Worm.Win32.AutoItGen_26df0b3916 – Adaware

mzpefinder_pcap_file.YR, WormAutoItGen.YR, PUPSpigot.YR (Lavasoft MAS)Behaviour: Worm, PUP

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 26df0b3916a792e8876cff097b2d76ef

SHA1: 148a1687d971be0fa2767644be43ca2c5fe41b6f

SHA256: df64ffe221a0d025121926e2e3934df59463b3dc1d8577ee143bc51bcd5e5c78

SSDeep: 98304:bejlMkuV N3cVcy54bj4mUHBZGVOdNHuY1lGV:b2E0Bju6/0B4QdNHuGlY

Size: 5144648 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-11-25 08:12:58

Analyzed on: Windows7Ada SP1 64-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

dotNetFx40_Full_x86_x64.exe:608
%original file name%.exe:2280
%original file name%.exe:912

The Worm injects its code into the following process(es):

Setup.exe:2864

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Setup.exe:2864 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI5C54.tmp.html (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI61F2.tmp.html (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_042118442.html (159496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20150212_042118973.html (1410924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_0 (20 bytes)

The process dotNetFx40_Full_x86_x64.exe:608 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

C:\e4ee511aec94f6616b59d4b9c3\1025\eula.rtf (7 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended.mzz (328309 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll (512 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe (576 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\LocalizedData.xml (92 bytes)
C:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll (1371 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\LocalizedData.xml (865 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate1.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x64.msi (6999 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\Parameterinfo.xml (1912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\LocalizedData.xml (911 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\header.bmp (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DisplayIcon.ico (538 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\LocalizedData.xml (766 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\LocalizedData.xml (321 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x64.msu (37124 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\LocalizedData.xml (263 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Print.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate6.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\LocalizedData.xml (229 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate5.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe (1495 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqNotMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9RAST_x64.msi (824 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DHtmlHeader.html (984 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\LocalizedData.xml (242 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll (227 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\UiInfo.xml (622 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll (914 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.xsd (30 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\eula.rtf (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll (81 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll (2015 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\LocalizedData.xml (90 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9Rast_x86.msi (875 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\LocalizedData.xml (744 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\ParameterInfo.xml (2261 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\stop.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\LocalizedData.xml (593 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SplashScreen.bmp (31 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x86.msu (15000 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll (15 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\LocalizedData.xml (1042 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\LocalizedData.xml (587 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\LocalizedData.xml (535 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\eula.rtf (5 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Strings.xml (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll (16 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\warn.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\LocalizedData.xml (613 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate2.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\LocalizedData.xml (1168 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate7.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll (122 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\LocalizedData.xml (1482 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\LocalizedData.xml (301 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll (779 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\LocalizedData.xml (156 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate4.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\watermark.bmp (531 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x64.msi (14022 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\LocalizedData.xml (873 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\LocalizedData.xml (219 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll (5583 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Setup.ico (57 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\Parameterinfo.xml (1030 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\eula.rtf (8 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll (644 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x64.msu (38528 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate8.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Save.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate3.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\LocalizedData.xml (810 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\eula.rtf (891 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core.mzz (1381912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x86.msi (7866 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt (2445 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x86.msu (15320 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\eula.rtf (12 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x86.msi (2812 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\LocalizedData.xml (480 bytes)

The process %original file name%.exe:2280 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\state.rsm (930 bytes)
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe (8657 bytes)
C:\ProgramData\regid.2008-09.org.wixtoolset\regid.2008-09.org.wixtoolset doPDF 8.swidtag (886 bytes)

The process %original file name%.exe:912 makes changes in the file system.

The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll (2546 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1044\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1055\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2052\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.thm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1032\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll (1663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll (1733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1045\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1030\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\roro.config (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1043\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1038\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperApplicationData.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1031\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.wxl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1036\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2070\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1035\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe (148700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log (26471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1060\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\License.htm (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1051\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full.R (6168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1053\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1042\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.png (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.config (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\3082\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\enus.config (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-image.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1041\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1049\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1040\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1029\mbapreq.wxl (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full (404972 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1028\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-text.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1046\mbapreq.wxl (2 bytes)

Registry activity

The process %original file name%.exe:2280 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"BundleTag" = "Type: REG_SZ, Length: 0"
"URLInfoAbout" = "http://www.dopdf.com"
"Publisher" = "Softland"
"EstimatedSize" = "49267"
"BundleDetectCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleCachePath" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe"
"EngineVersion" = "3.10.1124.0"
"BundleResumeCommandLine" = " /burn.log.append C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log"
"BundlePatchCode" = "Type: REG_MULTI_SZ, Length: 0"
"BundleVersion" = "8.1.923.0"
"NoElevateOnModify" = "1"
"DisplayName" = "doPDF 8"

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"DisplayName" = "doPDF 8"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"DisplayVersion" = "8.1.923"
"BundleProviderKey" = "{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}"
"DisplayIcon" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe,0"

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"Version" = "8.1.923.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"ModifyPath" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /modify"
"BundleUpgradeCode" = "{AAA27109-5C52-48DC-8DAD-FBEBB79245D5}"

"QuietUninstallString" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /uninstall /quiet"
"Resume" = "1"
"BundleAddonCode" = "Type: REG_MULTI_SZ, Length: 0"

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"(Default)" = "{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"UninstallString" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /uninstall"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /burn.runonce"

The Worm deletes the following value(s) in system registry:

[HKCR\Installer\Dependencies\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Dependents\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}]
"MinVersion"
"MaxVersion"

The process %original file name%.exe:912 makes changes in the system registry.

The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecision" = "0"
"WpadDecisionTime" = "BA A8 84 7F 6A 46 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecisionTime" = "BA A8 84 7F 6A 46 D0 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDecision" = "0"
"WpadNetworkName" = "Network"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDecisionReason" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE1E4E39-627C-4D52-9D86-A515AB38A003}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ef-0d-5d]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5	File path
251743dfd3fda414570524bac9e55381	c:\ProgramData\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe
a49949aff7282015a15fbfb7bd18ab05	c:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe
251743dfd3fda414570524bac9e55381	c:\Users\All Users\Package Cache\58DA3D74DB353AAD03588CBB5CEA8234166D8B99\dotNetFx40_Full_x86_x64.exe
a49949aff7282015a15fbfb7bd18ab05	c:\Users\All Users\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe
642e2ae9844847f82a472000c9d05a75	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll
4b788007e99e73f701d1f4eb1042418c	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll
7553ac91bee22c474772e7eea9715800	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll
b9bc7ac88171cf0974c9bc7bc03e25d5	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll
a49949aff7282015a15fbfb7bd18ab05	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe
35b62b395968b7754c298fbb410e9821	c:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll
7c136b92983cec25f85336056e45f3e8	c:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll
62876c2fe28b1b5c434b9fad80abe9f9	c:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll
9f0cd8981979154cc2a6393da42731c5	c:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll
7c9ae49b3a400c728a55dd1cacc8ffb2	c:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll
e663b67a66adf9375d1d183ca5fdd23d	c:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll
9547d24ac04b4d0d1dbf84f74f54faf7	c:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll
881adf55d51976ca592033a7adf620b8	c:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll
93f57216fe49e7e2a75844edfccc2e09	c:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll
06cc83e6c677db13757df4242f5679f7	c:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll
c1bf3d63576d619b24837b72986dfad4	c:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll
e4860fc5d4c114d5c0781714f3bf041a	c:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll
278fd7595b580a016705d00be363612f	c:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll
fcfd69ec15a6897a940b0435439bf5fc	c:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll
76d6e9f15d842e6a56ee42c9c5ccabca	c:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll
bacea57a781c43738a3b065103479bb5	c:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll
550c79640eee713c73eb67b0736a92e6	c:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll
86cb58f2b6bc1174d200d0abe5497233	c:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll
7ef74af6ab5760950a1d233c582099f1	c:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll
28813510b82f45868b5bdc67fff9c9fa	c:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll
357a1cbf08a83e657ffae8639ac1212a	c:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll
407cdb7e1c2c862b486cde45f863ae6e	c:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll
58cb55fa4d9e2f62f675720b1269137d	c:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll
7c136b92983cec25f85336056e45f3e8	c:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll
b057315a8c04df29b7e4fd2b257b75f4	c:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll
006f8a615020a4a17f5e63801485df46	c:\e4ee511aec94f6616b59d4b9c3\Setup.exe
84c1daf5f30ff99895ecab3a55354bcf	c:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll
eb881e3dddc84b20bd92abcec444455f	c:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll
8dfbb95989af28058c7431704ce7cd66	c:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe
3f0363b40376047eff6a9b97d633b750	c:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
dotNetFx40_Full_x86_x64.exe:608
%original file name%.exe:2280
%original file name%.exe:912
Delete the original Worm file.
Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI5C54.tmp.html (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HFI61F2.tmp.html (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup_20150212_042118442.html (159496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20150212_042118973.html (1410924 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\eula.rtf (7 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended.mzz (328309 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\SetupResources.dll (512 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Setup.exe (576 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\LocalizedData.xml (92 bytes)
C:\e4ee511aec94f6616b59d4b9c3\sqmapi.dll (1371 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\LocalizedData.xml (865 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate1.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x64.msi (6999 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\Parameterinfo.xml (1912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\LocalizedData.xml (911 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\header.bmp (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DisplayIcon.ico (538 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\LocalizedData.xml (766 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\LocalizedData.xml (321 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x64.msu (37124 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\LocalizedData.xml (263 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Client\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Print.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate6.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\LocalizedData.xml (229 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate5.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUtility.exe (1495 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqNotMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9RAST_x64.msi (824 bytes)
C:\e4ee511aec94f6616b59d4b9c3\DHtmlHeader.html (984 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\LocalizedData.xml (242 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\SetupResources.dll (227 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\UiInfo.xml (622 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\SetupResources.dll (914 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.xsd (30 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1041\eula.rtf (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1028\SetupResources.dll (81 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupUi.dll (2015 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\LocalizedData.xml (90 bytes)
C:\e4ee511aec94f6616b59d4b9c3\RGB9Rast_x86.msi (875 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\LocalizedData.xml (86 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\SysReqMet.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\LocalizedData.xml (744 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\eula.rtf (6 bytes)
C:\e4ee511aec94f6616b59d4b9c3\ParameterInfo.xml (2261 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\stop.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1031\LocalizedData.xml (593 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SplashScreen.bmp (31 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x86.msu (15000 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\SetupResources.dll (15 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\LocalizedData.xml (1042 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\LocalizedData.xml (587 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1055\LocalizedData.xml (535 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2052\eula.rtf (5 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Strings.xml (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\SetupResources.dll (14 bytes)
C:\e4ee511aec94f6616b59d4b9c3\UiInfo.xml (39 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\SetupResources.dll (16 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\warn.ico (10 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\LocalizedData.xml (613 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1044\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate2.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\LocalizedData.xml (1168 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate7.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\SetupResources.dll (122 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1053\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\SetupResources.dll (17 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3082\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1033\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1029\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1040\LocalizedData.xml (1482 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\LocalizedData.xml (301 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\SetupResources.dll (779 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1045\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\LocalizedData.xml (156 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate4.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\2070\eula.rtf (4 bytes)
C:\e4ee511aec94f6616b59d4b9c3\watermark.bmp (531 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x64.msi (14022 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1025\LocalizedData.xml (873 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1037\LocalizedData.xml (219 bytes)
C:\e4ee511aec94f6616b59d4b9c3\SetupEngine.dll (5583 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Setup.ico (57 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Extended\Parameterinfo.xml (1030 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1032\eula.rtf (8 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1036\eula.rtf (3 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1035\SetupResources.dll (644 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.0-KB956250-v6001-x64.msu (38528 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate8.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Save.ico (1 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Graphics\Rotate3.ico (894 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1043\SetupResources.dll (19 bytes)
C:\e4ee511aec94f6616b59d4b9c3\3076\LocalizedData.xml (810 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1049\eula.rtf (891 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core.mzz (1381912 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Core_x86.msi (7866 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt (2445 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1038\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\Windows6.1-KB958488-v6001-x86.msu (15320 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1042\eula.rtf (12 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1030\SetupResources.dll (18 bytes)
C:\e4ee511aec94f6616b59d4b9c3\netfx_Extended_x86.msi (2812 bytes)
C:\e4ee511aec94f6616b59d4b9c3\1046\LocalizedData.xml (480 bytes)
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\state.rsm (930 bytes)
C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe (8657 bytes)
C:\ProgramData\regid.2008-09.org.wixtoolset\regid.2008-09.org.wixtoolset doPDF 8.swidtag (886 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.dll (2546 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1044\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1055\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2052\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.thm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1032\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\SetupBootstrapper.dll (1663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbahost.dll (1733 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1045\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1030\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.dll (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\roro.config (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1043\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1038\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperApplicationData.xml (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1031\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.wxl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1036\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\2070\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1035\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.be\novapdf.exe (148700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\doPDF_8_20150212042030.log (26471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1060\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\License.htm (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1051\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\Netfx4Full.R (6168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1053\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1042\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\mbapreq.png (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\BootstrapperCore.config (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\3082\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\languages\enus.config (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-image.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1041\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1049\mbapreq.wxl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1040\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1029\mbapreq.wxl (891 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1028\mbapreq.wxl (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\logo-text.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\.ba1\1046\mbapreq.wxl (2 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}" = "C:\ProgramData\Package Cache\{c61b55b1-0524-4fc7-a4d2-6896ae2a2edb}\novapdf.exe /burn.runonce"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: S
Product Name: d
Product Version: 8
Legal Copyright: C
Legal Trademarks:
Original Filename: n
Internal Name: setup
File Version: 8
File Description: d
Comments:
Language: English (United States)

Company Name: SProduct Name: dProduct Version: 8 Legal Copyright: CLegal Trademarks: Original Filename: nInternal Name: setupFile Version: 8 File Description: dComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	297741	297984	4.55001	5d26d6a643d19ae02fc6861dbd240657
.rdata	303104	126876	126976	3.54022	8ec8f775f2a3c9e81506399acc167ad0
.data	430080	12960	3584	2.25979	2bde230c16419018f3330ed33e77178f
.wixburn	446464	56	512	0.52525	897e35e997b93373c8f34458609bda8d
.tls	450560	13	512	0.014135	8e3343efa9afc26ac6caf49228cbe049
.rsrc	454656	651556	651776	1.97334	d6f58c17a995faf274e2952bd6b2a07f
.reloc	1110016	16272	16384	4.68287	0e971942c19fd1a124065da269606dff

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.go.microsoft.akadns.net/fwlink/?LinkId=164193
hxxp://a767.dscms.akamai.net/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f	88.221.132.177
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://crl.verisign.com/pca3.crl	23.43.133.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=	23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	88.221.132.175
hxxp://go.microsoft.com/fwlink/?LinkId=164193	134.170.189.4
hxxp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe	80.239.149.72
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0	88.221.132.177
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl	88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=	23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	88.221.132.175

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3eb4084a43bb33e0 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT

If-None-Match: "0af536cf2ce1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

Accept-Ranges: bytes

ETag: "0b2464b1797cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 6408

Date: Thu, 12 Feb 2015 02:23:43 GMT

Connection: keep-alive

MSCF............,...................O.......'#.........D.z .disallowedcert.stl....2..'#CK...8T...g........g.k..".....mlI."d..m...P$"....e.J........z.....\..........9g.9....~.........Q.Q......Q..DL.8.C.PS.K0.!P.0........#.DY.8.....V.....$.C....a.0...........`......;.S.....0#...m... ..`0...?.!vR?.....d....`......_@..}....$...i..OR'..$....K..'Z....o.g..*.Vc.....[nY e./.EJ...B.Y.......Ag......!....9......u..!..1Yy.......r...Ss^@...M.Dtl\....i.k....3...B.Z.:.p.N....*......x,...ah/..].[....GB..T..$A....SY..t.E5R..R...9!....*.*68V....1... ...Q{...".Op@L.2M...1;xd{.C.u?..e.U.=f.nx.........y.G..0.......\L .'.^....$......N=..m...UjrZs...J.I.C....;......q_..e......?.T..2..bw....E.L.{...S...~.<.........-.Q..|.l. .1..6r....[}!J..,...naPk.U.... ..{@LH..W....>.Sq...8.5.,.z..0.jL.S..........]...yW_...Y.1..h.7...9{.....I......g.Y.,1...i8n.6..........4.]...........=........^..n.K7...c.g).Z. .0..$7.ys.p...B.5.].f...|(3!.|..P...j..^..j....#(...@...As..*.O..i..u....9..S.Y.n..HXW...F ..i...:.......!.] r......D..*ld.b.>>:Pp.....5:1 o=..5.'..4.......hO....{.V.rx..V...%.}..u...6Wv-..".iV.b..B0.Q..,...E.Dy...x..5....?Z.$L..1.....4...=.....g!....%..:..c..j..v~....._R.6.......;.#.Y*p..J.4.#'..Vo...g^K...J....._.^..u...)....&/.....q....o......4.....S...,q.....p.8IIe.....d|.3{)...M.0.X...4.."..P.......Hk.... ]!.!... ..#.x..<..X.........'.E(<b[.......#.. ....XiLl|..=.....&P.@H.J.oo...a...x B....l.....@.P......!8..@...q2..;.......mm....>~............j%..>.X.,V...J...C ....*..Z.8- RKGW...0./Z.__..)7g_'{.......pr......;.

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT

If-None-Match: "96bfbfb1d77cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT

Accept-Ranges: bytes

ETag: "88c4768d3f2ad01:0"

Server: Microsoft-IIS/8.5

VTag: 438410416000000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Thu, 12 Feb 2015 02:23:43 GMT

Connection: keep-alive

0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M........z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{.s...@....f.|7z.. ......>..Q...(......._....UM.EN.@.K\]#..Y.*.......T. .C.....A'..5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Qw......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.........

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT

If-None-Match: "a413fc3b169cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT

Accept-Ranges: bytes

ETag: "d2e35dc7e31cd01:0"

Server: Microsoft-IIS/8.5

VTag: 4389615400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Thu, 12 Feb 2015 02:23:43 GMT

Connection: keep-alive

0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......30... .....7......150320224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c.{.m@Q.M.p...g.^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo...._...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.].....uki~......

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT

If-None-Match: "87fbb3811f68cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT

Accept-Ranges: bytes

ETag: "9a9a44d511bd01:0"

Server: Microsoft-IIS/8.0

VTag: 438346843700000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Thu, 12 Feb 2015 02:23:44 GMT

Connection: keep-alive

0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......10... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q>.ln...z..L.......5.5s@d.q.('..e...Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az......@..l..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=411760, public, no-transform, must-revalidate

Last-Modified: Mon, 9 Feb 2015 20:44:25 GMT

Expires: Mon, 16 Feb 2015 20:44:25 GMT

Date: Thu, 12 Feb 2015 02:24:46 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150209204425Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......l$.%t...............20150209204425Z....20150216204425Z0...*.H..............'.^.M......_.(.~....b^:.[&...z.^.W.<'g.[..N..Y.k...i....U.Kc-.:B....]#...l.^..S0K.OV.. ..D/&.E?./...~.z....~.E.YA....c.4...~.t.$..X.s......X@.......sx......... .^.....7.t...*T.=1.3..I...n..m.i9.6l.....!..r..;..8..V...._......t..YE.^9.7...*&_.a......dM.......#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT

If-None-Match: "924558f3e994cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT

Accept-Ranges: bytes

ETag: "75565c7ac03ad01:0"

Server: Microsoft-IIS/8.0

VTag: 279610143200000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Thu, 12 Feb 2015 02:24:14 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Y0... .....7......150427174215Z0...*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp..j....lo....4........T9j...S.7Q.@.W..@.. ...M....z....Q...{u. .W..HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Wed, 28 Jan 2015 06:05:55 GMT..Accept-Ranges: bytes..ETag: "75565c7ac03ad01:0"..Server: Microsoft-IIS/8.0..VTag: 279610143200000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 554..Cache-Control: max-age=900..Date: Thu, 12 Feb 2015 02:24:14 GMT..Connection: keep-alive..0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150127173215Z..150428055215Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Y0... .....7......150427174215Z0...*.H......................YIw.. ..(..y..O.G].B.."?.@...[1.}.X...]...e.J....pP.I....!6...%.D.k...>c.|R.?.i..yt.z..B.........b....n..m5...0....2..I!)v....z....y.#pXz.DO.....mF...e.'e...@.%...6./.bPZ...=....bp..j....lo....4........T9j...S.7Q.@.W..

<<< skipped >>>

HEAD /fwlink/?LinkId=164193 HTTP/1.1

Accept: */*

User-Agent: Burn

Host: go.microsoft.com

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4

HTTP/1.1 302 Found

Cache-Control: private

Content-Length: 236

Content-Type: text/html; charset=utf-8

Expires: Thu, 12 Feb 2015 02:19:38 GMT

Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 12 Feb 2015 02:20:37 GMT

HTTP/1.1 302 Found..Cache-Control: private..Content-Length: 236..Content-Type: text/html; charset=utf-8..Expires: Thu, 12 Feb 2015 02:19:38 GMT..Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Thu, 12 Feb 2015 02:20:37 GMT......

GET /fwlink/?LinkId=164193 HTTP/1.1

Accept: */*

User-Agent: Burn

Host: go.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Expires: Thu, 12 Feb 2015 02:19:39 GMT

Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 12 Feb 2015 02:20:38 GMT

Content-Length: 236

<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=utf-8..Expires: Thu, 12 Feb 2015 02:19:39 GMT..Location: hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Thu, 12 Feb 2015 02:20:38 GMT..Content-Length: 236..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://download.microsoft.com/download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe">here</a>.</h2>..</body></html>....

GET /pca3.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.verisign.com

HTTP/1.1 200 OK

Server: Apache

ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"

Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT

Date: Thu, 12 Feb 2015 02:24:44 GMT

Content-Length: 933

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..141210000000Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H............5..v...V.._)....A... ....>.5]....6.(.0uFW.*:T...6$.....R...Y.N.k........%Jn..I.j*.6.3~...r../=l..?...9..V0..@Tk......fn?....0.A.HTTP/1.1 200 OK..Server: Apache..ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"..Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT..Date: Thu, 12 Feb 2015 02:24:44 GMT..Content-Length: 933..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..141210000000Z..150331235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!.

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?edfce88b3139a87f HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 23 Jan 2015 02:29:11 GMT

Accept-Ranges: bytes

ETag: "803565fb436d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 57591

Date: Thu, 12 Feb 2015 02:24:15 GMT

Connection: keep-alive

MSCF............,...................I.................6Fm. .authroot.stl......8..CK...<T...g.v!M.d..f.%d..}K..5......dM*K..J.,%K"...!..=.k..........{=/....{g.~...............'....6..N....w......(.$.>.7...........'.....`.bx....^..$.'.^.K.C......<b=J..u....@.....2..e....pr.....usXq.d.i.jF$.4.........KI.Q........A2m:..E.P|...(.^p..=G|.....m...... .6...H.e.....X'...%$r.Y.(..)........|...;...V^r.VM.._*X.I. ..4.....*.....Y..`.0w.u...c.i.[..-...x..<.8.<.p..,..y.[v.Yn`......!.s...4e......B...$.,..........w.Pd.)....,..#.%..h...8...`.A...8.i(.!.$/.=.....i.\X.H......"...a...k...y6....F.._?\*.&..3.AJo.!..`....9....=.p.u..u....f.f....w...?..S..I.;.....5._...F.f..G?$......."..kq.y'.6tJ.e%..G.n.....z<.pX"....1..g."........V:.H.-...!}LM..t..-.y.j&...n{..-.]H. .....A.O.Xg..B...#.f.-..V@.g..8.....Ov...ET..*.....T...}o._./S..h@$.....!.@.D....c...A1..#.:?."....1..v.....&G...?O1x6"5.@..$.U...n.J...w.Y.{..........E.N.&...&.rC..W.....M.........,.e.....&eI(/eSO.B..K...R. K...s.@9....Jv.....(..Y./;-..M5.0.H2.y....:...........a.U....%.S.).^....1.B..a..=...q...X .B....F.../..../.Z...'..t....C....,.^...N=..t%N|IC.#.)6...q.E.J.i.E.>....".L........>...Vy.7.jxx......G........._q.1^..H&.4Z......^.E.K 9.Xg...qO.6%>..T....;n..s.'u.-...=.........p..p.Rn.........=.......F........d. d.AR.0U..........9b...=N..#....c.Icz......u.0............Y.q..b.wYE.......R...s..W....r].....hT....k.g..[...s.....X..`=zb.>..../..=........J.N.h...(}.5.7. .;..=F..F...'.?..2...3...=...B..`....{...f.`Kb..@..`Z.0!^8.t..<l.j..lI.P.q.>k

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1697

content-transfer-encoding: binary

Cache-Control: max-age=495772, public, no-transform, must-revalidate

Last-Modified: Tue, 10 Feb 2015 20:04:39 GMT

Expires: Tue, 17 Feb 2015 20:04:39 GMT

Date: Thu, 12 Feb 2015 02:24:44 GMT

Connection: keep-alive

0..........0..... .....0......0...0...A0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder..20150210200439Z0s0q0I0... ........?.@..w.........Y.!......Q...==d6|h.[x....7..`..........cV.!.....20150210200439Z....20150217200439Z0...*.H...............U.#..&1x1.......n...tJ...-..`.-d...X.......\._......[]n\].;....n..}b..Y...b1.q....".2.<.../..:....\..... ..?...Y. .EF.e....Y!T#SLa.......&....I.t..v...Cy'uGK...g......-.........G>}q......1....p...pxP,.l.e^f5..i)xoE....]....t..?.....~..Su......D.,...\........0...0...0..{.........[..I|.....Zm..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA0...140428000000Z..150729235959Z0?1=0;..U...4VeriSign Class 3 Code Signing 2004 CA OCSP Responder0.."0...*.H.............0.........Y....h..@..>.....%.-.....O...' y.........x..Gw.xF.....?..Z..u,.X.&..........3C..H.l.....f..;]s!.\"v...|....].@.....K7m2...N......-S.I......5n...G7. ..W....n..*..-f?EY.......UN...r...........-_.%..,P;b.....)(.P.4...,.%....<..6.....[r^X.EV..S...5#'Y.. .TD...........0...0...U.......0.0...U.%..0... .......0...U...........0... .....0......0f..U. ._0]0[..`.H...E....0L0#.. .........hXXps://d.symcb.com/cps0%.. .......0...hXXps://d.symcb.com/rpa0!..U....0...0.1.0...U....TGV-B-1080...U......"...?....`>q..i1o...0...U.#..0.....Q...==d6|h.[x....70...*.H.............B8@.$..wo......E.....P52"b*@'C\.y.(...n....h.f..7f.....v...pb<...]..|........

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=371792, public, no-transform, must-revalidate

Last-Modified: Mon, 9 Feb 2015 09:39:15 GMT

Expires: Mon, 16 Feb 2015 09:39:15 GMT

Date: Thu, 12 Feb 2015 02:24:43 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150209093915Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150209093915Z....20150216093915Z0...*.H.............~0...hO6...:&.O........D......Bnr.s.PL.....a.......|..]'[>...`......I...P<I.$.T.....s..zF....... R...39...<.. J........~..{.g....W#..............|.r.l..<4.b.....er.kw.3.....P[.........Q.....Z?.Sa.........6.F......8.{E.[......mQ/.@..4......X.1P."O.\....3.S.....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=411638, public, no-transform, must-revalidate

Last-Modified: Mon, 9 Feb 2015 20:44:24 GMT

Expires: Mon, 16 Feb 2015 20:44:24 GMT

Date: Thu, 12 Feb 2015 02:24:43 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150209204424Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150209204424Z....20150216204424Z0...*.H..............2..T.U...=..C.V....Bo9..e..2.....S.'.#../Y].k.....n..1.8J\..PM.xY.P6H.....Q9...]...Z..d...Bl...!..7W.P*..-.a.-...q.f'k.d.Z...o.. D.q.8w.!.:..8...C0.j.%V.#&.d..n..Q.,..kE.s...*....p..7....~..MI.LFE....e../.....\..,Z.clG...v.R....Q....o.w..`...@^...%...K..,...#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H......

<<< skipped >>>

HEAD /download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe HTTP/1.1

Accept: */*

User-Agent: Burn

Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

Host: download.microsoft.com

HTTP/1.1 200 OK

Content-Length: 50449456

Content-Type: application/octet-stream

Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT

Accept-Ranges: bytes

ETag: "2a1457bc5c7ca1:0"

Server: Microsoft-IIS/8.0

Content-Disposition: attachment

Date: Thu, 12 Feb 2015 02:20:39 GMT

Connection: keep-alive

HTTP/1.1 200 OK..Content-Length: 50449456..Content-Type: application/octet-stream..Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT..Accept-Ranges: bytes..ETag: "2a1457bc5c7ca1:0"..Server: Microsoft-IIS/8.0..Content-Disposition: attachment..Date: Thu, 12 Feb 2015 02:20:39 GMT..Connection: keep-alive......

GET /download/B/D/D/BDDEBF99-3085-4B95-9807-F39F8DA6CE5B/VS_COMMON/dotnetfx40_full_x86_x64.exe HTTP/1.1

Accept: */*

User-Agent: Burn

Host: download.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: MC1=GUID=20cc5f0a4bcab1428d26959ee608abae&HASH=0a5f&LV=201311&V=4&LU=1384780351153; A=I&I=AxUFAAAAAACJCgAAyvfr1KdJh6Ap2Hyr3 VUwg!!&V=4

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Accept-Ranges: bytes

Server: Microsoft-IIS/8.5

Content-Disposition: attachment

Last-Modified: Fri, 19 Mar 2010 01:44:38 GMT

ETag: "2a1457bc5c7ca1:0"

Content-Length: 50449456

Date: Thu, 12 Feb 2015 02:20:39 GMT

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}...,...}.......}.......}...//..}.../...}.../...}.......}...}...}..., ..}...,/..}...,...}...,...}...,...}..Rich.}..........................PE..L......J.........."..........^....................@..........................@............@...... ..................@.......D...........................p.......l....................................V..@............................................text............................... ..`.data....7..........................@....boxld01............................@..@.rsrc...............................@..@.reloc...(.......*..................@..B....................................................................................................................................................................................................................................................................................................................................................................................(...@...X...p...|.......................................*...:...N...b...p...............r...X... ...H.......................r...Z...@...(.......................................................................0...F...`...v..................................."...2...H...`...n...................................(...2...>...P...\...l...x.......................................*...>...L...\...p...|............................... ...,.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=518392, public, no-transform, must-revalidate

Last-Modified: Wed, 11 Feb 2015 02:24:43 GMT

Expires: Wed, 18 Feb 2015 02:24:43 GMT

Date: Thu, 12 Feb 2015 02:24:51 GMT

Connection: keep-alive

0..........0..... .....0......0...0........6?s....V....OlL".O..20150211022443Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150211022443Z....20150218022443Z0...*.H.............<..|~!....'s.bW....e4x...VTE.L.....m.v.4-...2:,7.2oY../....~.L......Ty.P<...*kV........0.0...X......<....XWn0=2;~%./..s...bw.............."..uD...b.V.f..v...a...@9.V..H....%.....M.3.<.6...)..g%.Q..B).[..=G_..K.@..g......L"..A.U...p. X.OXh.R.4.... ,N..........#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code S..

Map

The Worm connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2280:

.text

`.rdata

@.data

.wixburn8

@.tls

.rsrc

@.reloc

8.wixu

v%j.Yf;

t%SQW

SSSSh

PSSSSSSh

j.Zf;

j.Yf;

engine.cpp

3.10.1124.0

Failed to create pipes to connect to elevated parent process.

Failed to set elevated pipe into thread local storage for logging.

variable.cpp

Unsupported variable type.

Setting variable failed: ID '%ls', HRESULT 0x%x

Failed to find DllGetVersion entry point in msi.dll.

Failed to get msi.dll version info.

Failed to get windows directory.

Failed to open Windows folder key.

condition.cpp

Failed to parse condition '%ls' at position: %u

Failed to parse condition "%ls". Unexpected '~' operator at position %d.

Failed to parse condition "%ls". Unterminated literal at position %d.

Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.

Failed to parse condition "%ls". Constant too big, at position %d.

Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.

Failed to parse condition "%ls". Invalid version format, at position %d.

Failed to parse condition "%ls". Unexpected character at position %d.

search.cpp

Failed to get Key attribute.

Directory search: %ls, did not find path: %ls, reason: 0x%x

Failed to format key string.

Registry key not found. Key = '%ls'

Failed to open registry key. Key = '%ls'

Registry value not found. Key = '%ls', Value = '%ls'

Failed to query registry key value.

RegistrySearchExists failed: ID '%ls', HRESULT 0x%x

Failed to open registry key.

Failed to query registry key value size.

Unsupported registry key value type. Type = '%u'

RegistrySearchValue failed: ID '%ls', HRESULT 0x%x

Failed to get component path: %d

MsiComponentSearch failed: ID '%ls', HRESULT 0x%x

Unsupported product search type: %u

MsiProductSearch failed: ID '%ls', HRESULT 0x%x

MsiFeatureSearch failed: ID '%ls', HRESULT 0x%x

section.cpp

Failed to read image section header, index: %u

Failed to read complete image section header, index: %u

Failed to read section info, data to short: %u

Failed to read section info, unsupported version: x

Failed to find container info, too few elements: %u

Failed to select approved exe nodes.

Failed to get approved exe node count.

approvedexe.cpp

Failed to allocate memory for approved exe structs.

Failed to get @Key.

Failed to create executable command.

Failed to create obfuscated executable command.

container.cpp

Failed to get @DownloadUrl. Either @SourcePath or @DownloadUrl needs to be provided.

Failed to get path for executing module.

catalog.cpp

payload.cpp

Failed to get @DownloadUrl.

Failed to get @CertificateRootPublicKeyIdentifier.

Failed to hex decode @CertificateRootPublicKeyIdentifier.

Failed to get @CertificateRootThumbprint.

Failed to hex decode @CertificateRootThumbprint.

Failed to get directory portion of local file path

userexperience.cpp

package.cpp

Failed to parse EXE package.

Failed to get @ProviderKey.

Failed to get @ExecutableName.

Failed to get @AboutUrl.

Failed to get @UpdateUrl.

registration.cpp

Failed to overwrite the bundle provider key built-in variable.

Failed to format pending restart registry key to read.

Failed to open registration key.

Failed to create registration key.

Failed to register the bundle dependency key.

Failed to write volatile reboot required registry key.

Failed to delete registration key: %ls

Failed to build uninstall registry key path.

Failed to build cached executable path.

Failed to create run key.

Failed to write run key value.

Failed to delete run key value.

Failed to format the key path for update registration.

Failed to get the formatted key path for update registration.

Failed to create the key for update registration.

Failed to format key for update registration.

Failed to remove update registration key: %ls

Failed to get path for current executing process as layout directory.

Failed to get executing process as layout directory.

Failed to to copy executable name for bundle.

Failed to append execute action.

Failed to add dependent bundle provider key to ignore dependents.

Failed to process passthrough package.

Failed to plan rollback boundary for passthrough package.

plan.cpp

Failed to plan execute package.

Failed to append execute checkpoint.

Unexpected relation type encountered during plan: %d

Failed to add the package provider key "%ls" to the planned list.

Failed to check the dictionary for a related bundle provider key: "%ls".

Failed to remove unnecessary execute actions.

Failed to finalize slipstream execute actions.

Failed to append execute checkpoint for cache rollback.

Failed to grow plan's array of execute actions.

Failed to insert keep registration execute action.

Failed to insert remove registration execute action.

Failed to copy dependent provider key to registration action.

Failed to copy dependent provider key to rollback registration action.

Failed to get path for executing module as attached container working path.

logging.cpp

Failed to write send message to pipe.

Failed to pump messages during send message to pipe.

pipe.cpp

No status returned to PipePumpMessages()

Failed to read returned result to PipePumpMessages()

Failed to read returned restart to PipePumpMessages()

Failed to process message: %u

Failed to get message over pipe

Failed to create pipe guid.

Failed to convert pipe guid into string.

Failed to allocate pipe name.

Failed to allocate pipe secret.

Failed to create the security descriptor for the connection event and pipe.

Failed to allocate full name of pipe: %ls

Failed to create pipe: %ls

Failed to allocate full name of cache pipe: %ls

Failed to set pipe to non-blocking.

Failed to wait for child to connect to pipe.

Failed to reset pipe to blocking.

Failed to write secret length to pipe.

Failed to write secret to pipe.

Failed to write our process id to pipe.

Failed to read ACK from pipe.

Failed to allocate name of parent pipe.

Failed to open parent pipe: %ls

Failed to verify parent pipe: %ls

Failed to allocate name of parent cache pipe.

Failed to open companion process with PID: %u

Failed to write message type to pipe.

Failed to read message from pipe.

Failed to read size of verification secret from parent pipe.

Failed to read verification secret from parent pipe.

Failed to read verification process id from parent pipe.

core.cpp

Failed to execute searches.

Failed to detect provider key bundle id.

Failed to report detected related bundles.

Package type not supported by detect yet.

Failed to plan passthrough.

Another per-user setup is already executing.

Another per-machine setup is already executing.

Failed while caching, aborting execution.

Engine cannot start LaunchApprovedExe because it is busy with another action.

UX aborted LaunchApprovedExe begin.

Failed to format passthrough for command-line.

Failed to append passthrough to command-line.

cache.cpp

Failed to get provider state from authenticode certificate.

Failed to get signer chain from authenticode certificate.

Failed to verify expected payload against actual certificate chain.

Failed to seek to checksum in exe header.

Failed to seek to signature table in exe header.

Failed to seek to original data in exe burn section header.

Failed to get certificate public key identifier.

Failed to read certificate thumbprint.

Failed to find expected public key in certificate chain.

elevation.cpp

Failed to create pipe name and client token.

Failed to create pipe and cache pipe.

Failed to write registration operations to message buffer.

Failed to write dependent provider key to message buffer.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_EXE_PACKAGE message to per-machine process.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSI_PACKAGE message to per-machine process.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSP_PACKAGE message to per-machine process.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_MSU_PACKAGE message to per-machine process.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_PROVIDER message to per-machine process.

Failed to write bundle dependency key to message buffer.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_EXECUTE_PACKAGE_DEPENDENCY message to per-machine process.

Failed to write approved exe id to message buffer.

Failed to write approved exe arguments to message buffer.

Failed to write approved exe WaitForInputIdle timeout to message buffer.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE message to per-machine process.

Failed to set elevated cache pipe into thread local storage for logging.

Failed to read file name: %u

Failed to read MSI data: %u

Failed to read approved exe process id.

Invalid launch approved exe message.

Unexpected elevated message sent to child process, msg: %u

Unexpected elevated cache message sent to child process, msg: %u

Failed to read registration operations.

Invalid data passed to cache or layout payload.

Failed to read dependent provider key.

Failed to execute dependent registration action for provider key: %ls

Failed to read exe package.

Failed to execute EXE package.

Failed to execute MSI package.

Failed to execute MSP package.

Failed to execute MSU package.

Failed to execute package provider action.

Failed to read bundle dependency key from message buffer.

Failed to execute package dependency action.

Invalid message type: %d

Failed to read approved exe id.

Failed to read approved exe arguments.

Failed to read approved exe WaitForInputIdle timeout.

The per-user process requested unknown approved exe with id: %ls

Failed to open the registry key for the approved exe path.

Failed to read the value for the approved exe path.

Failed to verify the executable path is in a secure location: %ls

The executable path is not in a secure location: %ls

Failed to launch approved exe: %ls

Failed to write the approved exe process id to message buffer.

Failed to send BURN_ELEVATION_MESSAGE_TYPE_LAUNCH_APPROVED_EXE_PROCESSID message to per-user process.

splashscreen.cpp

uithread.cpp

EngineForApplication.cpp

Failed to send embedded message over pipe.

Failed to send embedded progress message over pipe.

UX denied while trying to set download URL on embedded payload: %ls

Failed to set download URL.

Failed to set download password.

UX requested unknown approved exe with id: %ls

Failed to post launch approved exe message.

The string is too big: size %u

.cab

cabextract.cpp

Failed to create begin operation event.

Failed to create operation complete event.

Failed to wait for operation complete.

Failed to begin and wait for operation.

Failed to set begin operation event.

Failed to reset operation complete event.

Failed to wait for operation complete event.

Failed to initialize cabinet.dll.

Failed to extract all files from container, erf: %d:%X:%d

Failed to set operation complete event.

Failed to wait for begin operation event.

Failed to reset begin operation event.

Invalid operation for this state.

Failed to move file pointer 0x%x bytes.

exeengine.cpp

Failed to evaluate executable package detect condition.

Invalid package current state: %d.

Failed to insert execute action.

Failed to build executable path.

Failed to get action arguments for executable package.

Bootstrapper application aborted during EXE progress.

Failed to wait for executable to complete: %ls

Process returned error: 0x%x

msiengine.cpp

Failed to calculate execute feature state.

Invalid package current state result encountered during plan: %d

Failed to detect compatible package from provider key.

Failed to copy the compatible provider key.

mspengine.cpp

msuengine.cpp

Failed to find Windows directory.

Failed to allocate WUSA.exe path.

dependency.cpp

Failed to get the Key attribute.

Failed to get the Imported attribute.

Failed to get provider key bundle id.

Failed to initialize provider key bundle id.

Failed to add the bundle provider key to the list of dependencies to ignore.

Failed to join the list of dependencies to ignore.

Failed to insert provider execute action.

Failed to append provider execute action.

Unrecognized registration action type: %d

Failed to append the key "%ls".

Failed to add the bundle provider key "%ls" to the list of ignored dependencies.

Failed to add the package provider key "%ls" to the list of ignored dependencies.

Failed to get the provider key package id.

Failed to copy the provider key.

Failed to open uninstall registry key.

Failed to enumerate uninstall key for related bundles.

Failed to open uninstall key for potential related bundle: %ls

relatedbundle.cpp

Failed to read provider key from registry for bundle: %ls

detect.cpp

Unexpected relation type encountered: %d

Failed to copy update url.

Failed attempt to download update feed from URL: '%ls' to: '%ls'

apply.cpp

BA aborted execute begin.

Failed to execute dependent registration action.

Failed attempt to download URL: '%ls' to: '%ls'

Failed to execute package provider registration action.

Failed to execute dependency action.

Failed to execute compatible package action.

Invalid execute action.

Invalid rollback action: %d.

UX aborted execute EXE package begin.

UX aborted EXE progress.

Failed to configure per-machine EXE package.

Failed to configure per-user EXE package.

UX aborted EXE package execute progress.

UX aborted execute MSI package begin.

UX aborted MSI package execute progress.

UX aborted execute MSP package begin.

BA aborted execute MSP target.

UX aborted MSP package execute progress.

UX aborted execute MSU package begin.

UX aborted MSU package execute progress.

Failed to parse approved exes.

pseudobundle.cpp

Failed to copy key for pseudo bundle payload.

Failed to copy key for pseudo bundle.

Failed to allocate space for burn package payload inside of passthrough bundle.

Failed to copy key for passthrough pseudo bundle payload.

Failed to copy filename for passthrough pseudo bundle.

Failed to copy local source path for passthrough pseudo bundle.

Failed to copy download source for passthrough pseudo bundle.

Failed to copy key for passthrough pseudo bundle.

Failed to copy cache id for passthrough pseudo bundle.

Failed to copy install arguments for passthrough bundle package

Failed to copy related arguments for passthrough bundle package

Failed to copy uninstall arguments for passthrough bundle package

Failed to create embedded pipe name and client token.

Failed to create embedded pipe.

embedded.cpp

Failed to wait for embedded process to connect to pipe.

Failed to wait for embedded executable: %ls

Unexpected embedded message sent to child process, msg: %u

NetFxChainer.cpp

k"bitsengine.cpp

Invalid BITS engine URL: %ls

Failed to copy download URL.

operator

operator ""

GetProcessWindowStation

%S#[k

buffutil.cpp

cryputil.cpp

logutil.cpp

Error 0x%x: %ls

Executable: %ls v%d.%d.%d.%d

memutil.cpp

pathutil.cpp

procutil.cpp

RegDeleteKeyExW

regutil.cpp

srputil.cpp

strutil.cpp

wiutil.cpp

xmlutil.cpp

kernel32.dll

shelutil.cpp

Kwuautil.cpp

fileutil.cpp

dirutil.cpp

dictutil.cpp

aclutil.cpp

certutil.cpp

svcutil.cpp

dlutil.cpp

Failed to send request to URL: %ls, trying to process HTTP status code anyway.

Unknown HTTP status code %d, returned from URL: %ls

atomutil.cpp

apuputil.cpp

timeutil.cpp

inetutil.cpp

uriutil.cpp

deputil.cpp

C:\src\wix39\build\ship\x86\burn.pdb

RegCloseKey

ADVAPI32.dll

MsgWaitForMultipleObjects

USER32.dll

OLEAUT32.dll

GDI32.dll

SHELL32.dll

ole32.dll

GetWindowsDirectoryW

ConnectNamedPipe

SetNamedPipeHandleState

CreateNamedPipeW

SetThreadExecutionState

KERNEL32.dll

Cabinet.dll

CryptHashPublicKeyInfo

CRYPT32.dll

msi.dll

RPCRT4.dll

WININET.dll

WINTRUST.dll

RegOpenKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegEnumKeyExW

RegQueryInfoKeyW

ShellExecuteExW

VERSION.dll

GetCPInfo

GetProcessHeap

CertGetCertificateContextProperty

SHLWAPI.dll

HttpOpenRequestW

HttpAddRequestHeadersW

HttpSendRequestW

HttpQueryInfoW

InternetCrackUrlW

Burn v%1!hs!, Windows v%2!d!.%3!d! (Build %4!d!: Service Pack %5!d!), path: %6!ls!, cmdline: '%7!ls!'

Detected related bundle: %1!ls!, type: %2!hs!, scope: %3!hs!, version: %4!hs!, operation: %5!hs!

Detected related package: %1!ls!, scope: %2!hs!, version: %3!hs!, language: %4!u! operation: %5!hs!

Planned package: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, cache: %7!hs!, uncache: %8!hs!, dependency: %9!hs!

Planned feature: %1!ls!, state: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute action: %5!hs!, rollback action: %6!hs!

Planned related bundle: %1!ls!, type: %2!hs!, default requested: %3!hs!, ba requested: %4!hs!, execute: %5!hs!, rollback: %6!hs!, dependency: %7!hs!

Planned upgrade bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!

Planned forward compatible bundle: %1!ls!, default requested: %2!hs!, ba requested: %3!hs!, execute: %4!hs!, rollback: %5!hs!, dependency: %6!hs!

Plan skipped related bundle: %1!ls!, type: %2!hs!, provider key: %3!ls!, because an embedded bundle with the same provider key is being installed.

Plan skipped dependent bundle repair: %1!ls!, type: %2!hs!, because no packages are being executed during this uninstall operation.

Session begin, registration key: %1!ls!, options: 0x%2!x!, disable resume: %3!hs!

Updating session, registration key: %1!ls!, resume: %2!hs!, restart initiated: %3!hs!, disable resume: %4!hs!

Session end, registration key: %1!ls!, resume: %2!hs!, restart: %3!hs!, disable resume: %4!hs!

LaunchApprovedExe begin, id: %1!ls!

Searching registry for approved exe path, key: %1!ls!, value: '%2!ls!', win64: %3!ls!

Launching approved exe, path: '%1!ls!', 'command: %2!ls!'

LaunchApprovedExe complete, result: 0x%1!x!, processId: %2!lu!

Plan skipped removal of provider key: %1!ls! because it is registered to a different bundle: %2!ls!

Application canceled operation: %2!ls!, error: %1!ls!

WiX Toolset BootstrapperPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

95:?:{:);5;&

:):3:6

7.84888

>.?4?8?@?

1"131?1[1{1

7(838>8^8

> ???[?~?

3U5C5O5Y5_5e5

= =$=(=,=

5 5$5(5,5

: :$:(:,:0:

WixBundleExecutePackageCacheFolder

WixBundleProviderKey

NTSuiteWebServer

WindowsFolder

WindowsVolume

[\%c]

.[%d]

.WiX Burn

SOFTWARE\Microsoft\Windows\CurrentVersion

.ComponentId

.keyPath

.language

ApprovedExeForElevation

.ValueName

"%ls" %s

.Attached

DownloadUrl

.FileSize

CertificateRootPublicKeyIdentifier

CertificateRootThumbprint

.ba%d

Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage

.Size

.PerMachine

.RollbackLogPathVariable

.InstallCondition

.PatchTargetCode

.Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

BundleProviderKey

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

%ls.RebootRequired

URLInfoAbout

URLUpdateInfo

ParentKeyName

burn.runonce

ProviderKey

.ExecutableName

AboutUrl

UpdateUrl

.DisableModify

.Filename

8%s\%s

.%s\state.rsm

.RelatedBundle

%ls%hs%ls_u_%ls%ls.%ls

uSOFTWARE\Policies\Microsoft\Windows\Installer

\\.\pipe\%ls

\\.\pipe\%ls.Cache

burn.elevated

burn.unelevated

BurnPipe.%s

s-%ls %ls %ls %u %ls

-q -%ls %ls %ls %u

.open

burn.embedded

burn.log.append

burn.related.detect

burn.related.upgrade

burn.related.addon

burn.related.patch

burn.related.update

burn.passthrough

burn.disable.unelevate

burn.ignoredependencies

burn.ancestors

/passive

passive

.unverified

.PackageCache

.WixBurnMessageWindow

.update\%ls

.InstallArguments

.Repairable

.MsiProperty

.RollbackValue

%s$="%s"

ADDLOCAL="%s"

ADDSOURCE="%s"

ADDDEFAULT="%s"

. REINSTALL="%s"

ADVERTISE="%s"

REMOVE="%s"

wusa.exe

.wuauserv

Imported

.Chain

.%ls -%ls %ls %ls %u

.%ls /pipe %ls

- Attempt to initialize the CRT more than once.

mscoree.dll

f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_downlevel.cpp

user32.dll

desktopcrt140

f:\dd\vctools\crt\core_crt\src\appcrt\internal\winapi_nonmsdk.cpp

__acrt_post_initialize_nonmsdk_dependencies

portuguese-brazilian

AdvApi32.dll

Crypt32.dll

s0xx

%ls[X:X][hu-hu-huThu:hu:hu]%hsd:%ls %ls%ls

\\?\UNC

%ls_uuuuuu%ls%ls%ls

srclient.dll

pMsi.dll

Msxml2.DOMDocument

MSXML.DOMDocument

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

pMicrosoft.Update.AutoUpdate

PendingFileRenameOperations

%u.%u.%u.%u

hXXp://appsyndication.org/2006/appsyn

hu-hu-huThu:hu:hu%cu:u

c:\%original file name%.exe

8.1.923

novapdf.exe

%original file name%.exe_912: