Trojan.Generic.19290791_12e4023491 – Adaware

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.19290791 (B) (Emsisoft), Trojan.Generic.19290791 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 12e4023491001cc40a48838e974e5a75

SHA1: 4f973d51d7bcba9e7b3e9f827c05b9ebae9a9864

SHA256: 454a539933e0b46c098f36c98d6166a44c8704fdf6b2fa7c0c0a3c08df1e9d6a

SSDeep: 196608:7TsqXUc185OiGtjT9erfsa5tcuFNWfPil:fsqEcaOztn/otcuFYn0

Size: 6418432 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-10-12 17:13:25

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:2880
GoogleUpdate.exe:3900
%original file name%.exe:2268
54.0.2840.71_54.0.2840.59_chrome_updater.exe:268
setup.exe:2620
setup.exe:1276
setup.exe:1904
regsvr32.exe:2332
regsvr32.exe:2472
regsvr32.exe:2336
regsvr32.exe:2456
regsvr32.exe:2424
regsvr32.exe:2304
regsvr32.exe:2436
regsvr32.exe:2412
regsvr32.exe:2400
regsvr32.exe:2416
regsvr32.exe:2372

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process GoogleUpdate.exe:3900 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16158 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16304 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{7450580E-9D4A-43A0-ACBD-336C9A6D6735}-54.0.2840.71_54.0.2840.59_chrome_updater.exe (0 bytes)

The process %original file name%.exe:2268 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (9053 bytes)

The process 54.0.2840.71_54.0.2840.59_chrome_updater.exe:268 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\CR_869F3.tmp\setup.exe (49 bytes)
C:\Windows\Temp\CR_869F3.tmp\SETUP_PATCH.PACKED.7Z (3 bytes)
C:\Windows\Temp\CR_869F3.tmp\CHROME_PATCH.PACKED.7Z (2 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\CR_869F3.tmp\setup.exe (0 bytes)
C:\Windows\Temp\CR_869F3.tmp (0 bytes)
C:\Windows\Temp\CR_869F3.tmp\CHROME_PATCH.PACKED.7Z (0 bytes)

The process setup.exe:2620 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\Crashpad\settings.dat (84 bytes)

The process setup.exe:1276 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_100_percent.pak (1160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hr.pak (618 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ta.pak (1539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogocanary.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\th.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.VisualElementsManifest.xml (411 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\gmail.crx (48 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\youtube.crx (47 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\el.pak (1169 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es-419.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\tr.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hi.pak (1333 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ru.pak (1029 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\da.pak (596 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\cs.pak (662 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.exe (1846 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ko.pak (659 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\de.pak (570 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\id.pak (586 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pl.pak (652 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome.dll (41963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\54.0.2840.71.manifest (254 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sv.pak (597 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\manifest.json (954 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome.7z (279369 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es.pak (660 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ms.pak (504 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\wow_helper.exe (160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nb.pak (588 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576 (4 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-GB.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_child.dll (53736 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ro.pak (666 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\it.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hu.pak (692 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-PT.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nl.pak (629 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\vi.pak (741 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\natives_blob.bin (702 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fil.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\uk.pak (1023 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sr.pak (995 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\te.pak (1438 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-BR.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\icudtl.dat (59 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome_patch.diff (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin (4 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fake-bidi.pak (808 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ar.pak (891 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lt.pak (661 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\8DCD.tmp (14 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\d3dcompiler_47.dll (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ml.pak (1669 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ca.pak (653 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bg.pak (1077 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\gu.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ja.pak (777 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sl.pak (613 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\kn.pak (1488 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-TW.pak (538 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl64.exe (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libegl.dll (187 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fi.pak (612 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\resources.pak (2572 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sk.pak (684 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_200_percent.pak (1742 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bn.pak (1383 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fr.pak (700 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\mr.pak (1317 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fa.pak (930 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\am.pak (905 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogo.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (441 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\docs.crx (12 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sw.pak (555 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logo.png (37 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\snapshot_blob.bin (1375 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_watcher.dll (963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\external_extensions.json (5 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\et.pak (576 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logocanary.png (46 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-CN.pak (537 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libglesv2.dll (50 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_elf.dll (758 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Extensions\external_extensions.json (103 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\he.pak (760 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_32.nexe (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\drive.crx (53 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-US.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lv.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_64.nexe (53 bytes)
%Program Files%\Google\Chrome\Temp (4 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (21970 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\chrome.7z (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_16561 (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576 (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_11993\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome_patch.diff (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin (0 bytes)
%Program Files%\Google\Chrome\Temp (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_16561\chrome.VisualElementsManifest.xml (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1276_11993 (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\wow_helper.exe (0 bytes)

The process setup.exe:1904 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\CR_869F3.tmp\setup.exe (1 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
C:\Windows\Temp\scoped_dir1904_31361\setup_patch.diff (6 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\scoped_dir1904_31361\setup_patch.diff (0 bytes)
C:\Windows\Temp\scoped_dir1904_31361 (0 bytes)

The process regsvr32.exe:2332 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2336 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2456 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2424 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2304 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2436 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2412 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2400 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2416 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

The process regsvr32.exe:2372 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Data\dm.dll (823 bytes)

Registry activity

The process GoogleUpdate.exe:2880 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
"fveui.dll,-843" = "BitLocker Drive Encryption"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3900 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "7"
"InstallProgressPercent" = "4294967295"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
"PersistedPingTime" = "131221104743348753"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.71"
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateTime" = "1477636900"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
"PersistedPingString" = "
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1477636900"
"LastInstallerError" = "0"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerResult" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"DownloadProgressPercent" = "0"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerError" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResult" = "0"?xml>

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResultUIString"
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResult"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerExtraCode1"
"InstallerError"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerError"
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerSuccessLaunchCmdLine"
"LastInstallerSuccessLaunchCmdLine"
"InstallerResult"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerError"
"iid"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"

The process 54.0.2840.71_54.0.2840.59_chrome_updater.exe:268 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome-full"

The process setup.exe:1276 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Publisher" = "Google Inc."

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerError" = "2"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Name" = "Google Chrome"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"IsInstalled" = "1"
"Localized Name" = "Google Chrome"
"Version" = "43,0,0,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoModify" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayIcon" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "-statsdef_1-multi-chrome-full"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"InstallLocation" = "%Program Files%\Google\Chrome\Application"
"VersionMinor" = "71"
"VersionMajor" = "2840"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UninstallArguments" = " --uninstall --multi-install --system-level"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Version" = "54.0.2840.71"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"(Default)" = "Google Chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe --uninstall --multi-install --chrome --system-level"

[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"Name" = "Google Chrome binaries"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerError" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoRepair" = "1"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"CommandLine" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe --on-os-upgrade --multi-install --chrome --system-level --verbose-logging"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerProgress" = "21"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"StubPath" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level --multi-install --chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayName" = "Google Chrome"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.71"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayVersion" = "54.0.2840.71"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallArguments" = " --uninstall --multi-install --chrome --system-level"
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe"

[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.71"

The process setup.exe:1904 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerProgress" = "10"

The process regsvr32.exe:2332 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"

[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"

[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2472 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2336 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2456 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2424 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2304 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2436 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2412 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2400 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2416 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]

The process regsvr32.exe:2372 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"(Default)" = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}"

[HKCR\dm.dmsoft\CLSID]
"(Default)" = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR]
"(Default)" = "c:\Data\"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}]
"(Default)" = "dm.dmsoft"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\dm.dmsoft]
"(Default)" = "dm.dmsoft"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}]
"(Default)" = "Idmsoft"

[HKCR\dm.dmsoft\CurVer]
"(Default)" = "dm.dmsoft"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32]
"(Default)" = "c:\Data\dm.dll"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32]
"(Default)" = "c:\Data\dm.dll"

[HKCR\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0]
"(Default)" = "Dm"

[HKCR\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID]
"(Default)" = "dm.dmsoft"

[HKCR\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib]
"Version" = "1.0"

Dropped PE files

MD5	File path
c578b6820bda5689940560147c6e5ffc	c:\Data\dm.dll
503a8048c5558c4bedb95f5d408280e7	c:\Program Files\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe
503a8048c5558c4bedb95f5d408280e7	c:\Program Files\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe
6f4c70c96fedc4e0a79c49d75fb31819	c:\Program Files\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll
01d6c4d58f79447c38992c6615548cff	c:\Program Files\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll
00c36ae47c7e16937834705dda03ef7e	c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome.dll
6848d69d5550119ed5e5df9b334b6537	c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_child.dll
c4b3022907fb6c0748df860dde1e9ee9	c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_elf.dll
3d341f7ee28b0bdf8b8cdca3b0ed97c0	c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_watcher.dll
02e034cd47aa9a633f6aaef348dbbba0	c:\Program Files\Google\Chrome\Application\54.0.2840.71\d3dcompiler_47.dll
98a53cfa1945b99656db4332d89c9328	c:\Program Files\Google\Chrome\Application\54.0.2840.71\libegl.dll
d1df316e69e13e0911ed19c80e8500c8	c:\Program Files\Google\Chrome\Application\54.0.2840.71\libglesv2.dll
a99fb676e5eb1393bb241fde05843127	c:\Program Files\Google\Chrome\Application\54.0.2840.71\nacl64.exe
ab3d3d17ad0174384c0088d397388558	c:\Program Files\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe
ab3d3d17ad0174384c0088d397388558	c:\Program Files\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe
503a8048c5558c4bedb95f5d408280e7	c:\Windows\Temp\CR_869F3.tmp\setup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:2880
GoogleUpdate.exe:3900
%original file name%.exe:2268
54.0.2840.71_54.0.2840.59_chrome_updater.exe:268
setup.exe:2620
setup.exe:1276
setup.exe:1904
regsvr32.exe:2332
regsvr32.exe:2472
regsvr32.exe:2336
regsvr32.exe:2456
regsvr32.exe:2424
regsvr32.exe:2304
regsvr32.exe:2436
regsvr32.exe:2412
regsvr32.exe:2400
regsvr32.exe:2416
regsvr32.exe:2372
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16158 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16304 bytes)
C:\Data\dm.dll (9053 bytes)
C:\Windows\Temp\CR_869F3.tmp\setup.exe (49 bytes)
C:\Windows\Temp\CR_869F3.tmp\SETUP_PATCH.PACKED.7Z (3 bytes)
C:\Windows\Temp\CR_869F3.tmp\CHROME_PATCH.PACKED.7Z (2 bytes)
C:\Windows\Temp\Crashpad\settings.dat (84 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_100_percent.pak (1160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hr.pak (618 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ta.pak (1539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogocanary.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\th.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.VisualElementsManifest.xml (411 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\gmail.crx (48 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\youtube.crx (47 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\el.pak (1169 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es-419.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\tr.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hi.pak (1333 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ru.pak (1029 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\da.pak (596 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\cs.pak (662 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\chrome.exe (1846 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ko.pak (659 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\de.pak (570 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\id.pak (586 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pl.pak (652 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome.dll (41963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\54.0.2840.71.manifest (254 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sv.pak (597 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\manifest.json (954 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome.7z (279369 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\es.pak (660 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ms.pak (504 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\wow_helper.exe (160 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nb.pak (588 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-GB.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_child.dll (53736 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ro.pak (666 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\it.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\hu.pak (692 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-PT.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\nl.pak (629 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\vi.pak (741 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\natives_blob.bin (702 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fil.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\uk.pak (1023 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sr.pak (995 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\te.pak (1438 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\pt-BR.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\icudtl.dat (59 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\chrome_patch.diff (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fake-bidi.pak (808 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ar.pak (891 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lt.pak (661 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\8DCD.tmp (14 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\d3dcompiler_47.dll (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ml.pak (1669 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ca.pak (653 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bg.pak (1077 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\gu.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\ja.pak (777 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sl.pak (613 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\kn.pak (1488 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-TW.pak (538 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl64.exe (54 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libegl.dll (187 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fi.pak (612 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\resources.pak (2572 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sk.pak (684 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_200_percent.pak (1742 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\bn.pak (1383 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fr.pak (700 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\mr.pak (1317 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\fa.pak (930 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\am.pak (905 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\smalllogo.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (441 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\docs.crx (12 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\sw.pak (555 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logo.png (37 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\snapshot_blob.bin (1375 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_watcher.dll (963 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\external_extensions.json (5 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\et.pak (576 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\VisualElements\logocanary.png (46 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\zh-CN.pak (537 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\libglesv2.dll (50 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\chrome_elf.dll (758 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Extensions\external_extensions.json (103 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\he.pak (760 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_32.nexe (52 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\default_apps\drive.crx (53 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\en-US.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\Locales\lv.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1276_23576\Chrome-bin\54.0.2840.71\nacl_irt_x86_64.nexe (53 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (21970 bytes)
C:\Windows\Temp\scoped_dir1904_31361\setup_patch.diff (6 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1089674	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	1097728	5081452	0	0	d41d8cd98f00b204e9800998ecf8427e
.data	6180864	464330	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp0	6647808	2231493	0	0	d41d8cd98f00b204e9800998ecf8427e
.vmp1	8880128	6405936	6406144	5.54417	d62ea37305934ff2d63a28fd97608e15
.rsrc	15286272	5744	8192	2.96243	f49c050333f381c65fff839236013a8f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://redirector.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe
hxxp://r2.sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1
hxxp://r2---sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1
comroute.baibaoyun.com	120.27.136.132

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

HEAD /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 2377080

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Connection: keep-alive

HTTP/1.1 200 OK..Accept-Ranges: bytes..Content-Length: 2377080..Content-Type: application/octet-stream..Etag: "1013e5"..Server: downloads..Vary: *..X-Content-Type-Options: nosniff..X-Frame-Options: SAMEORIGIN..X-Xss-Protection: 1; mode=block..Date: Thu, 27 Oct 2016 07:27:47 GMT..Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"..Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT..Connection: keep-alive......

GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=0-8695

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 8696

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 0-8695/2377080

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v....}..v...v...v... ...v... ...v... m..v...v...v... ...v..Rich.v..........PE..L......X.........."......(....#.....X .......@....@..........................0$.......$...@..................................P..P....`..@.#...........#.xS... $.........8............................................P...............................text....'.......(.................. ..`.data........@......................@....idata..t....P.......,..............@..@.rsrc...@.#..`....#..4..............@..@.reloc....... $.......#.............@..B............................................................................................................................................................................................................................................................................................................................................................................ ... .-.-...=.".....". .-.-....."...D.:.P.A.I.(.A.;.;.F.A.;.;.;.B.A.).(.A.;.O.I.I.O.C.I.;.G.A.;.;.;.B.A.).(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.O.I.I.O.C.I.;.G.A.;.;.;.S.Y.).(.A.;.O.I.I.O.C.I.;.G.A.;.;.;.C.O.).(.A.;.;.F.A.;.;.;.....).....t.m.p.....\...\.*...*.....*...*.....@...@.c.h.r.o.m.e._.......{.8.B.A.9.8.6.D.A.-.5.1.0.0.-.4.0.5.E.-.A.A.3.5.-.8.6.F.3.4.A.0.2.A.C.B.F.}.....{.8.A.6.9.D.3.4.5.-.D.5.6.4.-.4.6.3.c.-.A.F.F.1.-.A.6.9.D.9.E.5.3.0.F.9.6.}.....{.4.e.a.1.6.a.c.7.-.f.d.5.a.-.4.7.c.3.-.8.7.5.b.-.d.b.f.

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=8696-23281

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 14586

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 8696-23281/2377080

Connection: keep-alive

j..u..}...XP@...u'.E.P.u...dP@...t..u...PP@..E..M....x.....TP@..M...k....A..._..].U....,...SVW.u.3.f.E.f.........P@..}....$.@............~OSVP.o........t,.u.......VP..........t.S......VP..........u7.E..`....i..._^[..].VP.E.WP......M......t..E....M..H...h..@.......VP.0........t.h..@.......VP..........t.h..@.......VP............z....u.......VP............_...S......VP............F..... .......h..@.......VP................hp.@.......VP................h..@.......VP.i...............w ......VP.N..............S......VP.5....................PW.Z.........Pj..u..k....E.........U.........e..3.f.E.f.......E.P.u......YY..tuSW...........SP...@..M.W.......t....uM...u.3.f......V.4.@.......VP.....YY..u%V......SP.z........t.......PW.M..o...^_[.M........].U....\...SV.u.3..u........Y..u.........E..].P.0...Y..t}W3..,...h(.@.f.E.f............WP..........tE.u.......WP..........t.h..@.......WP..........t.SVj.......P...........u...xP@..._^[..].U..Q3.j..E..E.Ph..@.h..@.h..............t.f.}.0u.2.......].U....P...SV.u.3.WVf.E......f............SP............3...h..@.......SP.................}..E....P@.Ph{ @.h..@..u..u..u..}..u.....u...TP@..M...p....A........h....W.P...YY..u..E...p........h....3.V.}..,...YY........3.f......f......f......f............h....P.u..E.P...........@..E.....<.........P......h....P.)..............h..@.......h....P................h<.@.......h....P................h..@.......h....P................V......h....P................h..@.......h....P..........tvh`.@.......h....P.k........tYh..@.......h....P.N........t&lt

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=23282-38116

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 14835

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 23282-38116/2377080

Connection: keep-alive

.........d6..T..b..Irmi...{.....3...Rr).%..6^@..PW.c..-":(...sF...:.y[...B.....g...~a.W.t...?2......C.....:..d..7...qV^._..r-M....b..Y......W...m...r?..k[nw.S.....L.....#R..._.t....?....Vj..f.......o].&=U...\s.T5|.y..<...!..E/,.r2.?.w.u.[..'........K3.R......Sp...A.I.r..i.......12.$....>..dA.|`...7...;||.V.knAOk'f&..... .W..V..7...`1fFS9~<......Q>]8Wy.*..)...p/>:.X.G.].J........~..nUE=..uwI}..\.......DtG.<..#8.5M.O.$.1.N.....}..U...]...4.u.y..O0..L...nD...#. .8..Y..&mx.'..U..L..d..$$h..V.r.p..4.GZ......^..[.vF....^[B..Q2.8V...h...K...w........v5..Q=R..J....Y.g..jE|........d..-8........J.d.AN.\r...'..y$.Yf.H&.....=..afy^eC..t.1.Q.S._."Q10.w.$_.l..%O..m..... .t.Oc"W.W...~}...j ...R.2..]Jm....fa.f...F/..vP.......-Y..E09.5.i."..v?9....V5..3...7.w.K_....4..PG.......l..U..9..JM. .n.....L..KY..H.?.&....S....<H.aD..5...l....r.Dj.....g.......=..c.d.b..dO.$vO*Q'"..>.R...nO.>/Wx.!.....TJ_.yk...x&I....... kd......0.xi...>9........\UN.{.Q..Hh......f.E..|....e......v...2@.....T.k.1R..{.l^...W...6...B8....MR..S.(..H|..... ej.S3....).\...M..."$..y^.........I.r... D..2.....R..Va.G{p..)..u#7d$..(8.....Z..4.lJ.3k>..k.nz.|..Y..N........HjYq.A.'{....S>.-.p..\?...*."..x....U..h..%..?...tE7...}#./ .P..Ik......w.^.z7.o..`.F..g.U\..b.p......p..H..9.Qu....MH....K/~O..a".-..q..mXOi..$.m.......9..(I....@x3....wl.....L.j.Mx...Wq.OA.../..K......8..j..-.B.=.I.o.G.%z%.....f.6..(...w...gA...E.............X6....>....W..kx.].A.8......a..3.j./@[.Up$p..S..{U...-q9.;z9.O..-..Z.?.k..0...A. )t....s..G&..Em.^/.k.

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=38117-58971

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 20855

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 38117-58971/2377080

Connection: keep-alive

.#o&._.x.....L.X.........O.!...K...MlF...[L.T..NQW...b.1..~.........^n.13... .9....&v..o..S..k._(.............i,.......o@....,?.D..K.......:..$.d...&.oi.....I>..C2.J......[T:(...q..U.....B....f*..q.`.......!...&8K.a;......#..........u.2#..=.JD.e.E@h8.A.7..`s...mP~.....w....5n.r ^e...a.J..y..........hQt8.....B...wt..}|T...#.|.wL*y.,.Ur1...p..)..........=*i.w.XW..m....=\..Z.|"b.S.z.:.k..Q&...&"(^....mg.....A....\.[.@.G...........S..VI...w...H ..J3..C......Z.N.f.=b..pwvGy......0.v.......(%E.... .....^p..G..;.s.`...I.8..!P|.7g.......}1.....X.:-..gt...f.....yP.[t.\..S4.n.....G..5..j...J...S.q....zA.b.~M.d..).c.^..pn`..3*....7#sw.......'...k.(..X.5.*...8Sx.'V..O.r...15VF..-.s..B.....2...O..3..97~@{...\...).......>...`.o .Q....B..Y..K.....7..D.h..u...a6o.!.*.........f2%B....%#LqKy.RH}.#Vb...:.._[}....@......N.<|[>s...q(z.......^.......t..{..q...D...t.T....._..q.'.t...4b.y...u........@...u)WX.7....?I.............cV..Dzu#.J.1.....$S..@];......*8..."._..D.t.?%i..'3..$.$......6.}.............JE....!..7"{0@...\.......=.{.....s..>1.?.e@........B.....?...B..."....<.L...(.._....?...y.F...6....q.9..|)....i.Pl.znd~q.4..NX8.....1`.g.?....dh..Q....I4T?.....{.qm....K.."v.S.qk...z...e...........H......\u.(.2y..d6.....k.t.Y}.Bl..np.f.."qL../#.|.0..*h.w......SP.d6..B.......A........j..ug\.QQ_..(.v{ggD#.I]...>tN.....2.7...B...7`.d..#..............a.kx.c.P8......<...B1V....2]NSi....?u.4%b.q(./.VU.bf.h}h|...D.CI.... ..f.E8...bT....k@n_.vVn..2...-.....).F...P...[..0.9..j.I~s_...i..m.F5..........a.m..}H....B...A...

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=58972-79579

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 20608

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 58972-79579/2377080

Connection: keep-alive

Ss^.$.5)p..DQ.a!6..g...E:VF.mM?dd@......]...i},........./h.1u.....>d..._.....I~...}x.(.R.[....M:.fR/z..C......D..uLd_.a...G.jt......;....'...zV.n.,..-......c.K..t..Xz......~.SI"."...n.2C.....Q....iD........mH.2........n.i|...7.lQN...j....3=...3i.}5gD@;<.....* ..nw..'.H.9.....}k........:.K..x......`~.~........e...|....K..o.25a.......m5.Q.v...\..x. .....4...^....Y^..2..J./...N.R7....AB} o.o'..x..l... K...o.gFn...G..:.......S.BN~E>.u.P.hm..k.:~f...3.l...J..Ff.\.Ik{)GA....-...9.H..T.R9J.w..cCy.b..G........'IbC...g.X.-...b.{....[...r.B.|..$..........?..q..n..q..!~.].Ea...._.5)...rS.EyX16..............lJ2....)..........X...WQ.../...Br"0..0...1>L....\\...E\...0.Jm...,^......k.V...~...`.^p.Ru.."68...1.u}Y...m....ID.>.!..w...T.|....9.F.`......O....[.N....)zG.`-#.......H8....hi....mYU..-.,.3*...x..!5.1..........vn.z..h]^.....q..._.....v^538.w...Yg....2.!<......M`.z.*...r.k..H.8RGt.:..S...!.@...b.a...........Pi .\.....!k..h..E.d..._&./..d....... .....v.~Wb....|O...T..^{ .U....N2......_.u..V......zX.5..j..J.........N......X...qo..~o.;....-T.a..s."......d...%...&).4....b...r.|Q.b..`...).`..>...!..o`......`...H.^.....L.,..9......Y......b...y=.....1......J.@..m.s......a...'m....KM.v..h....f.....Gq...:.. ......J...y.....-....>.a9.JQ:.........}U.h........1A.....C...s..\....4.E...5.)...us&}.....h..R.}9...!.....4I.n.3...I..~........Q..m....8q.....,UsGRk..%...*..r].B..>.r.B.bEb6.[&.F.b...r..l.=.B.BM[....pP. ..u.G..nBo...Fwc./@z...K..n.E.bz..q..d%t)..u.n....]I.o.(....,...HU..Ad..t?.DI7......3.\;9....>1

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=79580-123287

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 43708

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 79580-123287/2377080

Connection: keep-alive

/n.......8...G..v..0.U.i..~Q...P........o...u.....&...!.|M.......f..Dl.a..6.T...s h....X.......b.h.&a?....xpI.........Pxw[.I.....lZ..w...`nr.%X.....m........~....O..^...k.y2...v.Iz.H?Or..O.....Q.._.jXg\.....a.IBO..l..o....E.>_.98...7...}Dx).{.....#*..>je....h...}..Nl..}..g.f..M.'*....5.w[........aH......r.\o2.........1....{...-Lm....-..QA`q.......2.i.....Z ....0.5.e...F...h.C>......@m....l.r6...Yt..H5..R!..R./...xW..E.l.m.,.(...r::*..X...7..{..t......'.hS..._&e...Ia!.z.a)..a.N.mJrm.p,)...._...s..'...M............0&..J.Da.7Z..o&.].|S.WLC....M.\x!n.-#.]7.5...o....*...../=..0.YJ8....2.6T...n........Si..8W.U..}.....N....$...?. .Q4...23c\.G..j.^e.WS..D?rT..z.....4.......1j.C..$a.5..<.`...P..z.....d......&.m...]...|w$Y............?pR^........O._...I..1t..k....u....a..........T...ms.j1......#.3>?.GS.e...Gq..Qo.....P..M.~...o..?...$upy.......$......yf......B...H.8......9...j..JX.......S.8.*f.t..E.Er=.:;..y..ICz.U.......my..C.8.e.VhN=.B...N..j. .. 8.RJ....Y,.z_.w....<\..!......B.Be...H....z..r.u....%......Iec..7.'..{......^...A..(..o.'Ix.|....A.....$b5...3..f%`7.<g..g.<..[a.?8Ag.5.:...z.6'.....u...7..}R_......h:.o.....9....c.....q:.......4..................X.z..>a...2XN...,..Z.>..R....=La....{..Xt>>.o[e..V...U...E..N...&....Q\ Q.5K:.E.n.[./(..WG.C.Q<.%u,..s..k8.2..#...!YX.m(...kH2."..:.x.....3(....&&i.H7qepw:...E..#t..,6M........n....v&`.....BJ..r^....#0...A..z..e&7<B...u.._....WB..6...u..xP6eN...%...3..ebm#..e9.bTCN:..=.]?...N.....NO.j..p..Z.z.........N......_.2.yZ.....*..t....

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=123288-213184

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 89897

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 123288-213184/2377080

Connection: keep-alive

......r..#..?Zn..q...8.G).H..._.|..R.-8..k..Pf.G...K}!.4..(.D.U?.^.i.e..=7.......[G.pPOX.......G...0.Z.B.........oX.0......w.f...#.....f...@h3.~..H..^.&.......s.$.....q....o...|.......c...(.~..&.!...r...zhf.b....Q.....a&.\`...O.2....Ju.&}..E.9x.J.'....X._x..R..R-......p.~~.w.$.?L.i.:.]..@w..@...a..y;..I....*...GaB...d8oO.Lo.3....L..-.r...2W.....t.az...S.....P....x....X....u.M.....x.iX.L..$}..~9.o}.w.E`.y.-g....i/...<.q.h.d8..n..4...... .......B8....U..G.......E1k}.\o..?.mc.VuL~j,..._V....R.9.....O.,..K}....A>...C.@......h'....WE.z....}...A2......7..gj.{..._$.y#)E....xqJQ&..=....#..........s.z..#v... .....H:>..U.H....'......::.IW....f...@.|..u"-...:..4....{..3.)x..<....,H...j..c.....J.bk.0-s..|?'L$...;r..#..%..I.4<.....n...9S}C.z.#Z..<.5..=..?...0#f...'L_.R..,....5Mqk.`..!d...1..dmW...P....:.FNn..~i....r.>........;......2%.Y......)y.{.;\f.l.|.?...l...f....... ..G[...Fs.......5..C..........#..y..~......J.^.....j..k(.....%x0..Y..! .{....YY.*...W.dH*..H.&......#.5..XR..........-...$P...U(...q7..K8.....K.7...N.,..7.....JF..1i......Q. .*Zx........X..SGt@..j..y..zX.CX.OX.M/-.......0..2g.B.k....h..O.l.#.rd(..C..s...i.|.g...E3RB/..L]....;.9~..[!.p.g.Mu.....W.. ....hb....!M..mk'.-V.yv.ph'...?.vD3E.|.J.L'.0~.).m..u.*......{.._.*.N.....e....Xg<..6...0.".^.y.\..0Is..6|..V...R.........PN4..3....j./..=...$.5...B.Wt..M0NN\.Hk....*.V.W.e`b...e....;..V.v......-...."...}[....P...r...b.E...A..F6..:...@R..2.bL.....%M.;&..... .w...:....S......<d...H..md...^........lD'.w...&......,=Q.IzJ.o..)o...O......a. .

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=213185-395299

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 182115

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 213185-395299/2377080

Connection: keep-alive

...Q..4..At>.lT5../..v..vN~q@..h..5...c`D..J\.V.7..I..ZT.h.F..Vm.C....L...m..$s.....:..T........i....."....c.'.".r.u_...*...4...E,.j...N....0$...........;d.$..o.j"....._->~v.$...........!......O.p....<2...w.m.$..W.,Cp;h...h.. ...X0.#...YA.T.V0W.:F....T...j... ..<..[k.o.fI....=?.%..H.D..d.!9......g0...:.b.*.....BN..7}j.=(:..pU^?.O.psyD....o.`=A.>...}.@.....rkLI...vj.k.-..d....a..wC.l@$"4..V..'=E....Z..j...I ...PW.I.R7t..<K5..L...FvtJ.c.au.4.,.....x.1Z5..0.J.,..*....2.nj...H..;b. .o#.)5......S.V..;.}YB"..F........(.$..x...^u..S.7..o........^.r ^.....\.Q[(...Z.,.3....79...z^j..`u1...P."..av.B.....A.=.!...e.CQaN}...y.;OX.q..T......"..h.....1.aHi...m.n.;-0....E.D.rs.....e..._\l.i.E]:..{......8...W.x.. ....L..._}q.&....f{...T...........9.....C4...Yk......rEE.W....U._'...k<g.n.e!e./E{:3Ee...r..j.Bv0Rr.A`....2..e...6..C.=...<?p>...wW...)......N.]k*y..7.O....q..g..........#...........K..R.v..*..9.B....F..uy."{r.....,..R..n9....6.P.........l.ls..Cw......3F..F..S.tR'?...6......H.'..q.W...{....."...n..g}.}.:..z..IB.....,Y&L..6: I.y{.........~86..F.X...V...b7.%x.5._.T....@.....f).=.Re3(..........P.g'....a.LY..3....L.`.i.,..26......8.5......0w0w....|y....'../.P ....sOl...^.....C..O.....;.....$a.=a.k..M..7o3..Y.=.h..O.V.5.....I.B..........'?.I..b.V=5.s..cF.1^.. q..l..R#5...-.G...M.....b~....].FgP.Ifq&.....l....D ....x...@.4.m....{.|......s.H8%N.?....'.T...u.l0.4...MV....h..s.>...]..o.p6..C.bI.....N.......'0.66!........*.U.;a#..e';.../n.......-C.9......M4k!.PZ..sH..yF....V..a`....<..].D.....|.I

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=395300-761360

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 366061

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 395300-761360/2377080

Connection: keep-alive

:...t.P...|.........JeN.`#...G.p.3...o..s\.J...YG.G)L..V.~.W\\.K....w.......p<..x*4....].......;em..o..P&.....#!....E..<.a...Q2.H.J.....jP.8.z....z...xz....YS....~........OR}.m...<.4.n>.IE....Xx.......q....p........e..G..(W$3. ....Th.g..{....e...&.5..h.~..j.:....X...v.hH....&=e...7F..-Dbl>)#.d.bx.x.L_|.._S.4,...C..y..*...5T.....v..........uK.q..............[..q....M..n.o.....x.........riv..t.e;.^=Vu.....c..23"....44...&8....Ps..........D..U...5.C;<[I.).L.Z5..._n.,.(bd.]."..U..*}....>@.. .>/....,"!.m|}...'t. 3.^t....Et..O.J...h......,.6....`.>h........(q:.`P.....y.p.fuf..W|.....YR..,V.....xQ......../...tC.ug....~j.&sC=............F....'...~D............F.^.m.nL..-..G.[.I[..s.Eex)..`{.....v...7.../.>.-...U.o.m`...*..d_H...t."Vz(O......gR.!..o....t.......-.....w........F.(...Q...P.P.....z...X6-/..;...x..Q........i.l"p0.sP.._.Y.y....dh..R..o....!&..."u...kD...V..l..h......(CS.9(....O....Ed.N..f.... %./.r)......XI..(..b.j`!Xu...........V......F(.\..!_O...|.wz...7..i.>......V..O.. ....Z....e:(._K.X..#.l...W.=.....x.....M3..7.;/j.o.....@Rh..x..f.R.'as)rX...V.>..E..{........2.Sd..Z1m.>`"z~....Y 8..5.....qX4.?.d.........LHU.4.W.~h.>.......[.o.J...4.i.$W.J...gm.r.5...R$..#..-7...3.\m,..O..W}.|..c!..xn.Ld.3...$`.._B.Z.....;.,.r..._..E.]....n....K..5.n.'.</....Y...H~r...R...hOCn.....hM.SX...J{|dt.-..(1.....wuk.B...H..i..$ .D..U...g.....d..2.....|wCo...n..EO..\.\.:........9.A.....h.)..r...p.p.q...u.O{....*.xW...n..5..~.4?.......k....P$.F.j...F.K..../.....*.....4..:....G{......]..

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=761361-1493569

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 732209

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 761361-1493569/2377080

Connection: keep-alive

Xm..Dy.8.T....21..&...M....m.....I,....._......19.4.[\...B...;.e....d..d...& ..2.i@....I6..7.x..e|............[J.M.Z....b....O..b.h=4B...S.&...q....... ...4g.........L]..m...B.;..b.....!.l..L..Eo..B.r..k0..f.T.E.qo.uv.\.d.q".TV7...Z.z!.y/1....i..A......*...rr{G...Y.ybw.P...H...._..^W.x.~LC..!....d..'...I.....T...#.MG.n..........v......0...7.f.j8.Xmt.......d.....?...{.r#E.%`"....~.!..$%..:Lb..2.y.@..>.,.>Ue...WW.....Zt.^4.......iLb*...i$._`...j#....e...~......2...UI....H..a...28.....dako...'.[.W(M.Y.o.y....j..r-..N6..f..F..T...d....rz...fn.).ur..|..!r.U2?.G..*.}...k1t..Z^..a.g>.......w{..........?.(z.3,....m....%...9.....lxU.B|..........M.-.....:...".sz....6....9G.........=6..o..G.t...v.....M..\...K.Zl.T..l.I]..e1M.n.r.,...u.....A...6(]......z ....f..3.zi.Eq.\.3....^|.^...w.^..FD..P.L....'..G........N.......<....c4.f........R.....?a.aR....s.....kb.NH.f.>.8.. z.m.,..../..I..F..H....l.t...f... TY.:&..u.....}.R.....c.._4.O...f.U..Q.4.."x...T...$.<*FtL.L.....a.2x.....7.`m.b...f..Us....mU.u.A...K......Np0....q'.cE...8.b...im:.I'.\.u.`K..6...c....3Q.r....~..Oj^....Co-....;...R...0.....G.,..`T......=tjY.F.M......r?.....J.....:...&.P..."...`P..E..B.....5u.o.......Sh.>.@...-...v..!.O..#p8%...."...........[....&...H\. ..."..0..q. R..RZA..N.=nz....?..Ph.....)..cU..a..}...1..n5.h...... ..vv..Z.z....Y..6....0NAu:"{n.Gl....y..$.T.."...s......G...&J...s....k.9...$.4..W......'M5(......&.w.8j.!....[5.J...9.m..(..=.4....0....L...:J..\...s....Tvs..F.E1...?1>4q.T.!...EV....H...*cV.7.2...{.....H9.z....<.'$

<<< skipped >>>

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT

Range: bytes=1493570-2377079

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: r2---sn-2puapox-ig3l.gvt1.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 883510

Content-Type: application/octet-stream

Etag: "1013e5"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Thu, 27 Oct 2016 07:27:47 GMT

Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"

Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT

Content-Range: bytes 1493570-2377079/2377080

Connection: keep-alive

8....Y.....!......}I.r..4e.o....%x.'..}.`w.p...os...R..x..[....%@.xj%D..T.4W4C.a&.].q=...<s...K.R.....q........Yn........9......A.......d..O.#....m.../.........2Ox_..*;...%L...q...zFb......f]fOC.R.?.ex.3J.3B..e....=.u........aha.c..B..r...E.... 0G..E...=..v.3.n....t.zF8......X..).Fm[q..8......q..).K....~...W..s.cA..$K*.....#..*..n...a'....Z..(w'...!t........x0<.....2.. ....3...:.S.is.. .!u..H.L.....I..A^...H..8..?..A.sl.u.o....0.".............pC...;.Nk.>...3.Q.....*?...z)wlW..e.............$.....f.......R..g...O&..zU..9%U1..`.51.W.K%U....k.q?.L.....b........vkM/do0.%K.D..8..v#t.s........(.L.Q...4.....?......f...6..Kq.O...;<`e......a.....e%....|&.@.M.He.c......#)....T.F=]. |......{r.$p..~...B...#......^..........G...@....>.M......j......9'.t....g.e..S.....2XC.V.:N<=...4.cK..u.An.;.....8...oE... .eVK..9o$D.0..1wY.f.........5....Vj....n..<5y.}.M(.....o.?..RN.O.GZM....o._v.gA.L..u=I.E..2....`V..3k.._.......0H..s.btb..^6q..?<.~r....V.@o....=8MCE.N.......F{......d..Zz!;Wg-.Y....j...B.l.)?.J..|..{3...........F..!.P..P..K...B..r...%.j#,&.. ..!O.;{...Hux^...{Z9`......V.YWp.qG......L..={i...l......d.M.tl....v.k.....X....x..d.i..P.~72.B(..%J.....Wk.........l.".;.O5`{..-..H[J.sf.?..-.H{.....$y.....5.z]..{....4...I...|.k...?e...*.z.r....2j...4R'..;....|.%.`......{.V...1.TV-....l..n1...3..h....../..1[W....h.d,..3.5`. ..x.!.PJ...m.2.......:.5].......t".....9M.Q.:..?....u..?3.Q..yMt.Q......E.........4F ........IAdb.r/.!|....A..d/32w)...C....p........&%../.....c..>......j0.Q*1..]|....v..i....T%..T..,.

<<< skipped >>>

HEAD /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: bg

Host: redirector.gvt1.com

HTTP/1.1 302 Found

Date: Fri, 28 Oct 2016 06:40:36 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Location: hXXp://r2---sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1

Content-Type: text/html; charset=UTF-8

Server: ClientMapServer

Content-Length: 734

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

HTTP/1.1 302 Found..Date: Fri, 28 Oct 2016 06:40:36 GMT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, must-revalidate..Location: hXXp://r2---sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477651236&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477636818&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=092925340ED87695D41054DED9F890C1204DB90A.7D8A8B629F13F3050C3324F862564D62A4FAFD59&key=cms1..Content-Type: text/html; charset=UTF-8..Server: ClientMapServer..Content-Length: 734..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2268:

.text

`.rdata

@.data

.vmp0

`.vmp1

`.rsrc

t$(SSh

~%UVW

u$SShe

Bv=kAv.SCv

wininet.dll

ole32.dll

oleaut32.dll

kernel32.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

\Data\ .exe

.rsrc

^.WUh

P.Rl.

%4HS2%S\p

\\%SH

*dY%F

5@\UWSSHh

VE;.WoXI

^x`>x.ht

@.Be$>;

%C:O@V

QE;%x

,>.Ptm|t6

.bKQ~

WudP

DQW%uX

]P.jV

burU.qj1[

.QJY|

7q.vD[NqS

.IY\p,A

UDpH

#W"%c

.zor!

.tb;M0^

4%d,k

?.wk)

z0%cx=n

]/m%C

Q6.ZgT

=%X(>I'(

>_.gsJ

$.CNH

C.kwFt

T.Aga

tW#EBk%X

.Xb?n

<.hvdr>

p.Hx9

%FrG.2?

W?2,%D!s0o

G`.gr

.BMGU

.pV^uI

%d&&'

''&%$$#""!!

N^NO.Os%

_%*.*f I64

SupportedException

tMsg|

MLZ.DLL7(

?CmdT

/'.IN

.MSVCRTg

.PAVMqL

(&07-034/)7

f.DbIn

s:%dW

Eh.dE

keyw

2(%d-

0xX

.Nb~X

gz0\.Kk

zcÃ

ub%Dl*\

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

comdlg32.dll

GDI32.dll

OLEAUT32.dll

oledlg.dll

SHELL32.dll

USER32.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

RegCloseKey

ShellExecuteA

J.jS]3

n};%s

)q4(.id

y.Yc~

vv.Xu

>.iEBq

.Ux2L

u9.ND

;5sD%S

V.Ev~

Z.Ko@*

1%u4=T

3Z?xCdsQL

fH%xJ"

U.Pds,

%.X.

Y.Yfg

#h7Y.JL|

d:W.iL)

Ã…Q!?

O%U3@*

5FJ.FU(

N,Vj.Sa

4.idg8c

bbF%U

uI.mY

.lDMF

A5.La

P.rYe/G

&%sFn

.Ecg[

rV%DS

AE.Nz

X}%UNV

k7.zUU

|k.YHu

[O.zqbgd

g5Ni%C

01%Sd

(Pk.yf

0NE.Jz

>P;.JP

^"U%S

.TS.>

0`%u.

&.pB=

xh.YR

U.Sl)}

me*%F

D.wOz

%SW&H!Z>

.dYF]

Ã½'W

-pRl}

.bt>

ke%D_

0.OW8

.SsYS

;%S:a

Uc%s

n%fO4

%x$qeJH

B\.zS

GC.Ub5

@3^.%c

.utV.

w$%s8

.bXeZ

(%Xv=z

7#.ce

&A.VMwx

%C}QN*po

.VBpooNr

C0[%d*SK

{#.LJ~M9jG=

:.Rk?i

MsW"-x}

#.Nu([

f>'.nNj

:k.MP

.zPTC

.GR# ^

) ]R%FM

.WvftOO

w%S\s

5!.JV

U2_.tb>

N.UKbJr%'

hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

hXXp://wpa.qq.com/msgrd?v=3&uin=346350253&site=qq&menu=yes

windows

dx.mouse.state.api|dx.mouse.position.lock.api

\Data\dm.dll

!!"#$%&'())?

%C%]uSj

Ha.QE

xCmD$L

s.Nd)

A_%.ID,

n.Nn0 b

.hh=@-

T8.Sz

.dTR0

.PWh=j

nL.nP?

webH

NQt%F

.XV LV#

PGPus(.Gz

.ROH=

]v%UO

uÃ¹ u

0k00[ `.kh#

.scwX

?456789:;

!"#$%&'()* ,-./0123

CxImage 6.0.0

a .WO

e processors when executed

>support g

UxTheme.dll

;9HttpCli

7.PAVCExcep=^

.1.2600.441~

PSAPI.DLLU%f

%u%x-

88.185.3

20 4.49.

0.4.10n

129.6.15.29

202.120.

\.\%c

g%s#$A

"LuCBy%d

./*.bmp

log.tx

cpublic.inject.type.54

LL keypadput

k.ap*

.=.minmax

x.cfake`?

defense.szX

.sel/O

on.Leve

mp7%ss

tCPo

wKeyboardD

Scsi%d:

H%d_%

1.2.24

%ct t

: %s=

= (%d/10

gx=%f, gy

%ld, pass

xkey

'%ds=

3%u B

orm.de6

`O%dhx%dv qV

FD=%u, "

'z %4u

iY;kUnkeY

%ld%c$

-t.SSSj

MSVCRT

ntoskrnl.exQ

8)939@9|9

#&$&@'!?

9}%U}

3(Ãd

6,?-.7?`

SAPI.DLLK04e

506:6?6[

8(83888?

>,?0?4?8?

.net4x7

.Crz03

hÃ•@e

:;.ofSb

R.of'z

B{.zS,y

6o.ob#

Ftpf

PIpE

.Sj_^

.vCb'PK

WlCmd

l%u$}0

Jy%s2;J

x-d}X

_~.SO

'.Sj?

.Increm

WinExe&Copy

.DIBi

uDPtoLPNq`n

fo@@UAE@XZ.on

ad.boa

.DD-?J8

1,//2/,/

7G#V%F

(.text

@.tp0

{43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A} = s 'Dm'

'Dm.EXE'

val AppID = s {43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A}

dm.dmsoft = s 'dm.dmsoft'

CLSID = s '{26037A0E-7CBD-4FFF-9C63-56F2D0770214}'

CurVer = s 'dm.dmsoft'

ForceRemove {26037A0E-7CBD-4FFF-9C63-56F2D0770214} = s 'dm.dmsoft'

ProgID = s 'dm.dmsoft'

stdole2.tlbWWW

~cmdWd

KeyPress

.aKeyDownWd

MKeyUpWWWd

ShowScrMsgWW

msgWd

SetShowErrorMsgW

>SGetWindowStateWW

U@SetWindowSizeWWWd

SetWindowStateWWd

iRSetKeypadDelayWWd

BkeypadWW

SetExportDictWWWd

keyWd

FindWindowSuperW

qHKeyDownCharW

pOkey_strWd

KeyUpCharWWWd

KeyPressChard

KeyPressStrWd

EnableKeypadPatchWWWd

=PEnableKeypadSyncd

EnableRealKeypadd

GetKeyStateWd

[.ReadFiled

WaitKeyW

!key_coded

joEnumWindowSuperW

urlW

=EnableKeypadMsgWd

EnableMouseMsgWWd

method KeyPressWWW

method KeyDown

method KeyUpWW

method ShowScrMsgW

method SetShowErrorMsg

method GetWindowStateW

method SetWindowSizeWW

method SetWindowStateW

method SetKeypadDelayW

method SetExportDictWW

method FindWindowSuper

method KeyDownChar

method KeyUpCharWW

method KeyPressCharWWW

method KeyPressStr

method EnableKeypadPatchWW

method EnableKeypadSyncWWW

method EnableRealKeypadWWW

method GetKeyState

method WaitKey

method EnumWindowSuper

method EnableKeypadMsg

method EnableMouseMsgW

IMM32.dll

MFC42.DLL

MSVCRT.dll

VERSION.dll

dm.dll

"\Data\dm.dll /s

hXXp://VVV.game2.cn/playGame/code/dtx

&password=

op=login&usercode=

hXXp://VVV.game2.cn/websiteAjax/

&src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=https&o=sso&m=getToken&userName=

hXXps://login.360.cn/?func=jQuery11210259506186048403_

&proxy=http://wan.360.cn/psp_jump.html&callback=QiUserJsonp615662574&func=QiUserJsonp615662574

src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=https&o=sso&m=login&lm=0&captFlag=1&rtype=data&validatelm=0&isKeepAlive=1&captchaApp=i360&userName=

hXXps://login.360.cn/

hXXp://dtx.wan.360.cn/game_login.php?channel=521260009&src=newwan-syzt1-dtx&advid=521254815__dtx__S112&server_id=S

hXXp://s1.dtx.g.1360.com/indexLogin.php?

1970-01-01 08:00:00

hXXp://passport.51wan.com/login_index_theLogin_0.html

hXXp://my.51wan.com/gamelogin_wd_serverList_dtx-2.html

-0-.html

hXXp://my.51wan.com/game_toolbar_0_dtx-

hXXp://res.dtx.game2.com.cn/index/index51wan.html?

UserLogin

hXXp://VVV.game2.cn/verifyCode.php

hXXp://passport.360.cn/captcha.php?m=create&app=i360&scene=login&userip=+7+d1+hWWDPiXFBqruKw1g==&level=default&sign=706d82&r=1472615666&_=

hXXp://passport.51wan.com/verify.php?for=login

hXXp://VVV.game2.cn/member/

&src=pcw_wan&from=pcw_wan&charset=utf-8&requestScema=http&o=sso&m=checkNeedCaptcha&account=

hXXp://login.360.cn/?callback=jQuery1121004880054023122077_

hXXp://passport.51wan.com/login_index_needToValidate_0.html?jsoncallback=jQuery182016474190838213354_

hXXp://member.8090yxs.com/login.php?action=checkuser&username=

hXXp://member.8090yxs.com/game/game.php?game=dtx&full=play_gamecode&client=pc&server=s

return Math.floor((1 Math.random()) * 65536).toString(16).substring(1)

&captcha=&autoLogin=1&client_id=1100&xd=http://wan.sogou.com/static/jump.html&token=

hXXps://account.sogou.com/web/login

hXXp://wan.sogou.com/play.do?gid=653&sid=

hXXp://wan.sogou.com/clientplay.do?sid=

hXXp://VVV.dahei.com/websiteAjax/op/login/

hXXp://VVV.dahei.com/joinGame/code/dtx

hXXp://VVV.ao7.ufojoy.com/game/dtx.phtml

form_submit_key_time

form_submit_key_v1

form_submit_key_v2

&url=/game/dtx.phtml

&form_submit_key_v2=

&form_submit_key_v1=

&act=submit&form_submit_key_time=

hXXp://VVV.ao7.ufojoy.com/user/login.phtml

VVV.ao7.ufojoy.com

hXXp://VVV.ao7.ufojoy.com/game/dtx/servers.phtml

.phtml

hXXp://VVV.ao7.ufojoy.com/server/login/

http://res.dtx.game2.com.cn/index/indexufojoy.html?

@.reloc

RSSh C

~$)~()|$

3|$83|$0

3|$@3|$4

|$43|$(#

.QZ^&

xSSSh

FTPjKS

FtPj;S

C.PjRV

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

CryptoMaterial: this object does not support precomputation

GeneratableCryptoMaterial: this object does not support key/parameter generation

: this object doesn't support resynchronization

StreamTransformation: this object doesn't support random access

(3-!0,1'8"5.*2$

120.26.81.103

//./%s

XXXXXX

%s|%s

Empty key

[32m>>Connect select ret %d

..\t_baibaoyun\protocol\network\TSocket.cpp

[34m[%s %s %d]

[32m>>Connect field errno :%d err: %s

[32m>>ret:%d,error:%d,len:%d,err:%s

num_key

hXXp://apicom.baibaoyun.com/cloudapi/GeneralExec?arg=

[32m>>close g_sockClient %d

..\t_baibaoyun\protocol\TLogin.cpp

TLogin::clearInfo

ProcessPushMsg ret : %d

[32m>>ProcessPushMsg is in

TLogin::ProcessPushMsg

TLogin::SimpleLogin

%s TSocket::Connect err %d

TLogin::SimpleLogOut

TLogin::PushConnect

%d.%d.%d.%d

KeySize

: this object does't support a special last block

NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes

: this object doesn't support multiple channels

is not a valid key length

InvertibleRSAFunction: computational error during private key operation

for this key

: this key is too short to encrypt any messages

for this public key

EffectiveKeyLength

RC2: effective key length parameter exceeds maximum

?#%X.y

E:\4.0\bbyPlugin\Release\t_baibaoyun_win32.pdb

KERNEL32.dll

IPHLPAPI.DLL

InternetOpenUrlA

WININET.dll

GetCPInfo

GetProcessHeap

t_baibaoyun_win32.dll

generatersakey

generatersakeyW

loginW

msgcallback_login

msgcallback_loginW

msgcallback_loginex

msgcallback_loginexW

msgcallback_push

msgcallback_pushW

.?AVPublicKeyAlgorithm@CryptoPP@@

.?AVPrivateKeyAlgorithm@CryptoPP@@

.?AVPrivateKey@CryptoPP@@

.?AV?$ASN1CryptoMaterial@VPrivateKey@CryptoPP@@@CryptoPP@@

.?AVPKCS8PrivateKey@CryptoPP@@

.?AVPublicKey@CryptoPP@@

.?AV?$ASN1CryptoMaterial@VPublicKey@CryptoPP@@@CryptoPP@@

.?AVX509PublicKey@CryptoPP@@

.?AVHexEncoder@CryptoPP@@

.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@

.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@

.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC6_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@

.?AV?$VariableKeyLength@$0BA@$0A@$0PP@$00$03$0A@@CryptoPP@@

.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@

.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC5_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@

.?AV?$VariableKeyLength@$0BA@$00$0IA@$00$03$0A@@CryptoPP@@

.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@

.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URC2_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@

.?AV?$FixedKeyLength@$0BI@$03$0A@@CryptoPP@@

.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@

.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UDES_EDE3_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@

.?AV?$VariableKeyLength@$0BA@$03$0DI@$00$03$0A@@CryptoPP@@

.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@

.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UBlowfish_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@

.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@

.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@

.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@

.?AV?$FixedKeyLength@$0BA@$03$0A@@CryptoPP@@

.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@

.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@UTEA_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@

.?AVSimpleKeyingInterface@CryptoPP@@

comroute.baibaoyun.com

.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@

.?AVInvalidKeyLength@CryptoPP@@

.PAVRSAFunction@CryptoPP@@

.PAVInvertibleRSAFunction@CryptoPP@@

.PBVPrimeSelector@CryptoPP@@

.PB_W

.PAV?$basic_istream@DU?$char_traits@D@std@@@std@@

.PAV?$basic_ostream@DU?$char_traits@D@std@@@std@@

00x0

9&939&:6:

2%2*2/242>2

5_5K5X5a5

8Â8K8X8a8

6$6)6.646;6

6o7U7y7

0!1)11282

6$71757?7

6$6(6.6:6

= =$=(=,=

5$5*505?5

6!6(6-6;6

2 2$2(2,20242

1.0.0.0

CCmdTarget

CNotSupportedException

commctrl_DragListMsg

COMCTL32.DLL

__MSVCRT_HEAP_SELECT

user32.dll

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

RegCreateKeyExA

RegOpenKeyExA

SetWindowsHookExA

GetKeyState

UnhookWindowsHookEx

!Win32 .DLL.

.MPRESS1

.MPRESS2>

>%Crc{

f7.ST

Ah&`%xw

-Qwg}W

.Rg^5

ra(%X

-RL}tAWq

3r.DU

#.jK$

.If//

i5v.dU`

wfd%C

.seH9

H7\Ã›y

%dWA4

.WmO.

Q.HX)

ÃœU2

.ubwO%

?.MK9

d.DHb

.jtv,

Jnx&%D

%d{u2

msgcallback_autologinW

msgcallback_autologin

shell32.dll

program internal error number is %d.

:"%s"

:"%s".

.?AVCCmdTarget@@

.PAVCException@@

.?AVCCmdUI@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCTestCmdUI@@

.exe "

repass

UserChangePass

dm.dmsoft

SetKeypadDelay

SetShowErrorMsg

SetWindowState

,(!73!73!73!73!73!73!73!73!73 @;

.comment {color:green}

.jS.T

SiX^@=65.eB

;.APi

A%x*>l

@%S&)

;%DuH

LSc

A$(d%cn

8.jPs

.jJX[

*e.NaJ

pY-|Ã¾

.YrVUp\

diTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?>

~.agAV

.nn-!*

.tkyt

G:\^(

.RhcD

o.vH|

?h(%do

=7%f__

SOCrt

htu%d

=VR^.uzL

%fPa4

" id="W5M0MpCehiHzreSzNTczkc9d"?>

!.RNi

%x_Xj

GO#.Dx

Z>%0S_

Mm.gS

(j.AKt

`8.zNx:

%cK8R

@9u[%ul

.hr''y

_h@A%s

.yqh(t

E%X[-

\`!%C[8

!%D&&

TW%U8

.mN`SH

.VX1P5

X(U%Ui

.xQCO

usSh:Zq

D-o.OF

eN%6u

.LI[P

123456789

00003333

1.2.18

F%*.*f

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

MSWHEEL_ROLLMSG

_Wb.eM3

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WSOCK32.dll

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

msscript.ocx

Y%d

X%d

Height%d

Width%d

RECT(%d, %d)-(%d, %d)

Styles0xX

Control ID%d

Handle0xX

burlywood

\winhlp32.exe

VVV.dywt.com.cn

index.dat

desktop.ini

\StringFileInfo\%s\Comments

\StringFileInfo\%s\ProductVersion

\StringFileInfo\%s\ProductName

\StringFileInfo\%s\OriginalFilename

\StringFileInfo\%s\LegalTrademarks

\StringFileInfo\%s\LegalCopyright

\StringFileInfo\%s\InternalName

\StringFileInfo\%s\FileDescription

\StringFileInfo\%s\CompanyName

\StringFileInfo\%s\FileVersion

000%x

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

;3 #>6.&

'2, / 0&7!4-)1#

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

.PAVCResourceException@@

.PAVCUserException@@

.PAVCArchiveException@@

c:\%original file name%.exe

.gWSdtb

w=kAv.SCvs

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

USER32.DLL

sice.sys

siwvid.sys

ntice.sys

iceext.sys

syser.sys

sbiedll.dll

3%d-%d-%d

winhttp.dll

activation.php?code=

deactivation.php?hash=

xaK%f.

0r\%u

y}8Url

1.Xr}0

.YS:`

.sM )

K.HrW

/("T.di8T

.Npnr

*.xgd-

=f%SKf

.Ta/.\

o{%CUi

.cF2sQ2

WÃ„e

.bo%q

_.hL*)

.ySfN

%Xcj|

)\.YH

}.zsj

bA.vuW)RZ

eb.ge

F.VmH

Gc.RKJ

.ocx?=!

.Yu_9

k#%Dw

.vzFb

Ãfu

.oqs$

/.tFt

.KL }

.hT!~

/R.QQ

T"r"sQLC

.Iq%?

%6scA

!M%CV

5%oZ%D"85

P%SDQ

e.QM`P

.WJr}G

yZA1:&%f

MExE

a%xbO

1"g%u1

Su\B2e.Mz

}s[#.zm

4TÃ›e

Ã Ue.ed

ZExEY

.Xk1{

q.WH#4s

f%C]f

}.yht

UDpI

[.rX*$57`

%Xh*bZ

t'MZ5.MY

$.cf;

V.hY|

%F T

uTU%X

fR%C-

Fq.rI

%1xHv}

l.zFJ

K.iHAL

=.Kw

[.Ip6

.wa4s

e%D%p

.mg2j

%S6r]Z

w@u%d

R.ZQ#

aH.mbR

f#.fa

Sshn@y

u%Sye

4.Fyo

f%f f

0s.Ds8

*.odB

.ao !

0O1S%

K4UDp

\pVv%D

l:\gB

vq6Q%x'5Qi

%snWY

8.Ã

7.Je2

gZf%xN

vJh

.EOz/6

.Ns};6

.fy_#

b?.Xf;

e.HA6

0|pT%s)R

Pk.tTP

%f*1YCT

W.kiG

.eQO|

[7X:5%X

c:\Zj

%XRmkDC

OG>.vG

Pj{=;.qA
%U4zs
Zt&.zd
%fs13
fMPM.Og@
]-nC}
SHfTP
.eX.V
%\%Dt
.iFOm
.wGerW#
y}%uLr
v?F%X
)*.*!
;.9 l/Jg%F
%cz`7
U.HT0U;
m%dkE
%Sph']
.PY.V
'muc.Wu
.fC*S!J
w;q.nY
 V.oS4
.YzZRm
oQ{%C
-.rcR
$0@.FP
k.fx(x
}.jN~
45%fo#r
=e>%F
%sS}ZW#d
.fc>-
%U@k]
B.xPtU
d[.fO
d.DE.|
%US:O
IS2%FQC
.pk]FF
I%UB0,_r
0#.aaw5
.db.~
%sSN"g

vJh

.EOz/6

.Ns};6

.fy_#

b?.Xf;

e.HA6

0|pT%s)R

Pk.tTP

%f*1YCT

W.kiG

.eQO|

[7X:5%X

c:\Zj

%XRmkDC

OG>.vG

Pj{=;.qA
%U4zs
Zt&.zd
%fs13
fMPM.Og@
]-nC}
SHfTP
.eX.V
%\%Dt
.iFOm
.wGerW#
y}%uLr
v?F%X
)*.*!
;.9 l/Jg%F
%cz`7
U.HT0U;
m%dkE
%Sph']
.PY.V
'muc.Wu
.fC*S!J
w;q.nY
 V.oS4
.YzZRm
oQ{%C
-.rcR
$0@.FP
k.fx(x
}.jN~
45%fo#r
=e>%F
%sS}ZW#d
.fc>-
%U@k]
B.xPtU
d[.fO
d.DE.|
%US:O
IS2%FQC
.pk]FF
I%UB0,_r
0#.aaw5
.db.~
%sSN"g

=.LyJ

HO.aP

_.fW{

%U(x;

u 9.VN

%u8Nr

%XoLH

A{%Dy

;%f~.bc

W.xN_

2;q%C

Z.ag(

,H.bD

Y.cWXM&A!3

jk.eI

V.UzK

o%sA4

0}#:su.tG1

4VE%CK

w;)vÃ‹

CrtJ^

~.NiU

\s.Oz

.CVo(

.bG77

g^4.oz

%U[=o

46f

. Fl%C

*Rs%S

~.drL`FGJ

i.Zp:

1s.%f%

Oyy.sHv

wHh&).Pcm

X}B%F

5.Klf

58%xK

b.GTVE^\

GvW0%7s

3.Lz*

r/.LM

DTw:%S

.SJQi

.eVvc

.Fg.y

HrM.Jx

T..Hv

.yz]S

hhK%x

=5'.gn

.GHg|B

=UuRl;B

&%Dv`

,V%x`

;z`%U

.Qz. nn

Zz%F\j

X.HPk)

iQ.fS

Z%C\@-

u7<.vb>

RQ%fJU

6.lT,R2

;.nnD

^T.us

H-M

Bdy%f%

%F `[

f.Scm

1O$#.FJ(

.qGUV

GmHOy.ui

[Hm%sc

;.ci,

.qid`'

1.WKJL

ZI#.enB*

t=%fN

Z9{I%F

.vry=!\B

.vr@:

wEBT9oO

.xkH_/

l^.Ba

urLb?

L6.inXh

kUdp

Ufr].sW

%fyEmfb^

@sp~%c

%cw#

@H,.Ki

v4,H.nsT=

YN.wc

key4,

]2Ã¿4

MSg."

%X~$_C

rmSG*9

N/G^w%Cn

N.eq=

S%xmT@

(|y.JRqMS

.nW:CI

.Hl[}

'.Oz3

L%x(H

}`xG".sE

.xWH&r

D%D:u

w).OD

n)f%D

N\.Nz

STr%US]X&

h%uIEO

Vn.cMro"

Meb

PLme.fD

{r.aPo

U-%dTT

.vh|R8

.FV!]

Mo .Wk

"lH@.aX

b.LAs

r#.eO0d

Ã²f/w

9.Qw_1

x%S?n

Oy.kOb

9.Bq[

w .aj

.LNewz5R

dfTpH

.yNct

?0SQl

^%dH]

.AJgM

{QU&%C

P.pL.A

HLb.BR

.pPVL

0n%sFx3N0

4.FW|

%S5H2

TJ.Cn@

0_%Um&

Ru.vF

,g%u |aY

E3BSqLW

%xsJ9w

.REuN

AVIFIL32.dll

=~9M%S

p.Tc~

AiU5%uR

%s~dU

v.Wr?tR

OM%U@l7

hmÃ–

;5%sFSZ

.Ju2$uL

.MDQL

LC.AS

vA.fa9~ge

bkEY@

ZMn%U

.JG;C

b.xON

FiÃŒ

I%.Hc

pv%7ucC[IV

.Ã»Z

u.vs'

.WMHk

@%UeB

.DvOt';mA[

c%f~y

C.wfA5

XJS9{.mC=

ZCÃ¼

6%Xi6

urly

.SYh`p

%dMQR/s

.WfG`

x.rTO

.yIOo

y#.eR

xi.iE

%6s6"M

-7}?^

""%s

.Iep0

?.Lj

i.QlL

%A-9g}

Fa-L}

tqp.yze

%FnyK_&2

z#%DR

.sI|u

.kse/

!Q.jG

R.WYc

pB.nCf5

kT8,`ps%f

..wYv

o#.%f

Ekv-T

h2EW%Dm

SC.NJ

,}.lM

z.Yrn

8].yR

6.jZ{

qkP*-b}

=%U%3w

E.YB~|

Q.eW4

|.HJ,H4

OkD%s

KG%s3

m.QZ

u99.wF

.BS'A

%C'0'n

%sBqW

%fgG'

CÃ˜a

:.vN8

/L.cY)

`.kaZ

p\6%U_

.loMX

C_].HzX

J.JB=?KC

w<.qzn>

.OJNNG

33}

_o,.gQ_w!

.TkX2

'*[.aQ

,h]q%c

z3%Xt

|:&%d

EG.vzf

-fd}/

,/%fyf

DAÃœ

v).zY#

8U.uy

id%s{=

d}%F>c&

&f.pA

n%st|

~.bgQ

rO.Naz

%u?XF"

X`.zP

5Y2.wD

=.Qfo

9-.AoD7\

]%.SR

z;S:.sR*

(E.Qi&sBqF

.aAeB

d..sp

"|.wh

.Wehe

W.gp_

~.SO#gLZyz

'A.qO

.tQJ:

Qcc0.Ds?

%xOtw

Ã’BC

.Co7\

Z.Vl>e

-8}[*

B2%xE:

5%u!Ob

v %fk

@%xTo7IM

.BVy}

.WZhM

tx9.txM

L.ol4

4Jb.wI

Pm.wE

Q^Js%C

o.hsMah`

JF*6.qo

cP`Ã™

Keyv

m.ufw

.kA"e

.egj2

.QkQ y6

cFTP

Z:\6!

cS.jE

.iFi]

)#%U=

!G.etF

wcrT

n.fWF

.iie=

0il&?.nW

.dl-O

J.GI$

.Iv*4

.-rmXw}d

%uX~#p{h

.pJdl_

ÃŠ?"y

&.rZD

.sk~e

~X.XO

.mtu"

a&i%cy

*L%SD

j/{.JcV

uDP\>

dD|.dpQ

.Zc{~

Bq%X{4

yP.lxzA

Jw.mD

kf)%s

%fLuF

{-Ã›

m0.vBO

7V.Sf,-

zexe

.md@8ae

.Gw )

.cc/O

!>] ]\]:

\}%xb

9p%ulh

%DGBWF

^WO%X

.hA[N

[%XKj

{%S|I

.TG0n

jmsg

'2.yu

.Lz7hP

-%f{L

.EB'T]

p.OEN

%SL/qc)te

d0%X1

5xK%c

!.bt6M$

0 %uP

%d:I2q

o'%Se

.uf\m

.YBL8

-N}#_

Niru.fVL6

.qoKXXLa R>

C%fSo

_G.my

q!`W]niq}-f}/

S.fG

NT.WO

|Rag

%@/)}]25

8%x)>

:.yi:

4b.Uy

m.PHg=

%uUQis

gOT.gx

/.mdeOB$6

w@n@/.cG2

}O.tg

.lB(o|

N.aI4'

%Dp 9

1CRt3\

A|4URl

HTUDP

W.iiJ

.NXoj

>9I%X

Lss.gh

dÃŸ|

%s4xe

.pnP4

iDq1b.jM

).GRBsQJ .

4.Cj==

%XPof

`T.cl

.mGsn

Z.lrC*86W

p`.TB

{.McZ3

EX.oC

C^.QN

.VkKJ[=?

il.Dr

N.cOE

L4ZS%F

-L.dUeb

9.Ww0

k.Uf-S

&X.jj

FQ.PJ'>l

.gGK~

%FY3$

9d%4uW

Z>a.bgL

.FKG0

Zc.CK

.UJ%k

K\.QP`

.Hp~e

[%.jE

L.Zo`K

.vXbR}k

%sOT8]

=.ejg

C3x(%Dg

%XKSc

$GL.Tw4

G.rY4d

uRLoW

Fzlgo%U

.WIfX

c]B%C

h(.EI

m>.WDU

h.did|

On%1X

.pqvU

2y.Am

.z.FY

z_.SaS

t].eX}

.qT},i

}BL.Ebu

v*;.LS

SsHK@

Kr\.RW

%S^I&

A7_T.nf

sV<.ex>

.^.Mm

S.Ua'm'

U.It

InternetCanonicalizeUrlA

o .yR

LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07

hXXp://pki-ocsp.symauth.com0

ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0

h.lUh

RWTSAPI32.dll

5%FR*

.ZTD@w1

MSVFW32.dll

Udpo

xH`

7.bD $l

.LwvE=

qzq%u

RKERNEL32.dll

RGDI32.dll

RASAPI32.dll

3.uQ)m

n.tFtX

Dh==e.Ht

3, 1233, 0, 0

mscoree.dll

nKERNEL32.DLL

WUSER32.DLL

%s_tmp

errcode : %d,

1.0.0.2

Error at hooking API "%S"

Dumping first %d bytes:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Cannot %s server %s

Error: 0x%X

The procedure entry point %s could not be located in the module %s

Cannot load file %s

Error: %d

WMIADAP.EXE_1812:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

USER32.dll

msvcrt.dll

wbemcomn.dll

OLEAUT32.dll

ole32.dll

loadperf.dll

FEw.AEw]FEw

`.bik

PSSSSSSh

WMIADAP.exe

?CloseSubKey@CRegistry@@AAEXXZ

?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z

?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z

?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z

?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z

?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z

?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z

?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z

?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z

?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z

?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z

?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z

?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z

?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z

?GetCurrentSubKeyCount@CRegistry@@QAEKXZ

?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z

?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z

?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z

?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z

?GetLongestSubKeySize@CRegistry@@QAEKXZ

?GethKey@CRegistry@@QAEPAUHKEY__@@XZ

?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z

?NextSubKey@CRegistry@@QAEKXZ

?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z

?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z

?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z

?OpenSubKey@CRegistry@@AAEKXZ

?RewindSubKeys@CRegistry@@QAEXXZ

?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z

?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z

?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z

?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z

?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKQAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z

?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z

?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z

?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z

?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z

?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z

?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z

?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z

?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z

QSSh0

Invalid parameter passed to C runtime function.

ntdll.dll

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

RegEnumKeyW

RegDeleteKeyW

RegQueryInfoKeyW

_amsg_exit

_acmdln

?Report@CEventLog@@QAEHGKVCInsertionString@@000000000@Z

WMIADAP.pdb

5m6z6

%s_x

%s_x_

Global\WMI_SysEvent_Semaphore_%d

WinMSGWMIADAP

\\.\root\cimv2

WMIADAP Msg window

\\.\root\wmi

PSAPI.DLL

x=%s

Describes all the counters supported via WMI Hi-Performance providers

_new.ini

xx %s%s.ini

xx %s

\\.\ROOT\cimv2:__ClassProviderRegistration.provider="\\\\.\\root\\cimv2:__Win32Provider.Name=\"WmiPerfClass\""

WmiApRes.dll

%s\%s

6.1.7600.16385 (win7_rtm.090713-1255)

wmicookr.dll

Windows

Operating System

6.1.7600.16385

SearchProtocolHost.exe_2528:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

0xx=

%s(%d)

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

0xx%p%S%d

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

%S(%d)

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_2176:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

0xx%p%S%d

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

0xx=

%S(%d)

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610