.1
Accept: */*
User-Agent: Burn
Host: go.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Thu, 12 Feb 2015 02:19:39 GMT
Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 12 Feb 2015 02:20:38 GMT
Content-Length: 236
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=utf-8..Expires: Thu, 12 Feb 2015 02:19:39 GMT..Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Thu, 12 Feb 2015 02:20:38 GMT..Content-Length: 236..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe">here</a>.</h2>..</body></html>....
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"
Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT
Date: Thu, 12 Feb 2015 02:24:44 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..141210000000Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ....>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r../=l..?...9..V0..@Tk......fn?....0.A.HTTP/1.1 200 OK..Server: Apache..ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT..Date: Thu, 12 Feb 2015 02:24:44 GMT..Content-Length: 933..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..141210000000Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT
Accept-Ranges: bytes
ETag: "803565fb436d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 57591
Date: Thu, 12 Feb 2015 02:24:15 GMT
Connection: keep-alive
MSCF............,...................I.................6Fm. .authroot.stl......8..CK...<T...g.v!M.d..f.%d..}K..5......dM*K..J.,%K"...!..=.k..........{=/....{g.~...............'....6..N....w......(.$.>.7...........'.....`.bx....^..$.'.^.K.C......<b=J..u....@.....2..e....pr.....usXq.d.i.jF$.4.........KI.Q........A2m:..E.P|...(.^p..=G|.....m...... .6...H.e.....X'...%$r.Y.(..)........|...;...V^r.VM.._*X.I. ..4.....*.....Y..`.0w.u...c.i.[..-...x..<.8.<.p..,..y.[v.Yn`......!.s...4e......B...$.,..........w.Pd.)....,..#.%..h...8...`.A...8.i(.!.$/.=.....i.\X.H......"...a...k...y6....F.._?\*.&..3.AJo.!..`....9....=.p.u..u....f.f....w...?..S..I.;.....5._...F.f..G?$......."..kq.y'.6tJ.e%..G.n.....z<.pX"....1..g."........V:.H.-...!}LM..t..-.y.j&...n{..-.]H. .....A.O.Xg..B...#.f.-..V@.g..8.....Ov...ET..*.....T...}o._./S..h@$.....!.@.D....c...A1..#.:?."....1..v.....&G...?O1x6"5.@..$.U...n.J...w.Y.{..........E.N.&...&.rC..W.....M.........,.e.....&eI(/eSO.B..K...R. K...s.@9....Jv.....(..Y./;-..M5.0.H2.y....:...........a.U....%.S.).^....1.B..a..=...q...X .B....F.../..../.Z...'..t....C....,.^...N=..t%N|IC.#.)6...q.E.J.i.E.>....".L........>...Vy.7.jxx......G........._q.1^..H&.4Z......^.E.K 9.Xg...qO.6%>..T....;n..s.'u.-...=.........p..p.Rn.........=.......F........d. d.AR.0U..........9b...=N..#....c.Icz......u.0............Y.q..b.wYE.......R...s..W....r].....hT....k.g..[...s.....X..`=zb.>..../..=........J.N.h...(}.5.7. .;..=F..F...'.?..2...3...=...B..`....{...f.`Kb..@..`Z.0!^8.t..<l.j..lI.P.q.>k
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=495772, public, no-transform, must-revalidate
Last-Modified: Tue, 10 Feb 2015 20:04:39 GMT
Expires: Tue, 17 Feb 2015 20:04:39 GMT
Date: Thu, 12 Feb 2015 02:24:44 GMT
Connection: keep-alive
0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder..20150210200439Z0s0q0I0... ........?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....20150210200439Z....20150217200439Z0...*.H...............U.#..&1x1.......n...tJ...-..`.-d...X.......\._......[]n\].;....n..}b..Y...b1.q....".2.<.../..:....\..... ..?...Y. .EF.e....Y!T#SLa.......&....I.t..v...Cy'uGK...g......-.........G>}q......1....p...pxP,.l.e^f5..i)xoE....]....t..?.....~..Su......D.,...\........0...0...0..{.........[..I|.....Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W....n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=371792, public, no-transform, must-revalidate
Last-Modified: Mon, 9 Feb 2015 09:39:15 GMT
Expires: Mon, 16 Feb 2015 09:39:15 GMT
Date: Thu, 12 Feb 2015 02:24:43 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150209093915Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150209093915Z....20150216093915Z0...*.H.............~0...hO6...:&.O........D......Bnr.s.PL.....a.......|..]'[>...`......I...P<I.$.T.....s..zF....... R...39...<.. J........~..{.g....W#..............|.r.l..<4.b.....er.kw.3.....P[.........Q.....Z?.Sa.........6.F......8.{E.[......mQ/.@..4......X.1P."O.\....3.S.....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=411638, public, no-transform, must-revalidate
Last-Modified: Mon, 9 Feb 2015 20:44:24 GMT
Expires: Mon, 16 Feb 2015 20:44:24 GMT
Date: Thu, 12 Feb 2015 02:24:43 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20150209204424Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150209204424Z....20150216204424Z0...*.H..............2..T.U...=..C.V....Bo9..e..2.....S.'.#../Y].k.....n..1.8J\..PM.xY.P6H.....Q9...]...Z..d...Bl...!..7W.P*..-.a.-...q.f'k.d.Z...o.. D.q.8w.!.:..8...C0.j.%V.#&.d..n..Q.,..kE.s...*....p..7....~..MI.LFE....e../.....\..,Z.clG...v.R....Q....o.w..`...@^...%...K..,...#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H......
<<< skipped >>>
HEAD /download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe HTTP/1.1
Accept: */*
User-Agent: Burn
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Host: download.microsoft.com
HTTP/1.1 200 OK
Content-Length: 50449456
Content-Type: application/octet-stream
Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT
Accept-Ranges: bytes
ETag: "2a1457bc5c7ca1:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Date: Thu, 12 Feb 2015 02:20:39 GMT
Connection: keep-alive
HTTP/1.1 200 OK..Content-Length: 50449456..Content-Type: application/octet-stream..Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT..Accept-Ranges: bytes..ETag: "2a1457bc5c7ca1:0"..Server: Microsoft-IIS/8.0..Content-Disposition: attachment..Date: Thu, 12 Feb 2015 02:20:39 GMT..Connection: keep-alive......
GET /download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe HTTP/1.1
Accept: */*
User-Agent: Burn
Host: download.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT
ETag: "2a1457bc5c7ca1:0"
Content-Length: 50449456
Date: Thu, 12 Feb 2015 02:20:39 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}...,...}.......}.......}...//..}.../...}.../...}.......}...}...}..., ..}...,/..}...,...}...,...}...,...}..Rich.}..........................PE..L......J.........."..........^....................@..........................@............@...... ..................@.......D...........................p.......l....................................V..@............................................text............................... ..`.data....7..........................@....boxld01............................@..@.rsrc...............................@..@.reloc...(.......*..................@..B....................................................................................................................................................................................................................................................................................................................................................................................(...@...X...p...|.......................................*...:...N...b...p...............r...X... ...H.......................r...Z...@...(.......................................................................0...F...`...v..................................."...2...H...`...n...................................(...2...>...P...\...l...x.......................................*...>...L...\...p...|............................... ...,.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=518392, public, no-transform, must-revalidate
Last-Modified: Wed, 11 Feb 2015 02:24:43 GMT
Expires: Wed, 18 Feb 2015 02:24:43 GMT
Date: Thu, 12 Feb 2015 02:24:51 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20150211022443Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150211022443Z....20150218022443Z0...*.H.............<..|~!....'s.bW....e4x...VTE.L.....m.v.4-...2:,7.2oY../....~.L......Ty.P<...*kV........0.0...X......<....XWn0=2;~%./..s...bw.............."..uD...b.V.f..v...a...@9.V..H....%.....M.3.<.6...)..g%.Q..B).[..=G_..K.@..g......L"..A.U...p. X.OXh.R.4.... ,N..........#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code S..
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_2280:
.text
.text
`.rdata
`.rdata
@.data
@.data
.wixburn8
.wixburn8
@.tls
@.tls
.rsrc
.rsrc
@.reloc
@.reloc
8.wixu
8.wixu
v%j.Yf;
v%j.Yf;
t%SQW
t%SQW
SSSSh
SSSSh
PSSSSSSh
PSSSSSSh
j.Zf;
j.Zf;
j.Yf;
j.Yf;
engine.cpp
engine.cpp
3.10.1124.0
3.10.1124.0
Failed to create pipes to connect to elevated parent process.
Failed to create pipes to connect to elevated parent process.
Failed to set elevated pipe into thread local storage for logging.
Failed to set elevated pipe into thread local storage for logging.
variable.cpp
variable.cpp
Unsupported variable type.
Unsupported variable type.
Setting variable failed: ID '%ls', HRESULT 0x%x
Setting variable failed: ID '%ls', HRESULT 0x%x
Failed to find DllGetVersion entry point in msi.dll.
Failed to find DllGetVersion entry point in msi.dll.
Failed to get msi.dll version info.
Failed to get msi.dll version info.
Failed to get windows directory.
Failed to get windows directory.
Failed to open Windows folder key.
Failed to open Windows folder key.
condition.cpp
condition.cpp
Failed to parse condition '%ls' at position: %u
Failed to parse condition '%ls' at position: %u
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
search.cpp
search.cpp
Failed to get Key attribute.
Failed to get Key attribute.
Directory search: %ls, did not find path: %ls, reason: 0x%x
Directory search: %ls, did not find path: %ls, reason: 0x%x
Failed to format key string.
Failed to format key string.
Registry key not found. Key = '%ls'
Registry key not found. Key = '%ls'
Failed to open registry key. Key = '%ls'
Failed to open registry key. Key = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Failed to query registry key value.
Failed to query registry key value.
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
Failed to open registry key.
Failed to open registry key.
Failed to query registry key value size.
Failed to query registry key value size.
Unsupported registry key value type. Type = '%u'
Unsupported registry key value type. Type = '%u'
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
Failed to get component path: %d
Failed to get component path: %d
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
Unsupported product search type: %u
Unsupported product search type: %u
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
section.cpp
section.cpp
Failed to read image section header, index: %u
Failed to read image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read section info, data to short: %u
Failed to read section info, data to short: %u
Failed to read section info, unsupported version: x
Failed to read section info, unsupported version: x
Failed to find container info, too few elements: %u
Failed to find container info, too few elements: %u
Failed to select approved exe nodes.
Failed to select approved exe nodes.
Failed to get approved exe node count.
Failed to get approved exe node count.
approvedexe.cpp
approvedexe.cpp
Failed to allocate memory for approved exe structs.
Failed to allocate memory for approved exe structs.
Failed to get @Key.
Failed to get @Key.
Failed to create executable command.
Failed to create executable command.
Failed to create obfuscated executable command.
Failed to create obfuscated executable command.
container.cpp
container.cpp
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get path for executing module.
Failed to get path for executing module.
catalog.cpp
catalog.cpp
payload.cpp
payload.cpp
Failed to get @DownloadUrl.
Failed to get @DownloadUrl.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootThumbprint.
Failed to get @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to get directory portion of local file path
Failed to get directory portion of local file path
userexperience.cpp
userexperience.cpp
package.cpp
package.cpp
Failed to parse EXE package.
Failed to parse EXE package.
Failed to get @ProviderKey.
Failed to get @ProviderKey.
Failed to get @ExecutableName.
Failed to get @ExecutableName.
Failed to get @AboutUrl.
Failed to get @AboutUrl.
Failed to get @UpdateUrl.
Failed to get @UpdateUrl.
registration.cpp
registration.cpp
Failed to overwrite the bundle provider key built-in variable.
Failed to overwrite the bundle provider key built-in variable.
Failed to format pending restart registry key to read.
Failed to format pending restart registry key to read.
Failed to open registration key.
Failed to open registration key.
Failed to create registration key.
Failed to create registration key.
Failed to register the bundle dependency key.
Failed to register the bundle dependency key.
Failed to write volatile reboot required registry key.
Failed to write volatile reboot required registry key.
Failed to delete registration key: %ls
Failed to delete registration key: %ls
Failed to build uninstall registry key path.
Failed to build uninstall registry key path.
Failed to build cached executable path.
Failed to build cached executable path.
Failed to create run key.
Failed to create run key.
Failed to write run key value.
Failed to write run key value.
Failed to delete run key value.
Failed to delete run key value.
Failed to format the key path for update registration.
Failed to format the key path for update registration.
Failed to get the formatted key path for update registration.
Failed to get the formatted key path for update registration.
Failed to create the key for update registration.
Failed to create the key for update registration.
Failed to format key for update registration.
Failed to format key for update registration.
Failed to remove update registration key: %ls
Failed to remove update registration key: %ls
Failed to get path for current executing process as layout directory.
Failed to get path for current executing process as layout directory.
Failed to get executing process as layout directory.
Failed to get executing process as layout directory.
Failed to to copy executable name for bundle.
Failed to to copy executable name for bundle.
Failed to append execute action.
Failed to append execute action.
Failed to add dependent bundle provider key to ignore dependents.
Failed to add dependent bundle provider key to ignore dependents.
Failed to process passthrough package.
Failed to process passthrough package.
Failed to plan rollback boundary for passthrough package.
Failed to plan rollback boundary for passthrough package.
plan.cpp
plan.cpp
Failed to plan execute package.
Failed to plan execute package.
Failed to append execute checkpoint.
Failed to append execute checkpoint.
Unexpected relation type encountered during plan: %d
Unexpected relation type encountered during plan: %d
Failed to add the package provider key "%ls" to the planned list.
Failed to add the package provider key "%ls" to the planned list.
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to remove unnecessary execute actions.
Failed to remove unnecessary execute actions.
Failed to finalize slipstream execute actions.
Failed to finalize slipstream execute actions.
Failed to append execute checkpoint for cache rollback.
Failed to append execute checkpoint for cache rollback.
Failed to grow plan's array of execute actions.
Failed to grow plan's array of execute actions.
Failed to insert keep registration execute action.
Failed to insert keep registration execute action.
Failed to insert remove registration execute action.
Failed to insert remove registration execute action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to get path for executing module as attached container working path.
Failed to get path for executing module as attached container working path.
logging.cpp
logging.cpp
Failed to write send message to pipe.
Failed to write send message to pipe.
Failed to pump messages during send message to pipe.
Failed to pump messages during send message to pipe.
pipe.cpp
pipe.cpp
No status returned to PipePumpMessages()
No status returned to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to process message: %u
Failed to process message: %u
Failed to get message over pipe
Failed to get message over pipe
Failed to create pipe guid.
Failed to create pipe guid.
Failed to convert pipe guid into string.
Failed to convert pipe guid into string.
Failed to allocate pipe name.
Failed to allocate pipe name.
Failed to allocate pipe secret.
Failed to allocate pipe secret.
Failed to create the security descriptor for the connection event and pipe.
Failed to create the security descriptor for the connection event and pipe.
Failed to allocate full name of pipe: %ls
Failed to allocate full name of pipe: %ls
Failed to create pipe: %ls
Failed to create pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to set pipe to non-blocking.
Failed to set pipe to non-blocking.
Failed to wait for child to connect to pipe.
Failed to wait for child to connect to pipe.
Failed to reset pipe to blocking.
Failed to reset pipe to blocking.
Failed to write secret length to pipe.
Failed to write secret length to pipe.
Failed to write secret to pipe.
Failed to write secret to pipe.
Failed to write our process id to pipe.
Failed to write our process id to pipe.
Failed to read ACK from pipe.
Failed to read ACK from pipe.
Failed to allocate name of parent pipe.
Failed to allocate name of parent pipe.
Failed to open parent pipe: %ls
Failed to open parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to allocate name of parent cache pipe.
Failed to allocate name of parent cache pipe.
Failed to open companion process with PID: %u
Failed to open companion process with PID: %u
Failed to write message type to pipe.
Failed to write message type to pipe.
Failed to read message from pipe.
Failed to read message from pipe.
Failed to read size of verification secret from parent pipe.
Failed to read size of verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification process id from parent pipe.
Failed to read verification process id from parent pipe.
core.cpp
core.cpp
Failed to execute searches.
Failed to execute searches.
Failed to detect provider key bundle id.
Failed to detect provider key bundle id.
Failed to report detected related bundles.
Failed to report detected related bundles.
Package type not supported by detect yet.
Package type not supported by detect yet.
Failed to plan passthrough.
Failed to plan passthrough.
Another per-user setup is already executing.
Another per-user setup is already executing.
Another per-machine setup is already executing.
Another per-machine setup is already executing.
Failed while caching, aborting execution.
Failed while caching, aborting execution.
Engine cannot start LaunchApprovedExe because it is busy with another action.
Engine cannot start LaunchApprovedExe because it is busy with another action.
UX aborted LaunchApprovedExe begin.
UX aborted LaunchApprovedExe begin.
Failed to format passthrough for command-line.
Failed to format passthrough for command-line.
Failed to append passthrough to command-line.
Failed to append passthrough to command-line.
cache.cpp
cache.cpp
Failed to get provider state from authenticode certificate.
Failed to get provider state from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to verify expected payload against actual certificate chain.
Failed to verify expected payload against actual certificate chain.
Failed to seek to checksum in exe header.
Failed to seek to checksum in exe header.
Failed to seek to signature table in exe header.
Failed to seek to signature table in exe header.
Failed to seek to original data in exe burn section header.
Failed to seek to original data in exe burn section header.
Failed to get certificate public key identifier.
Failed to get certificate public key identifier.
Failed to read certificate thumbprint.
Failed to read certificate thumbprint.
Failed to find expected public key in certificate chain.
Failed to find expected public key in certificate chain.
elevation.cpp
elevation.cpp
Failed to create pipe name and client token.
Failed to create pipe name and client token.
Failed to create pipe and cache pipe.
Failed to create pipe and cache pipe.
Failed to write registration operations to message buffer.
Failed to write registration operations to message buffer.
Failed to write dependent provider key to message buffer.
Failed to write dependent provider key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to write bundle dependency key to message buffer.
Failed to write bundle dependency key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to write approved exe id to message buffer.
Failed to write approved exe id to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to read file name: %u
Failed to read file name: %u
Failed to read MSI data: %u
Failed to read MSI data: %u
Failed to read approved exe process id.
Failed to read approved exe process id.
Invalid launch approved exe message.
Invalid launch approved exe message.
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Failed to read registration operations.
Failed to read registration operations.
Invalid data passed to cache or layout payload.
Invalid data passed to cache or layout payload.
Failed to read dependent provider key.
Failed to read dependent provider key.
Failed to execute dependent registration action for provider key: %ls
Failed to execute dependent registration action for provider key: %ls
Failed to read exe package.
Failed to read exe package.
Failed to execute EXE package.
Failed to execute EXE package.
Failed to execute MSI package.
Failed to execute MSI package.
Failed to execute MSP package.
Failed to execute MSP package.
Failed to execute MSU package.
Failed to execute MSU package.
Failed to execute package provider action.
Failed to execute package provider action.
Failed to read bundle dependency key from message buffer.
Failed to read bundle dependency key from message buffer.
Failed to execute package dependency action.
Failed to execute package dependency action.
Invalid message type: %d
Invalid message type: %d
Failed to read approved exe id.
Failed to read approved exe id.
Failed to read approved exe arguments.
Failed to read approved exe arguments.
Failed to read approved exe WaitForInputIdle timeout.
Failed to read approved exe WaitForInputIdle timeout.
The per-user process requested unknown approved exe with id: %ls
The per-user process requested unknown approved exe with id: %ls
Failed to open the registry key for the approved exe path.
Failed to open the registry key for the approved exe path.
Failed to read the value for the approved exe path.
Failed to read the value for the approved exe path.
Failed to verify the executable path is in a secure location: %ls
Failed to verify the executable path is in a secure location: %ls
The executable path is not in a secure location: %ls
The executable path is not in a secure location: %ls
Failed to launch approved exe: %ls
Failed to launch approved exe: %ls
Failed to write the approved exe process id to message buffer.
Failed to write the approved exe process id to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
splashscreen.cpp
splashscreen.cpp
uithread.cpp
uithread.cpp
EngineForApplication.cpp
EngineForApplication.cpp
Failed to send embedded message over pipe.
Failed to send embedded message over pipe.
Failed to send embedded progress message over pipe.
Failed to send embedded progress message over pipe.
UX denied while trying to set download URL on embedded payload: %ls
UX denied while trying to set download URL on embedded payload: %ls
Failed to set download URL.
Failed to set download URL.
Failed to set download password.
Failed to set download password.
UX requested unknown approved exe with id: %ls
UX requested unknown approved exe with id: %ls
Failed to post launch approved exe message.
Failed to post launch approved exe message.
The string is too big: size %u
The string is too big: size %u
.cab
.cab
cabextract.cpp
cabextract.cpp
Failed to create begin operation event.
Failed to create begin operation event.
Failed to create operation complete event.
Failed to create operation complete event.
Failed to wait for operation complete.
Failed to wait for operation complete.
Failed to begin and wait for operation.
Failed to begin and wait for operation.
Failed to set begin operation event.
Failed to set begin operation event.
Failed to reset operation complete event.
Failed to reset operation complete event.
Failed to wait for operation complete event.
Failed to wait for operation complete event.
Failed to initialize cabinet.dll.
Failed to initialize cabinet.dll.
Failed to extract all files from container, erf: %d:%X:%d
Failed to extract all files from container, erf: %d:%X:%d
Failed to set operation complete event.
Failed to set operation complete event.
Failed to wait for begin operation event.
Failed to wait for begin operation event.
Failed to reset begin operation event.
Failed to reset begin operation event.
Invalid operation for this state.
Invalid operation for this state.
Failed to move file pointer 0x%x bytes.
Failed to move file pointer 0x%x bytes.
exeengine.cpp
exeengine.cpp
Failed to evaluate executable package detect condition.
Failed to evaluate executable package detect condition.
Invalid package current state: %d.
Invalid package current state: %d.
Failed to insert execute action.
Failed to insert execute action.
Failed to build executable path.
Failed to build executable path.
Failed to get action arguments for executable package.
Failed to get action arguments for executable package.
Bootstrapper application aborted during EXE progress.
Bootstrapper application aborted during EXE progress.
Failed to wait for executable to complete: %ls
Failed to wait for executable to complete: %ls
Process returned error: 0x%x
Process returned error: 0x%x
msiengine.cpp
msiengine.cpp
Failed to calculate execute feature state.
Failed to calculate execute feature state.
Invalid package current state result encountered during plan: %d
Invalid package current state result encountered during plan: %d
Failed to detect compatible package from provider key.
Failed to detect compatible package from provider key.
Failed to copy the compatible provider key.
Failed to copy the compatible provider key.
mspengine.cpp
mspengine.cpp
msuengine.cpp
msuengine.cpp
Failed to find Windows directory.
Failed to find Windows directory.
Failed to allocate WUSA.exe path.
Failed to allocate WUSA.exe path.
dependency.cpp
dependency.cpp
Failed to get the Key attribute.
Failed to get the Key attribute.
Failed to get the Imported attribute.
Failed to get the Imported attribute.
Failed to get provider key bundle id.
Failed to get provider key bundle id.
Failed to initialize provider key bundle id.
Failed to initialize provider key bundle id.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to insert provider execute action.
Failed to insert provider execute action.
Failed to append provider execute action.
Failed to append provider execute action.
Unrecognized registration action type: %d
Unrecognized registration action type: %d
Failed to append the key "%ls".
Failed to append the key "%ls".
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to get the provider key package id.
Failed to get the provider key package id.
Failed to copy the provider key.
Failed to copy the provider key.
Failed to open uninstall registry key.
Failed to open uninstall registry key.
Failed to enumerate uninstall key for related bundles.
Failed to enumerate uninstall key for related bundles.
Failed to open uninstall key for potential related bundle: %ls
Failed to open uninstall key for potential related bundle: %ls
relatedbundle.cpp
relatedbundle.cpp
Failed to read provider key from registry for bundle: %ls
Failed to read provider key from registry for bundle: %ls
detect.cpp
detect.cpp
Unexpected relation type encountered: %d
Unexpected relation type encountered: %d
Failed to copy update url.
Failed to copy update url.
Failed attempt to download update feed from URL: '%ls' to: '%ls'
Failed attempt to download update feed from URL: '%ls' to: '%ls'
apply.cpp
apply.cpp
BA aborted execute begin.
BA aborted execute begin.
Failed to execute dependent registration action.
Failed to execute dependent registration action.
Failed attempt to download URL: '%ls' to: '%ls'
Failed attempt to download URL: '%ls' to: '%ls'
Failed to execute package provider registration action.
Failed to execute package provider registration action.
Failed to execute dependency action.
Failed to execute dependency action.
Failed to execute compatible package action.
Failed to execute compatible package action.
Invalid execute action.
Invalid execute action.
Invalid rollback action: %d.
Invalid rollback action: %d.
UX aborted execute EXE package begin.
UX aborted execute EXE package begin.
UX aborted EXE progress.
UX aborted EXE progress.
Failed to configure per-machine EXE package.
Failed to configure per-machine EXE package.
Failed to configure per-user EXE package.
Failed to configure per-user EXE package.
UX aborted EXE package execute progress.
UX aborted EXE package execute progress.
UX aborted execute MSI package begin.
UX aborted execute MSI package begin.
UX aborted MSI package execute progress.
UX aborted MSI package execute progress.
UX aborted execute MSP package begin.
UX aborted execute MSP package begin.
BA aborted execute MSP target.
BA aborted execute MSP target.
UX aborted MSP package execute progress.
UX aborted MSP package execute progress.
UX aborted execute MSU package begin.
UX aborted execute MSU package begin.
UX aborted MSU package execute progress.
UX aborted MSU package execute progress.
Failed to parse approved exes.
Failed to parse approved exes.
pseudobundle.cpp
pseudobundle.cpp
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle.
Failed to copy key for pseudo bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy install arguments for passthrough bundle package
Failed to copy install arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to create embedded pipe name and client token.
Failed to create embedded pipe name and client token.
Failed to create embedded pipe.
Failed to create embedded pipe.
embedded.cpp
embedded.cpp
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded executable: %ls
Failed to wait for embedded executable: %ls
Unexpected embedded message sent to child process, msg: %u
Unexpected embedded message sent to child process, msg: %u
NetFxChainer.cpp
NetFxChainer.cpp
k"bitsengine.cpp
k"bitsengine.cpp
Invalid BITS engine URL: %ls
Invalid BITS engine URL: %ls
Failed to copy download URL.
Failed to copy download URL.
operator
operator
operator ""
operator ""
GetProcessWindowStation
GetProcessWindowStation
%S#[k
%S#[k
buffutil.cpp
buffutil.cpp
cryputil.cpp
cryputil.cpp
logutil.cpp
logutil.cpp
Error 0x%x: %ls
Error 0x%x: %ls
Executable: %ls v%d.%d.%d.%d
Executable: %ls v%d.%d.%d.%d
memutil.cpp
memutil.cpp
pathutil.cpp
pathutil.cpp
procutil.cpp
procutil.cpp
RegDeleteKeyExW
RegDeleteKeyExW
regutil.cpp
regutil.cpp
srputil.cpp
srputil.cpp
strutil.cpp
strutil.cpp
wiutil.cpp
wiutil.cpp
xmlutil.cpp
xmlutil.cpp
kernel32.dll
kernel32.dll
shelutil.cpp
shelutil.cpp
Kwuautil.cpp
Kwuautil.cpp
fileutil.cpp
fileutil.cpp
dirutil.cpp
dirutil.cpp
dictutil.cpp
dictutil.cpp
aclutil.cpp
aclutil.cpp
certutil.cpp
certutil.cpp
svcutil.cpp
svcutil.cpp
dlutil.cpp
dlutil.cpp
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Unknown HTTP status code %d, returned from URL: %ls
Unknown HTTP status code %d, returned from URL: %ls
atomutil.cpp
atomutil.cpp
apuputil.cpp
apuputil.cpp
timeutil.cpp
timeutil.cpp
inetutil.cpp
inetutil.cpp
uriutil.cpp
uriutil.cpp
deputil.cpp
deputil.cpp
C:\src\wix39\build\ship\x86\burn.pdb
C:\src\wix39\build\ship\x86\burn.pdb
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
OLEAUT32.dll
OLEAUT32.dll
GDI32.dll
GDI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
ConnectNamedPipe
ConnectNamedPipe
SetNamedPipeHandleState
SetNamedPipeHandleState
CreateNamedPipeW
CreateNamedPipeW
SetThreadExecutionState
SetThreadExecutionState
KERNEL32.dll
KERNEL32.dll
Cabinet.dll
Cabinet.dll
CryptHashPublicKeyInfo
CryptHashPublicKeyInfo
CRYPT32.dll
CRYPT32.dll
msi.dll
msi.dll
RPCRT4.dll
RPCRT4.dll
WININET.dll
WININET.dll
WINTRUST.dll
WINTRUST.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
ShellExecuteExW
ShellExecuteExW
VERSION.dll
VERSION.dll
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
CertGetCertificateContextProperty
CertGetCertificateContextProperty
SHLWAPI.dll
SHLWAPI.dll
HttpOpenRequestW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpSendRequestW
HttpSendRequestW
HttpQueryInfoW
HttpQueryInfoW
InternetCrackUrlW
InternetCrackUrlW
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
LaunchApprovedExe begin, id: %1!ls!
LaunchApprovedExe begin, id: %1!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Application canceled operation: %2!ls!, error: %1!ls!
Application canceled operation: %2!ls!, error: %1!ls!
WiX Toolset BootstrapperPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
WiX Toolset BootstrapperPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
95:?:{:);5;&
95:?:{:);5;&
:):3:6
:):3:6
7.84888
7.84888
>.?4?8?@?
>.?4?8?@?
1"131?1[1{1
1"131?1[1{1
7(838>8^8
7(838>8^8
> ???[?~?
> ???[?~?
3U5C5O5Y5_5e5
3U5C5O5Y5_5e5
= =$=(=,=
= =$=(=,=
5 5$5(5,5
5 5$5(5,5
: :$:(:,:0:
: :$:(:,:0:
WixBundleExecutePackageCacheFolder
WixBundleExecutePackageCacheFolder
WixBundleProviderKey
WixBundleProviderKey
NTSuiteWebServer
NTSuiteWebServer
WindowsFolder
WindowsFolder
WindowsVolume
WindowsVolume
[\%c]
[\%c]
.[%d]
.[%d]
.WiX Burn
.WiX Burn
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
.ComponentId
.ComponentId
.keyPath
.keyPath
.language
.language
ApprovedExeForElevation
ApprovedExeForElevation
.ValueName
.ValueName
"%ls" %s
"%ls" %s
.Attached
.Attached
DownloadUrl
DownloadUrl
.FileSize
.FileSize
CertificateRootPublicKeyIdentifier
CertificateRootPublicKeyIdentifier
CertificateRootThumbprint
CertificateRootThumbprint
.ba%d
.ba%d
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
.Size
.Size
.PerMachine
.PerMachine
.RollbackLogPathVariable
.RollbackLogPathVariable
.InstallCondition
.InstallCondition
.PatchTargetCode
.PatchTargetCode
.Update
.Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
BundleProviderKey
BundleProviderKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%ls.RebootRequired
%ls.RebootRequired
URLInfoAbout
URLInfoAbout
URLUpdateInfo
URLUpdateInfo
ParentKeyName
ParentKeyName
burn.runonce
burn.runonce
ProviderKey
ProviderKey
.ExecutableName
.ExecutableName
AboutUrl
AboutUrl
UpdateUrl
UpdateUrl
.DisableModify
.DisableModify
.Filename
.Filename
8%s\%s
8%s\%s
.%s\state.rsm
.%s\state.rsm
.RelatedBundle
.RelatedBundle
%ls%hs%ls_u_%ls%ls.%ls
%ls%hs%ls_u_%ls%ls.%ls
uSOFTWARE\Policies\Microsoft\Windows\Installer
uSOFTWARE\Policies\Microsoft\Windows\Installer
\\.\pipe\%ls
\\.\pipe\%ls
\\.\pipe\%ls.Cache
\\.\pipe\%ls.Cache
burn.elevated
burn.elevated
burn.unelevated
burn.unelevated
BurnPipe.%s
BurnPipe.%s
s-%ls %ls %ls %u %ls
s-%ls %ls %ls %u %ls
-q -%ls %ls %ls %u
-q -%ls %ls %ls %u
.open
.open
burn.embedded
burn.embedded
burn.log.append
burn.log.append
burn.related.detect
burn.related.detect
burn.related.upgrade
burn.related.upgrade
burn.related.addon
burn.related.addon
burn.related.patch
burn.related.patch
burn.related.update
burn.related.update
burn.passthrough
burn.passthrough
burn.disable.unelevate
burn.disable.unelevate
burn.ignoredependencies
burn.ignoredependencies
burn.ancestors
burn.ancestors
/passive
/passive
passive
passive
.unverified
.unverified
.PackageCache
.PackageCache
.WixBurnMessageWindow
.WixBurnMessageWindow
.update\%ls
.update\%ls
.InstallArguments
.InstallArguments
.Repairable
.Repairable
.MsiProperty
.MsiProperty
.RollbackValue
.RollbackValue
%s$="%s"
%s$="%s"
ADDLOCAL="%s"
ADDLOCAL="%s"
ADDSOURCE="%s"
ADDSOURCE="%s"
ADDDEFAULT="%s"
ADDDEFAULT="%s"
. REINSTALL="%s"
. REINSTALL="%s"
ADVERTISE="%s"
ADVERTISE="%s"
REMOVE="%s"
REMOVE="%s"
wusa.exe
wusa.exe
.wuauserv
.wuauserv
Imported
Imported
.Chain
.Chain
.%ls -%ls %ls %ls %u
.%ls -%ls %ls %ls %u
.%ls /pipe %ls
.%ls /pipe %ls
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
mscoree.dll
mscoree.dll
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_downlevel.cpp
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_downlevel.cpp
user32.dll
user32.dll
desktopcrt140
desktopcrt140
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_nonmsdk.cpp
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_nonmsdk.cpp
__acrt_post_initialize_nonmsdk_dependencies
__acrt_post_initialize_nonmsdk_dependencies
portuguese-brazilian
portuguese-brazilian
AdvApi32.dll
AdvApi32.dll
Crypt32.dll
Crypt32.dll
s0xx
s0xx
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
\\?\UNC
\\?\UNC
%ls_uuuuuu%ls%ls%ls
%ls_uuuuuu%ls%ls%ls
srclient.dll
srclient.dll
pMsi.dll
pMsi.dll
Msxml2.DOMDocument
Msxml2.DOMDocument
MSXML.DOMDocument
MSXML.DOMDocument
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
pMicrosoft.Update.AutoUpdate
pMicrosoft.Update.AutoUpdate
PendingFileRenameOperations
PendingFileRenameOperations
%u.%u.%u.%u
%u.%u.%u.%u
hXXp://appsyndication.org/2006/appsyn
hXXp://appsyndication.org/2006/appsyn
hu-hu-huThu:hu:hu%cu:u
hu-hu-huThu:hu:hu%cu:u
c:\%original file name%.exe
c:\%original file name%.exe
8.1.923
8.1.923
novapdf.exe
novapdf.exe
%original file name%.exe_912:
.text
.text
`.rdata
`.rdata
@.data
@.data
.wixburn8
.wixburn8
@.tls
@.tls
.rsrc
.rsrc
@.reloc
@.reloc
8.wixu
8.wixu
v%j.Yf;
v%j.Yf;
t%SQW
t%SQW
SSSSh
SSSSh
PSSSSSSh
PSSSSSSh
j.Zf;
j.Zf;
j.Yf;
j.Yf;
engine.cpp
engine.cpp
3.10.1124.0
3.10.1124.0
Failed to create pipes to connect to elevated parent process.
Failed to create pipes to connect to elevated parent process.
Failed to set elevated pipe into thread local storage for logging.
Failed to set elevated pipe into thread local storage for logging.
variable.cpp
variable.cpp
Unsupported variable type.
Unsupported variable type.
Setting variable failed: ID '%ls', HRESULT 0x%x
Setting variable failed: ID '%ls', HRESULT 0x%x
Failed to find DllGetVersion entry point in msi.dll.
Failed to find DllGetVersion entry point in msi.dll.
Failed to get msi.dll version info.
Failed to get msi.dll version info.
Failed to get windows directory.
Failed to get windows directory.
Failed to open Windows folder key.
Failed to open Windows folder key.
condition.cpp
condition.cpp
Failed to parse condition '%ls' at position: %u
Failed to parse condition '%ls' at position: %u
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unexpected '~' operator at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Unterminated literal at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Constant too big, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Invalid version format, at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
Failed to parse condition "%ls". Unexpected character at position %d.
search.cpp
search.cpp
Failed to get Key attribute.
Failed to get Key attribute.
Directory search: %ls, did not find path: %ls, reason: 0x%x
Directory search: %ls, did not find path: %ls, reason: 0x%x
Failed to format key string.
Failed to format key string.
Registry key not found. Key = '%ls'
Registry key not found. Key = '%ls'
Failed to open registry key. Key = '%ls'
Failed to open registry key. Key = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Registry value not found. Key = '%ls', Value = '%ls'
Failed to query registry key value.
Failed to query registry key value.
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x
Failed to open registry key.
Failed to open registry key.
Failed to query registry key value size.
Failed to query registry key value size.
Unsupported registry key value type. Type = '%u'
Unsupported registry key value type. Type = '%u'
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x
Failed to get component path: %d
Failed to get component path: %d
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
Unsupported product search type: %u
Unsupported product search type: %u
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiProductSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x
section.cpp
section.cpp
Failed to read image section header, index: %u
Failed to read image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read complete image section header, index: %u
Failed to read section info, data to short: %u
Failed to read section info, data to short: %u
Failed to read section info, unsupported version: x
Failed to read section info, unsupported version: x
Failed to find container info, too few elements: %u
Failed to find container info, too few elements: %u
Failed to select approved exe nodes.
Failed to select approved exe nodes.
Failed to get approved exe node count.
Failed to get approved exe node count.
approvedexe.cpp
approvedexe.cpp
Failed to allocate memory for approved exe structs.
Failed to allocate memory for approved exe structs.
Failed to get @Key.
Failed to get @Key.
Failed to create executable command.
Failed to create executable command.
Failed to create obfuscated executable command.
Failed to create obfuscated executable command.
container.cpp
container.cpp
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.
Failed to get path for executing module.
Failed to get path for executing module.
catalog.cpp
catalog.cpp
payload.cpp
payload.cpp
Failed to get @DownloadUrl.
Failed to get @DownloadUrl.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to hex decode @CertificateRootPublicKeyIdentifier.
Failed to get @CertificateRootThumbprint.
Failed to get @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to hex decode @CertificateRootThumbprint.
Failed to get directory portion of local file path
Failed to get directory portion of local file path
userexperience.cpp
userexperience.cpp
package.cpp
package.cpp
Failed to parse EXE package.
Failed to parse EXE package.
Failed to get @ProviderKey.
Failed to get @ProviderKey.
Failed to get @ExecutableName.
Failed to get @ExecutableName.
Failed to get @AboutUrl.
Failed to get @AboutUrl.
Failed to get @UpdateUrl.
Failed to get @UpdateUrl.
registration.cpp
registration.cpp
Failed to overwrite the bundle provider key built-in variable.
Failed to overwrite the bundle provider key built-in variable.
Failed to format pending restart registry key to read.
Failed to format pending restart registry key to read.
Failed to open registration key.
Failed to open registration key.
Failed to create registration key.
Failed to create registration key.
Failed to register the bundle dependency key.
Failed to register the bundle dependency key.
Failed to write volatile reboot required registry key.
Failed to write volatile reboot required registry key.
Failed to delete registration key: %ls
Failed to delete registration key: %ls
Failed to build uninstall registry key path.
Failed to build uninstall registry key path.
Failed to build cached executable path.
Failed to build cached executable path.
Failed to create run key.
Failed to create run key.
Failed to write run key value.
Failed to write run key value.
Failed to delete run key value.
Failed to delete run key value.
Failed to format the key path for update registration.
Failed to format the key path for update registration.
Failed to get the formatted key path for update registration.
Failed to get the formatted key path for update registration.
Failed to create the key for update registration.
Failed to create the key for update registration.
Failed to format key for update registration.
Failed to format key for update registration.
Failed to remove update registration key: %ls
Failed to remove update registration key: %ls
Failed to get path for current executing process as layout directory.
Failed to get path for current executing process as layout directory.
Failed to get executing process as layout directory.
Failed to get executing process as layout directory.
Failed to to copy executable name for bundle.
Failed to to copy executable name for bundle.
Failed to append execute action.
Failed to append execute action.
Failed to add dependent bundle provider key to ignore dependents.
Failed to add dependent bundle provider key to ignore dependents.
Failed to process passthrough package.
Failed to process passthrough package.
Failed to plan rollback boundary for passthrough package.
Failed to plan rollback boundary for passthrough package.
plan.cpp
plan.cpp
Failed to plan execute package.
Failed to plan execute package.
Failed to append execute checkpoint.
Failed to append execute checkpoint.
Unexpected relation type encountered during plan: %d
Unexpected relation type encountered during plan: %d
Failed to add the package provider key "%ls" to the planned list.
Failed to add the package provider key "%ls" to the planned list.
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to check the dictionary for a related bundle provider key: "%ls".
Failed to remove unnecessary execute actions.
Failed to remove unnecessary execute actions.
Failed to finalize slipstream execute actions.
Failed to finalize slipstream execute actions.
Failed to append execute checkpoint for cache rollback.
Failed to append execute checkpoint for cache rollback.
Failed to grow plan's array of execute actions.
Failed to grow plan's array of execute actions.
Failed to insert keep registration execute action.
Failed to insert keep registration execute action.
Failed to insert remove registration execute action.
Failed to insert remove registration execute action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to copy dependent provider key to rollback registration action.
Failed to get path for executing module as attached container working path.
Failed to get path for executing module as attached container working path.
logging.cpp
logging.cpp
Failed to write send message to pipe.
Failed to write send message to pipe.
Failed to pump messages during send message to pipe.
Failed to pump messages during send message to pipe.
pipe.cpp
pipe.cpp
No status returned to PipePumpMessages()
No status returned to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned result to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to read returned restart to PipePumpMessages()
Failed to process message: %u
Failed to process message: %u
Failed to get message over pipe
Failed to get message over pipe
Failed to create pipe guid.
Failed to create pipe guid.
Failed to convert pipe guid into string.
Failed to convert pipe guid into string.
Failed to allocate pipe name.
Failed to allocate pipe name.
Failed to allocate pipe secret.
Failed to allocate pipe secret.
Failed to create the security descriptor for the connection event and pipe.
Failed to create the security descriptor for the connection event and pipe.
Failed to allocate full name of pipe: %ls
Failed to allocate full name of pipe: %ls
Failed to create pipe: %ls
Failed to create pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to allocate full name of cache pipe: %ls
Failed to set pipe to non-blocking.
Failed to set pipe to non-blocking.
Failed to wait for child to connect to pipe.
Failed to wait for child to connect to pipe.
Failed to reset pipe to blocking.
Failed to reset pipe to blocking.
Failed to write secret length to pipe.
Failed to write secret length to pipe.
Failed to write secret to pipe.
Failed to write secret to pipe.
Failed to write our process id to pipe.
Failed to write our process id to pipe.
Failed to read ACK from pipe.
Failed to read ACK from pipe.
Failed to allocate name of parent pipe.
Failed to allocate name of parent pipe.
Failed to open parent pipe: %ls
Failed to open parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to verify parent pipe: %ls
Failed to allocate name of parent cache pipe.
Failed to allocate name of parent cache pipe.
Failed to open companion process with PID: %u
Failed to open companion process with PID: %u
Failed to write message type to pipe.
Failed to write message type to pipe.
Failed to read message from pipe.
Failed to read message from pipe.
Failed to read size of verification secret from parent pipe.
Failed to read size of verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification secret from parent pipe.
Failed to read verification process id from parent pipe.
Failed to read verification process id from parent pipe.
core.cpp
core.cpp
Failed to execute searches.
Failed to execute searches.
Failed to detect provider key bundle id.
Failed to detect provider key bundle id.
Failed to report detected related bundles.
Failed to report detected related bundles.
Package type not supported by detect yet.
Package type not supported by detect yet.
Failed to plan passthrough.
Failed to plan passthrough.
Another per-user setup is already executing.
Another per-user setup is already executing.
Another per-machine setup is already executing.
Another per-machine setup is already executing.
Failed while caching, aborting execution.
Failed while caching, aborting execution.
Engine cannot start LaunchApprovedExe because it is busy with another action.
Engine cannot start LaunchApprovedExe because it is busy with another action.
UX aborted LaunchApprovedExe begin.
UX aborted LaunchApprovedExe begin.
Failed to format passthrough for command-line.
Failed to format passthrough for command-line.
Failed to append passthrough to command-line.
Failed to append passthrough to command-line.
cache.cpp
cache.cpp
Failed to get provider state from authenticode certificate.
Failed to get provider state from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to get signer chain from authenticode certificate.
Failed to verify expected payload against actual certificate chain.
Failed to verify expected payload against actual certificate chain.
Failed to seek to checksum in exe header.
Failed to seek to checksum in exe header.
Failed to seek to signature table in exe header.
Failed to seek to signature table in exe header.
Failed to seek to original data in exe burn section header.
Failed to seek to original data in exe burn section header.
Failed to get certificate public key identifier.
Failed to get certificate public key identifier.
Failed to read certificate thumbprint.
Failed to read certificate thumbprint.
Failed to find expected public key in certificate chain.
Failed to find expected public key in certificate chain.
elevation.cpp
elevation.cpp
Failed to create pipe name and client token.
Failed to create pipe name and client token.
Failed to create pipe and cache pipe.
Failed to create pipe and cache pipe.
Failed to write registration operations to message buffer.
Failed to write registration operations to message buffer.
Failed to write dependent provider key to message buffer.
Failed to write dependent provider key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.
Failed to write bundle dependency key to message buffer.
Failed to write bundle dependency key to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.
Failed to write approved exe id to message buffer.
Failed to write approved exe id to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe arguments to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to write approved exe WaitForInputIdle timeout to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to set elevated cache pipe into thread local storage for logging.
Failed to read file name: %u
Failed to read file name: %u
Failed to read MSI data: %u
Failed to read MSI data: %u
Failed to read approved exe process id.
Failed to read approved exe process id.
Invalid launch approved exe message.
Invalid launch approved exe message.
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Unexpected elevated cache message sent to child process, msg: %u
Failed to read registration operations.
Failed to read registration operations.
Invalid data passed to cache or layout payload.
Invalid data passed to cache or layout payload.
Failed to read dependent provider key.
Failed to read dependent provider key.
Failed to execute dependent registration action for provider key: %ls
Failed to execute dependent registration action for provider key: %ls
Failed to read exe package.
Failed to read exe package.
Failed to execute EXE package.
Failed to execute EXE package.
Failed to execute MSI package.
Failed to execute MSI package.
Failed to execute MSP package.
Failed to execute MSP package.
Failed to execute MSU package.
Failed to execute MSU package.
Failed to execute package provider action.
Failed to execute package provider action.
Failed to read bundle dependency key from message buffer.
Failed to read bundle dependency key from message buffer.
Failed to execute package dependency action.
Failed to execute package dependency action.
Invalid message type: %d
Invalid message type: %d
Failed to read approved exe id.
Failed to read approved exe id.
Failed to read approved exe arguments.
Failed to read approved exe arguments.
Failed to read approved exe WaitForInputIdle timeout.
Failed to read approved exe WaitForInputIdle timeout.
The per-user process requested unknown approved exe with id: %ls
The per-user process requested unknown approved exe with id: %ls
Failed to open the registry key for the approved exe path.
Failed to open the registry key for the approved exe path.
Failed to read the value for the approved exe path.
Failed to read the value for the approved exe path.
Failed to verify the executable path is in a secure location: %ls
Failed to verify the executable path is in a secure location: %ls
The executable path is not in a secure location: %ls
The executable path is not in a secure location: %ls
Failed to launch approved exe: %ls
Failed to launch approved exe: %ls
Failed to write the approved exe process id to message buffer.
Failed to write the approved exe process id to message buffer.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.
splashscreen.cpp
splashscreen.cpp
uithread.cpp
uithread.cpp
EngineForApplication.cpp
EngineForApplication.cpp
Failed to send embedded message over pipe.
Failed to send embedded message over pipe.
Failed to send embedded progress message over pipe.
Failed to send embedded progress message over pipe.
UX denied while trying to set download URL on embedded payload: %ls
UX denied while trying to set download URL on embedded payload: %ls
Failed to set download URL.
Failed to set download URL.
Failed to set download password.
Failed to set download password.
UX requested unknown approved exe with id: %ls
UX requested unknown approved exe with id: %ls
Failed to post launch approved exe message.
Failed to post launch approved exe message.
The string is too big: size %u
The string is too big: size %u
.cab
.cab
cabextract.cpp
cabextract.cpp
Failed to create begin operation event.
Failed to create begin operation event.
Failed to create operation complete event.
Failed to create operation complete event.
Failed to wait for operation complete.
Failed to wait for operation complete.
Failed to begin and wait for operation.
Failed to begin and wait for operation.
Failed to set begin operation event.
Failed to set begin operation event.
Failed to reset operation complete event.
Failed to reset operation complete event.
Failed to wait for operation complete event.
Failed to wait for operation complete event.
Failed to initialize cabinet.dll.
Failed to initialize cabinet.dll.
Failed to extract all files from container, erf: %d:%X:%d
Failed to extract all files from container, erf: %d:%X:%d
Failed to set operation complete event.
Failed to set operation complete event.
Failed to wait for begin operation event.
Failed to wait for begin operation event.
Failed to reset begin operation event.
Failed to reset begin operation event.
Invalid operation for this state.
Invalid operation for this state.
Failed to move file pointer 0x%x bytes.
Failed to move file pointer 0x%x bytes.
exeengine.cpp
exeengine.cpp
Failed to evaluate executable package detect condition.
Failed to evaluate executable package detect condition.
Invalid package current state: %d.
Invalid package current state: %d.
Failed to insert execute action.
Failed to insert execute action.
Failed to build executable path.
Failed to build executable path.
Failed to get action arguments for executable package.
Failed to get action arguments for executable package.
Bootstrapper application aborted during EXE progress.
Bootstrapper application aborted during EXE progress.
Failed to wait for executable to complete: %ls
Failed to wait for executable to complete: %ls
Process returned error: 0x%x
Process returned error: 0x%x
msiengine.cpp
msiengine.cpp
Failed to calculate execute feature state.
Failed to calculate execute feature state.
Invalid package current state result encountered during plan: %d
Invalid package current state result encountered during plan: %d
Failed to detect compatible package from provider key.
Failed to detect compatible package from provider key.
Failed to copy the compatible provider key.
Failed to copy the compatible provider key.
mspengine.cpp
mspengine.cpp
msuengine.cpp
msuengine.cpp
Failed to find Windows directory.
Failed to find Windows directory.
Failed to allocate WUSA.exe path.
Failed to allocate WUSA.exe path.
dependency.cpp
dependency.cpp
Failed to get the Key attribute.
Failed to get the Key attribute.
Failed to get the Imported attribute.
Failed to get the Imported attribute.
Failed to get provider key bundle id.
Failed to get provider key bundle id.
Failed to initialize provider key bundle id.
Failed to initialize provider key bundle id.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to add the bundle provider key to the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to join the list of dependencies to ignore.
Failed to insert provider execute action.
Failed to insert provider execute action.
Failed to append provider execute action.
Failed to append provider execute action.
Unrecognized registration action type: %d
Unrecognized registration action type: %d
Failed to append the key "%ls".
Failed to append the key "%ls".
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the bundle provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to add the package provider key "%ls" to the list of ignored dependencies.
Failed to get the provider key package id.
Failed to get the provider key package id.
Failed to copy the provider key.
Failed to copy the provider key.
Failed to open uninstall registry key.
Failed to open uninstall registry key.
Failed to enumerate uninstall key for related bundles.
Failed to enumerate uninstall key for related bundles.
Failed to open uninstall key for potential related bundle: %ls
Failed to open uninstall key for potential related bundle: %ls
relatedbundle.cpp
relatedbundle.cpp
Failed to read provider key from registry for bundle: %ls
Failed to read provider key from registry for bundle: %ls
detect.cpp
detect.cpp
Unexpected relation type encountered: %d
Unexpected relation type encountered: %d
Failed to copy update url.
Failed to copy update url.
Failed attempt to download update feed from URL: '%ls' to: '%ls'
Failed attempt to download update feed from URL: '%ls' to: '%ls'
apply.cpp
apply.cpp
BA aborted execute begin.
BA aborted execute begin.
Failed to execute dependent registration action.
Failed to execute dependent registration action.
Failed attempt to download URL: '%ls' to: '%ls'
Failed attempt to download URL: '%ls' to: '%ls'
Failed to execute package provider registration action.
Failed to execute package provider registration action.
Failed to execute dependency action.
Failed to execute dependency action.
Failed to execute compatible package action.
Failed to execute compatible package action.
Invalid execute action.
Invalid execute action.
Invalid rollback action: %d.
Invalid rollback action: %d.
UX aborted execute EXE package begin.
UX aborted execute EXE package begin.
UX aborted EXE progress.
UX aborted EXE progress.
Failed to configure per-machine EXE package.
Failed to configure per-machine EXE package.
Failed to configure per-user EXE package.
Failed to configure per-user EXE package.
UX aborted EXE package execute progress.
UX aborted EXE package execute progress.
UX aborted execute MSI package begin.
UX aborted execute MSI package begin.
UX aborted MSI package execute progress.
UX aborted MSI package execute progress.
UX aborted execute MSP package begin.
UX aborted execute MSP package begin.
BA aborted execute MSP target.
BA aborted execute MSP target.
UX aborted MSP package execute progress.
UX aborted MSP package execute progress.
UX aborted execute MSU package begin.
UX aborted execute MSU package begin.
UX aborted MSU package execute progress.
UX aborted MSU package execute progress.
Failed to parse approved exes.
Failed to parse approved exes.
pseudobundle.cpp
pseudobundle.cpp
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle payload.
Failed to copy key for pseudo bundle.
Failed to copy key for pseudo bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to allocate space for burn package payload inside of passthrough bundle.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy key for passthrough pseudo bundle payload.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy filename for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy local source path for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy download source for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy key for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy cache id for passthrough pseudo bundle.
Failed to copy install arguments for passthrough bundle package
Failed to copy install arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy related arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to copy uninstall arguments for passthrough bundle package
Failed to create embedded pipe name and client token.
Failed to create embedded pipe name and client token.
Failed to create embedded pipe.
Failed to create embedded pipe.
embedded.cpp
embedded.cpp
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded process to connect to pipe.
Failed to wait for embedded executable: %ls
Failed to wait for embedded executable: %ls
Unexpected embedded message sent to child process, msg: %u
Unexpected embedded message sent to child process, msg: %u
NetFxChainer.cpp
NetFxChainer.cpp
k"bitsengine.cpp
k"bitsengine.cpp
Invalid BITS engine URL: %ls
Invalid BITS engine URL: %ls
Failed to copy download URL.
Failed to copy download URL.
operator
operator
operator ""
operator ""
GetProcessWindowStation
GetProcessWindowStation
%S#[k
%S#[k
buffutil.cpp
buffutil.cpp
cryputil.cpp
cryputil.cpp
logutil.cpp
logutil.cpp
Error 0x%x: %ls
Error 0x%x: %ls
Executable: %ls v%d.%d.%d.%d
Executable: %ls v%d.%d.%d.%d
memutil.cpp
memutil.cpp
pathutil.cpp
pathutil.cpp
procutil.cpp
procutil.cpp
RegDeleteKeyExW
RegDeleteKeyExW
regutil.cpp
regutil.cpp
srputil.cpp
srputil.cpp
strutil.cpp
strutil.cpp
wiutil.cpp
wiutil.cpp
xmlutil.cpp
xmlutil.cpp
kernel32.dll
kernel32.dll
shelutil.cpp
shelutil.cpp
Kwuautil.cpp
Kwuautil.cpp
fileutil.cpp
fileutil.cpp
dirutil.cpp
dirutil.cpp
dictutil.cpp
dictutil.cpp
aclutil.cpp
aclutil.cpp
certutil.cpp
certutil.cpp
svcutil.cpp
svcutil.cpp
dlutil.cpp
dlutil.cpp
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Failed to send request to URL: %ls, trying to process HTTP status code anyway.
Unknown HTTP status code %d, returned from URL: %ls
Unknown HTTP status code %d, returned from URL: %ls
atomutil.cpp
atomutil.cpp
apuputil.cpp
apuputil.cpp
timeutil.cpp
timeutil.cpp
inetutil.cpp
inetutil.cpp
uriutil.cpp
uriutil.cpp
deputil.cpp
deputil.cpp
C:\src\wix39\build\ship\x86\burn.pdb
C:\src\wix39\build\ship\x86\burn.pdb
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
OLEAUT32.dll
OLEAUT32.dll
GDI32.dll
GDI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
ConnectNamedPipe
ConnectNamedPipe
SetNamedPipeHandleState
SetNamedPipeHandleState
CreateNamedPipeW
CreateNamedPipeW
SetThreadExecutionState
SetThreadExecutionState
KERNEL32.dll
KERNEL32.dll
Cabinet.dll
Cabinet.dll
CryptHashPublicKeyInfo
CryptHashPublicKeyInfo
CRYPT32.dll
CRYPT32.dll
msi.dll
msi.dll
RPCRT4.dll
RPCRT4.dll
WININET.dll
WININET.dll
WINTRUST.dll
WINTRUST.dll
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegEnumKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
ShellExecuteExW
ShellExecuteExW
VERSION.dll
VERSION.dll
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
CertGetCertificateContextProperty
CertGetCertificateContextProperty
SHLWAPI.dll
SHLWAPI.dll
HttpOpenRequestW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpSendRequestW
HttpSendRequestW
HttpQueryInfoW
HttpQueryInfoW
InternetCrackUrlW
InternetCrackUrlW
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'
Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!
LaunchApprovedExe begin, id: %1!ls!
LaunchApprovedExe begin, id: %1!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
Launching approved exe, path: '%1!ls!', 'command: %2!ls!'
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!
Application canceled operation: %2!ls!, error: %1!ls!
Application canceled operation: %2!ls!, error: %1!ls!
WiX Toolset BootstrapperPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
WiX Toolset BootstrapperPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
95:?:{:);5;&
95:?:{:);5;&
:):3:6
:):3:6
7.84888
7.84888
>.?4?8?@?
>.?4?8?@?
1"131?1[1{1
1"131?1[1{1
7(838>8^8
7(838>8^8
> ???[?~?
> ???[?~?
3U5C5O5Y5_5e5
3U5C5O5Y5_5e5
= =$=(=,=
= =$=(=,=
5 5$5(5,5
5 5$5(5,5
: :$:(:,:0:
: :$:(:,:0:
WixBundleExecutePackageCacheFolder
WixBundleExecutePackageCacheFolder
WixBundleProviderKey
WixBundleProviderKey
NTSuiteWebServer
NTSuiteWebServer
WindowsFolder
WindowsFolder
WindowsVolume
WindowsVolume
[\%c]
[\%c]
.[%d]
.[%d]
.WiX Burn
.WiX Burn
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
.ComponentId
.ComponentId
.keyPath
.keyPath
.language
.language
ApprovedExeForElevation
ApprovedExeForElevation
.ValueName
.ValueName
"%ls" %s
"%ls" %s
.Attached
.Attached
DownloadUrl
DownloadUrl
.FileSize
.FileSize
CertificateRootPublicKeyIdentifier
CertificateRootPublicKeyIdentifier
CertificateRootThumbprint
CertificateRootThumbprint
.ba%d
.ba%d
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage
.Size
.Size
.PerMachine
.PerMachine
.RollbackLogPathVariable
.RollbackLogPathVariable
.InstallCondition
.InstallCondition
.PatchTargetCode
.PatchTargetCode
.Update
.Update
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
BundleProviderKey
BundleProviderKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%ls.RebootRequired
%ls.RebootRequired
URLInfoAbout
URLInfoAbout
URLUpdateInfo
URLUpdateInfo
ParentKeyName
ParentKeyName
burn.runonce
burn.runonce
ProviderKey
ProviderKey
.ExecutableName
.ExecutableName
AboutUrl
AboutUrl
UpdateUrl
UpdateUrl
.DisableModify
.DisableModify
.Filename
.Filename
8%s\%s
8%s\%s
.%s\state.rsm
.%s\state.rsm
.RelatedBundle
.RelatedBundle
%ls%hs%ls_u_%ls%ls.%ls
%ls%hs%ls_u_%ls%ls.%ls
uSOFTWARE\Policies\Microsoft\Windows\Installer
uSOFTWARE\Policies\Microsoft\Windows\Installer
\\.\pipe\%ls
\\.\pipe\%ls
\\.\pipe\%ls.Cache
\\.\pipe\%ls.Cache
burn.elevated
burn.elevated
burn.unelevated
burn.unelevated
BurnPipe.%s
BurnPipe.%s
s-%ls %ls %ls %u %ls
s-%ls %ls %ls %u %ls
-q -%ls %ls %ls %u
-q -%ls %ls %ls %u
.open
.open
burn.embedded
burn.embedded
burn.log.append
burn.log.append
burn.related.detect
burn.related.detect
burn.related.upgrade
burn.related.upgrade
burn.related.addon
burn.related.addon
burn.related.patch
burn.related.patch
burn.related.update
burn.related.update
burn.passthrough
burn.passthrough
burn.disable.unelevate
burn.disable.unelevate
burn.ignoredependencies
burn.ignoredependencies
burn.ancestors
burn.ancestors
/passive
/passive
passive
passive
.unverified
.unverified
.PackageCache
.PackageCache
.WixBurnMessageWindow
.WixBurnMessageWindow
.update\%ls
.update\%ls
.InstallArguments
.InstallArguments
.Repairable
.Repairable
.MsiProperty
.MsiProperty
.RollbackValue
.RollbackValue
%s$="%s"
%s$="%s"
ADDLOCAL="%s"
ADDLOCAL="%s"
ADDSOURCE="%s"
ADDSOURCE="%s"
ADDDEFAULT="%s"
ADDDEFAULT="%s"
. REINSTALL="%s"
. REINSTALL="%s"
ADVERTISE="%s"
ADVERTISE="%s"
REMOVE="%s"
REMOVE="%s"
wusa.exe
wusa.exe
.wuauserv
.wuauserv
Imported
Imported
.Chain
.Chain
.%ls -%ls %ls %ls %u
.%ls -%ls %ls %ls %u
.%ls /pipe %ls
.%ls /pipe %ls
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
mscoree.dll
mscoree.dll
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_downlevel.cpp
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_downlevel.cpp
user32.dll
user32.dll
desktopcrt140
desktopcrt140
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_nonmsdk.cpp
f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_nonmsdk.cpp
__acrt_post_initialize_nonmsdk_dependencies
__acrt_post_initialize_nonmsdk_dependencies
portuguese-brazilian
portuguese-brazilian
AdvApi32.dll
AdvApi32.dll
Crypt32.dll
Crypt32.dll
s0xx
s0xx
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls
\\?\UNC
\\?\UNC
%ls_uuuuuu%ls%ls%ls
%ls_uuuuuu%ls%ls%ls
srclient.dll
srclient.dll
pMsi.dll
pMsi.dll
Msxml2.DOMDocument
Msxml2.DOMDocument
MSXML.DOMDocument
MSXML.DOMDocument
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
pMicrosoft.Update.AutoUpdate
pMicrosoft.Update.AutoUpdate
PendingFileRenameOperations
PendingFileRenameOperations
%u.%u.%u.%u
%u.%u.%u.%u
hXXp://appsyndication.org/2006/appsyn
hXXp://appsyndication.org/2006/appsyn
hu-hu-huThu:hu:hu%cu:u
hu-hu-huThu:hu:hu%cu:u
c:\%original file name%.exe
c:\%original file name%.exe
8.1.923
8.1.923
novapdf.exe
novapdf.exe
dotNetFx40_Full_x86_x64.exe_608:
.text
.text
`.data
`.data
.boxld01
.boxld01
@.rsrc
@.rsrc
@.reloc
@.reloc
GetProcessWindowStation
GetProcessWindowStation
operator
operator
Extraction took %d minutes and %d.%d seconds
Extraction took %d minutes and %d.%d seconds
Extraction took %d.%d seconds
Extraction took %d.%d seconds
Extraction took %d milliseconds
Extraction took %d milliseconds
Failed to execute file
Failed to execute file
Exiting with result code: 0x%x
Exiting with result code: 0x%x
Failed to get error string from error: 0x%x
Failed to get error string from error: 0x%x
Failed to get error message for error: 0x%x.
Failed to get error message for error: 0x%x.
Failed to set _SFX_CAB_EXE_PATH
Failed to set _SFX_CAB_EXE_PATH
Failed to set _SFX_CAB_EXE_PACKAGE
Failed to set _SFX_CAB_EXE_PACKAGE
Failed to set _SFX_CAB_EXE_PARAMETERS
Failed to set _SFX_CAB_EXE_PARAMETERS
Unable to resolve the path of the exe
Unable to resolve the path of the exe
Executing command line: '%S'
Executing command line: '%S'
Failed to stop reporting progress
Failed to stop reporting progress
Failed to open box from path: %S
Failed to open box from path: %S
Failed to start reporting progress
Failed to start reporting progress
Extracting files to: %S
Extracting files to: %S
Failed to verify box container #%d.
Failed to verify box container #%d.
Failed to extract all files out of box container #%d.
Failed to extract all files out of box container #%d.
Failed to add file name on to status prefix: %S
Failed to add file name on to status prefix: %S
Failed to create progress reporting initialization event
Failed to create progress reporting initialization event
Failed to get path to executable.
Failed to get path to executable.
Directory '%S' has been selected for file extraction
Directory '%S' has been selected for file extraction
Cluster drive map: '%S'
Cluster drive map: '%S'
Considering drive: '%S'...
Considering drive: '%S'...
Drive '%S' is rejected because it's a resource of a cluster
Drive '%S' is rejected because it's a resource of a cluster
Drive '%S' is rejected because of the unknown or unsuitable drive type
Drive '%S' is rejected because of the unknown or unsuitable drive type
Drive '%S' is rejected because it's not a hard disk or RAM disk
Drive '%S' is rejected because it's not a hard disk or RAM disk
Drive '%S' is rejected because it can't be written to
Drive '%S' is rejected because it can't be written to
Drive '%S' has been selected as the largest fixed drive
Drive '%S' has been selected as the largest fixed drive
Drive '%S' has been selected as the largest removable drive
Drive '%S' has been selected as the largest removable drive
Failed to load advapi32.dll
Failed to load advapi32.dll
Failed to load DecryptFileW from advapi.dll
Failed to load DecryptFileW from advapi.dll
Considering cluster resource: '%S'...
Considering cluster resource: '%S'...
Drive map for cluster resource '%S' : '%S'
Drive map for cluster resource '%S' : '%S'
Cluster resource type: '%S'
Cluster resource type: '%S'
Found a partition on cluster resource: '%S'
Found a partition on cluster resource: '%S'
Ignoring the partition '%S' because it doesn't look like a DOS name
Ignoring the partition '%S' because it doesn't look like a DOS name
Failed to allocate the path ro the clusapi.dll
Failed to allocate the path ro the clusapi.dll
Failed to load clusapi.dll
Failed to load clusapi.dll
Failed to load all required functions from the clusapi.dll
Failed to load all required functions from the clusapi.dll
Successfully bound to the ClusApi.dll
Successfully bound to the ClusApi.dll
--- logging level: %s ---
--- logging level: %s ---
%u/%u/%u, %u:%u:%u
%u/%u/%u, %u:%u:%u
Error 0x%x: %s
Error 0x%x: %s
=== Logging started: %S ===
=== Logging started: %S ===
Executable: %S v%d.%d.%d.%d
Executable: %S v%d.%d.%d.%d
=== Logging stopped: %S ===
=== Logging stopped: %S ===
boxstub.pdb
boxstub.pdb
j.Xf;
j.Xf;
\$09^0~9
\$09^0~9
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
COMCTL32.dll
COMCTL32.dll
RPCRT4.dll
RPCRT4.dll
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
USER32.dll
USER32.dll
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
Cabinet.dll
Cabinet.dll
OLEAUT32.dll
OLEAUT32.dll
VERSION.dll
VERSION.dll
boxstub.exe
boxstub.exe
C:\ProgramData\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe
C:\ProgramData\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe
2/12/2015, 4:21:17
2/12/2015, 4:21:17
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
6%6U6f6q6
6%6U6f6q6
:!:.:4:?:
:!:.:4:?:
6:7@7^7}7
6:7@7^7}7
> >$>(>,>0>4>8>
> >$>(>,>0>4>8>
5 5$5,5@5
5 5$5,5@5
yKERNEL32.DLL
yKERNEL32.DLL
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
\dd_%s_decompression_log.txt
\dd_%s_decompression_log.txt
_SFX_CAB_EXE_PATH
_SFX_CAB_EXE_PATH
H_SFX_CAB_EXE_PACKAGE
H_SFX_CAB_EXE_PACKAGE
_SFX_CAB_EXE_PARAMETERS
_SFX_CAB_EXE_PARAMETERS
%s...
%s...
\\.\?:
\\.\?:
advapi32.dll
advapi32.dll
%s\clusapi.dll
%s\clusapi.dll
=d/d/d d:d:d
=d/d/d d:d:d
\\?\UNC
\\?\UNC
kernel32.dll
kernel32.dll
%_SFX_CAB_EXE_PATH%\Setup.exe %_SFX_CAB_EXE_PARAMETERS% /x86 /x64
%_SFX_CAB_EXE_PATH%\Setup.exe %_SFX_CAB_EXE_PARAMETERS% /x86 /x64
JUnable to execute the embedded application to complete the installation.
JUnable to execute the embedded application to complete the installation.
Microsoft .NET Framework 4 Setup
Microsoft .NET Framework 4 Setup
4.0.30319.01
4.0.30319.01
dotNetFx40_Full_x86_x64.exe
dotNetFx40_Full_x86_x64.exe
Microsoft .NET Framework 4
Microsoft .NET Framework 4
10.0.21009.0 built by: DTG(RAVIR01-ravir)
10.0.21009.0 built by: DTG(RAVIR01-ravir)
BoxStub.exe
BoxStub.exe
.NET Framework
.NET Framework
10.0.21009.0
10.0.21009.0
Setup.exe_2864:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
GetProcessWindowStation
GetProcessWindowStation
Setup.pdb
Setup.pdb
KERNEL32.dll
KERNEL32.dll
SetupEngine.dll
SetupEngine.dll
GetCPInfo
GetCPInfo
Setup.exe
Setup.exe
version="1.0.0.0"
version="1.0.0.0"
name="Microsoft.IronMan.IronSpigot"
name="Microsoft.IronMan.IronSpigot"
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
}~/%D(
}~/%D(
.;6 (&%
.;6 (&%
1
1
1=;;6 )%#
1=;;6 )%#
=
=
=
=
=
=
==
==
=
=
=
=
=
=
==
==
=
=
yKERNEL32.DLL
yKERNEL32.DLL
mscoree.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
WUSER32.DLL
WUSER32.DLL
kernel32.dll
kernel32.dll
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe
10.0.30319.1 built by: RTMRel
10.0.30319.1 built by: RTMRel
SetupUI.exe
SetupUI.exe
.NET Framework
.NET Framework
10.0.30319.1
10.0.30319.1