Skip to main content

Gen.Variant.Adware.Graftor.174400_b56e5dbd20


not-a-virus:AdWare.NSIS.Rocketfuel.a (Kaspersky), Gen:Variant.Adware.Graftor.174400 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b56e5dbd20d532e6ffd1cabbbc17ee0f

SHA1: 5f44a71c979843add1e9ac0dcbb3baf101a593e0

SHA256: 8e2393f6bd55fa706a097f99cb603e4cc518307a3316ad703ce0948dd0dd3782

SSDeep: 6144:NSlBaLRnuP3flEpFHP6b617gcbBy2NxxIH4TYeNB6wG0QPaqHoJLZIuKBL86RbGz:XBuPPlEp1i2dD42lIYPYyiKWuSYM

Size: 400992 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:52:06

Analyzed on: Windows7Ada SP1 64-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:2596
GoogleUpdate.exe:1732
GoogleUpdate.exe:2636
GoogleUpdate.exe:1612
GoogleUpdate.exe:1604
GoogleUpdate.exe:1748
GoogleUpdate.exe:1916
GoogleUpdateSetup.exe:2660
%original file name%.exe:1372
GoogleUpdateComRegisterShell64.exe:976
GoogleUpdateComRegisterShell64.exe:1664
GoogleUpdateComRegisterShell64.exe:1020

The Trojan injects its code into the following process(es):

setup.exe:1512

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process GoogleUpdate.exe:2596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_it.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe (1738 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll (32380 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (40 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateHelper.msi (90 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_no.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_is.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll (71 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll (12490 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_te.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_th.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe (21970 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe (4210 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_et.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_da.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdate.dll (49 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_id.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_am.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_de.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_el.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9 (28 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll (79 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll (87 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll (71 bytes)

The process GoogleUpdate.exe:1612 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe (8278 bytes)
%Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe (7345 bytes)

The process GoogleUpdateSetup.exe:2660 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\GUMEE34.tmp\goopdateres_gu.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_vi.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_nl.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateBroker.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fa.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-CN.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ja.dll (35 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_cs.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_is.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_kn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateComRegisterShell64.exe (127 bytes)
%Program Files% (x86)\GUTEE35.tmp (6 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ar.dll (37 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ta.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lt.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdate.exe (291 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ro.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ru.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_am.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateWebPlugin.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en-GB.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-TW.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateOnDemand.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_th.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_tr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es-419.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateSetup.exe (7345 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fil.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_da.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_uk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp (28 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_no.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_el.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sw.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_id.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-BR.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ms.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_et.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_te.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler.exe (244 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_it.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ur.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_de.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_iw.dll (36 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_mr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bg.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-PT.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdate.dll (2632 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateHelper.msi (45 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hu.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ml.dll (42 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ca.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ko.dll (35 bytes)

The process setup.exe:1512 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2858020935-2156992550-3658131804-1003\d16af8aafb8de36166d078029ced25a7_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)

The process %original file name%.exe:1372 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFD.tmp (28110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe (38152 bytes)

Registry activity

The process GoogleUpdate.exe:2596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"UninstallCmdLine" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe /uninstall"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "0"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
"Description" = "Google Update"

[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Path" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe"

[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1431987791"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\%Program Files% (x86)\Google\Update\1.3.26.9,"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.27.5"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1431987791"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Version" = "1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
"Path" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Google.Update3WebControl.3]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]

The Trojan deletes the following value(s) in system registry:

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version"
"Description"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"ui"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"mi"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Vendor"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastCodeRedCheck"

The process GoogleUpdate.exe:1732 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"

[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"

[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"

[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"DayOfLastRollCall" = "3059"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastCheckSuccess" = "1431987755"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked" = "1431987755"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"pv" = "35.0.1916.153"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"pv" = "35.0.1916.153"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "3059"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.26.9"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "3059"
"ActivePingDayStartSec" = "1431932400"

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
"StateValue" = "17"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "3059"
"DayOfLastRollCall" = "3059"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "3059"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "35.0.1916.153"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
[HKCU\Software\Classes\Local Settings\MuiCache\2C]
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableSince"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerResult"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"dr"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"

The process GoogleUpdate.exe:1604 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"

[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"

[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"

[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"

[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"

[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"

[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"

[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"

[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1748 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "1"
"LastStartedAU" = "1431987720"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process setup.exe:1512 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "35 2A 3F 0E B9 91 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "35 2A 3F 0E B9 91 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process GoogleUpdateComRegisterShell64.exe:976 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]

The process GoogleUpdateComRegisterShell64.exe:1664 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]

The process GoogleUpdateComRegisterShell64.exe:1020 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]

Dropped PE files

MD5 File path
8715a0d10cffc8dee923957f07daa042c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe
6509a96dae25340772b51ac020cb1094c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe
0c03fb91e17987eed93f60007b08daa0c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe
f6eee6848e933962e12e7b3f25c73c88c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe
bb3045b399d898061b926b447c446e05c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe
6732c4a894855042fd3618406b6bbd48c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe
c990a8ead57da59fa8156cc02d3b7da5c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe
0894890f30b5f6510df953bc50b5504fc:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe
4cfe6eeb44d35c7b16693a97fbc9f368c:\Program Files (x86)\Google\Update\1.3.27.5\goopdate.dll
08171157668eebd2383e90eaf3f66aadc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_am.dll
b5a2589dd3e5b934c78c9ab1954532ddc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll
083956adf99f8cd0b36b54c93c291c1ec:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll
9bea43ecb11038854eb939256534a669c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll
1bd2127c632d783af6d7fc49110b1d1fc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll
7e6aa753aebbf36337fa46b78065a8efc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll
48123d9de5a24e6f846811d1818f42dcc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_da.dll
fd6598856e573171379298199c143226c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_de.dll
c39b9a29db403893453dcb4a2878db75c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_el.dll
2a364ab5881dbc31c4cdc33205c900ebc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll
3028318db29c2fca86e04287c8a96031c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_en.dll
8d5a00c850396ebb5a6f14fbc74871d9c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll
b012247e999e95741a3b243b1cc8fdfac:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_es.dll
0ace6ee20ea149fd959683659f484f0fc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_et.dll
0bb0f6e59d10c7b8443aa22c40574652c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll
531969a054efb1a5169eb3677c2a2410c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll
6bc91c70751ca456a654ac2e3050175ac:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll
11e2c5cc166267d15f281201e67ba2dbc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll
4dd7ee4a31e6052e519114f87bd568b8c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll
29575adcaee9c75deb47275b2fa85e71c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll
dd843413bfeeab35e355d2201cd0eaf9c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll
7806d33bfb2248fd52dbd423b10f1247c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll
6d4c1b29f1c1f422b679e71147a1dbacc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_id.dll
fe92c90570e92759eb023b7994cf9564c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_is.dll
9ac94b9c2c8887be459072761c48087dc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_it.dll
6db01ce7229e0362b6e8cfb86cf1dc8bc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll
b6c29a9f24b655407711bbccd9aa3723c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll
29c4cde0af7453930c8897a4fad83701c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll
3a162d9c713982cd20db33b6ed58e517c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll
160f03c5e0369b60d58e40754a54ba00c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll
fc3bca51a30f97d5737c3776ba6d0b24c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll
e2c5957d2d671779d73ad8abc49ba015c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll
d0413005ee471c2cb310bab1fafb33d3c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll
5835d491f5746b9abbccbdad2cc88f8fc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll
f8f1f2f2de104fb727627e2efa4b5e92c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll
c85cee926d55d376126f62b9d577b583c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_no.dll
3353610afe5ad1f3cbf6160927628a87c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll
453f3fa552533ff685d139fc5a27f380c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll
114d38b5e740311753ddff9ad9410aa7c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll
192b5b83c0d13613e3d832f79a9236dcc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll
beab86068645905a26bed2bb524470aec:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll
de812a532f35b968817b412b34c1563bc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll
4587fd7664101020cf94201451b8ddb0c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll
57509f1bcd90517078c31d6e05bcb994c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll
52d5f3a506c6a1a4c25859b55a53d908c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll
1bd1a95b13f7eba37dc042f05c224ae6c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll
e012e9ce832b2ced0e69ee3049306f89c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll
4aad678fcafff8ba048fbd31c83ea147c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_te.dll
3cdc681a91d505114dd057961b6907c2c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_th.dll
5719ba1c9893f442c391c99c365ba15bc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll
047aa0679b6cdf0a9ae2e04d8bab4d08c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll
6d6868d750c3d1c9e1febf5c5925ce1bc:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll
5e1759e2c88d986697c93a378cc1e1f0c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll
a79ef631a2196025016902b1538f1098c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll
7662e0146b639a3bbdb7422e07e53b08c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll
08aceceb47faf053c468d8afe44709adc:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll
f593a6d82c5334be5626f3b9ce8130f3c:\Program Files (x86)\Google\Update\1.3.27.5\psmachine.dll
113cd27882e9d2f3199bb2390ac48f3dc:\Program Files (x86)\Google\Update\1.3.27.5\psmachine_64.dll
997726d70e3a8fc1dc81f2a0dd52810ac:\Program Files (x86)\Google\Update\1.3.27.5\psuser.dll
b5780847a26ec6d002f69bc718ffd0d6c:\Program Files (x86)\Google\Update\1.3.27.5\psuser_64.dll
c990a8ead57da59fa8156cc02d3b7da5c:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe
c990a8ead57da59fa8156cc02d3b7da5c:\Program Files (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe
5bc24d29ed088faafc207ba3f21aad73c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:2596
    GoogleUpdate.exe:1732
    GoogleUpdate.exe:2636
    GoogleUpdate.exe:1612
    GoogleUpdate.exe:1604
    GoogleUpdate.exe:1748
    GoogleUpdate.exe:1916
    GoogleUpdateSetup.exe:2660
    %original file name%.exe:1372
    GoogleUpdateComRegisterShell64.exe:976
    GoogleUpdateComRegisterShell64.exe:1664
    GoogleUpdateComRegisterShell64.exe:1020

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_it.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll (69 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll (72 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe (1954 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll (77 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe (1738 bytes)
    C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll (32380 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll (69 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll (79 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (40 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psuser.dll (1954 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll (1954 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateHelper.msi (90 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll (3778 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_no.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll (86 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_is.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll (71 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es.dll (86 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psuser_64.dll (3778 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll (12490 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_te.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_th.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe (21970 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe (1738 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe (4210 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_et.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_da.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll (79 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdate.dll (49 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_id.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_am.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe (3778 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_de.dll (86 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_el.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe (1738 bytes)
    %Program Files% (x86)\Google\Update\1.3.26.9 (28 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll (79 bytes)
    C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll (87 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe (1738 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll (71 bytes)
    %Program Files% (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe (8278 bytes)
    %Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe (7345 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_gu.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_vi.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_nl.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psuser_64.dll (213 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateBroker.exe (88 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_lv.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_bn.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fa.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-CN.dll (33 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psmachine.dll (183 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sl.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ja.dll (35 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_cs.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fr.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_is.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_kn.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateComRegisterShell64.exe (127 bytes)
    %Program Files% (x86)\GUTEE35.tmp (6 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ar.dll (37 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ta.dll (41 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_lt.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdate.exe (291 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ro.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ru.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_es.dll (41 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_am.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_hr.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateWebPlugin.exe (88 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_en-GB.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sr.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-TW.dll (33 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateOnDemand.exe (88 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_th.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_tr.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_es-419.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateSetup.exe (7345 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fil.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_da.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sv.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_uk.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sk.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_no.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_pl.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_el.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sw.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_id.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-BR.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fi.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ms.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_et.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_te.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler.exe (244 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_it.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ur.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psmachine_64.dll (213 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_de.dll (41 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_iw.dll (36 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_mr.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_bg.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-PT.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateHelper.msi (45 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_hu.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psuser.dll (183 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ml.dll (42 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_hi.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ca.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ko.dll (35 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2858020935-2156992550-3658131804-1003\d16af8aafb8de36166d078029ced25a7_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFD.tmp (28110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe (38152 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.11.5
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.11.5
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: 1.0.11.5Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.11.5File Description: Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623130235524.4603c3953c262c50b3d94af076321878ec20
.rdata28672449646083.59163f179218a059068529bdb4637ef5fa28e
.data3686425384810243.259778304967a23ff32b1b0197005a845ef83
.ndata29081626214400d41d8cd98f00b204e9800998ecf8427e
.rsrc55296026136266242.67301dfcf6ccc6b472eb48939df4b862563ac

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
2445cbe7f7512a037c2ee2d2406e9940

Network Activity

URLs

URL IP
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=84211eed-2475-4dd6-99b9-c6179b9932ec
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628=
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=014c656e-070c-42e4-a618-0b7cd62f7000
hxxp://inst.vertitechnologygroup.com/consent/json/188?nexcb=167f6d1d-be93-4e51-a9cc-3010c16127bb
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=842ff0c4-2308-4356-945b-9611b5868b15
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83
hxxp://tools.l.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe
hxxp://r8.sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628=23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=23.43.139.27
hxxp://r8---sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms146.28.246.83
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf8387.245.221.97
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=23.43.139.27
hxxp://cache.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe216.58.209.174
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl87.245.221.98
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl87.245.221.98
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl87.245.221.98
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc87.245.221.97
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl87.245.221.98
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=23.43.139.27
tools.google.com216.58.209.174

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

HEAD /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 931408

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

HTTP/1.1 200 OK..Accept-Ranges: bytes..Content-Length: 931408..Content-Type: application/x-msdos-program..Etag: "53b96"..Server: downloads..Vary: *..X-Content-Type-Options: nosniff..X-Frame-Options: SAMEORIGIN..X-Xss-Protection: 1; mode=block..Date: Sat, 09 May 2015 07:40:43 GMT..Alternate-Protocol: 80:quic,p=1..Last-Modified: Mon, 04 May 2015 16:39:00 GMT..Connection: keep-alive..Alternate-Protocol: 80:quic,p=0......

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=0-8794

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 8795

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 0-8794/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...*...*...*...x_..*...xa..*...x^..*...{_..*...][..*..s.u..*...*...*...xe..*...*)..*...]`..*..Rich.*..................PE..L....xDU.................&...........T.......@....@..........................`......X.....@.................................d...x........Q..............P<...@.......A..8...............................@............@...............................text...}$.......&.................. ..`.rdata..LW...@...X...*..............@..@.data...`1..........................@....rsrc....Q.......R..................@..@.reloc.......@......................@..B.........................................................................................................................................................................................................................................................................................................................................t.......A......A......hs4A.. o..Y..............U...}..........j.j.j..H..E.P..(AA..U...E...t$...t....t..."t...Pt...hW.....h......].h.@........V3.VQ..h@A...u....@A.............N...^.U..SW....WS...AA...tDVP..,AA.....t'WS...AA..U.......v.;.s.....4F...Ju.;.r.3...3.f9..D...^_[].V..W.......@j....PW...AA...t.V.....|...Y_^.U..QSVW.....A.j..}..Q...3...C..t<...j..G....Pj.V...AA...t..u......2...Y..u.S...A........C..u.3._^[..]......y....8.A.t..y..t..q... AA..U...u.j..q....@A.]...U...}..t..u.j..q....@A.]...U...U..

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=8795-21861

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 13067

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 8795-21861/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

..]...hW.........V..W.....P..V....:.|.;.u.3...@.....1..j..v.......t'.F..G..F...E....Q.F.PQ.G.P.U........_^.......U..Q.U..M..M..4......M...tI...SV.Y.3.QQQQPSQj...(@A..M...V. ...3.RRVP.E....QSRj...(@A..M.V.e...3.^@[..]...U...U.V....x ..3.A H..@. ...}.R.........^]...hW.........h..........U..V.u.W....9q..Oq..y..~.V...5....-.I.;.}&.....@~............ .....;..L.Q...l..._^]...U..Q..SVW.8.E..O.._....P..u...j.V.....E...t4;..L.F..6RW.p.RV......E..O.....X..<....E._.0^[..]....:....U..V.u.W.........9r.}...~...j.VR.P...t......_^].........U..V.u.W....9q..Oq..y..~.V...5....-.I.;.}&.....@~............ .....;..L.Q...p..._^]...U..QQ..S.E.V..W.K..s..u....P..}...j.W.....E...t4;..L..p.GWSWV......M.....E..A..K..D....E._.0^[..]....B....U..V.u.W.........9r.}...~...j.VR.P...t......_^].........U...M..E.P.u..v...].U..QQ.M.V.=...P.M.......u.....................g.......tuSW..>.M.W................u...u.3...V..T..Y@PVWS.}...P.h.......M.W......u._[.~..t .M..E..E..E.PV.p....e...N..<...^..].h.@....hW.........U..QQSVW............W..S....Y..........u.3...V..S..Y..0.U....M...te.>.t!..:.tG..u.F..V..tAA..M....>.u..U.3.8..D.....t2.. .;.r*SWV.N}.......t..>.u.F...U...V..tAA....U...3....._^[..].U...........A.3..E.S.].V.u.......W..tgj....@A.SV......P..xAA......@A...t.h.@...B..x.......W._...SV.W........YY......W.}....M._^3.[..V....]...hW.........U.....VW.=.@A.3..M..u...V.E....@A..u..E.VPVV.u.h.......AA...u.....u4.u....@A..}...t.W..R..Y...M.VW......u...<AA._^..]....l....U....\..SVW....U..S...jD3.S.p..E..u.P.c`..3..}.........E.P..<@A.

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=21862-37948

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 16087

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 21862-37948/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

..:....U..E...3.B3...FA.>\t..>"u3...u..}..t..F..8"u.....3.3.9E.....E.....I..t...\G....u.....tA9M.u.< t8<.t4..t*...P.4#..Y..t...t.....GF......G....t.F....F.o.....t....G...-....U._^[..t.."..E...]..=T.A..u......V.5`.A.W3...u.........<=t.GV.)#..FY......u..G.j.P........=x.A.YY..t..5`.A.S.>.t>V.."...>=Y.X.t"j.S.s.....YY..t@VSP.{".......uH......>.u..5`.A.V......%`.A...'.3...X.A.....Y[_^..5x.A.......%x.A.......3.PPPPP. ....j.. ...Y...t.j......Y..u..=..A..u.h.....1...h.....'...YY.U...M.3.;...BA.t.@...r.3.].....BA.].U...........A.3..E.V.u.WV.......Y....y...Sj......Y.........j......Y..u..=..A................A...h.LA.h....h..A...".....3.....1...h....h..A.Sf...A...H@A........u.h.LA.Vh..A..`".............h..A..."..@Y..<v5h..A..."..j.h.LA...El.A...-..A... .VQ..".............h.LA.h.......A.V..!.............Wh....V.w!.......u}h. ..h.LA.V.."......Wj...0@A.....tI...tD3.....O.......f9.Ot.A......r.S.......].P......P.. ..YP......PV..D@A.[.M._3.^.|$....].SSSSS......U...E....A.].U...E...x!...~....u.....A.......A....A...]..'.................].U......e...e.....A.VW.N.@......;.t...t......A..f.E.P..T@A..E.3E..E....@A.1E...P@A.1E..E.P..L@A..M..E.3M.3M.3.;.u..O.@.....u.....G...........A.......A._^..].VW...A....A.......t......;.r._^.VW...A....A.......t......;.r._^.U..QW..X@A...3...tuV..f9.t....f9.u....f9.u.SPPP .P..FVWPP..(@A..E...t7P.......Y..t*3.PP.u.SVWPP..(@A...u.S.....Y3.W..\@A.....W..\@A.3.[^_..].U.....A.3...A.t..u...].].%x@A.U.....A.3...A..u.t...]....@A.].U.....A.3...A..u.t...]...|@A.].U.....A.3...A..u..u

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=37949-59919

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 21971

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 37949-59919/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

......3..}.j......Y!}.j.^.u.;5..A.}S...A......tD.@..t.P.....Y...t.G.}....|)...A...... P..8@A....A..4..1...Y...A..$..F...E...................}.j......Y.U.....@A.j....A..7....u.......=..A..YYu.j......Yh.........Y].U....$...j...k....t.j.Y.)...A.....A.....A.....A..5..A..=..A.f....A.f....A.f....A.f....A.f.%..A.f.-|.A......A..E....A..E....A..E....A...........A........A....A.....A.........A.........A.....j.Xk......A.....j.Xk......A..L..j.X.......A..L..h.|A........].j.h..A.........A.95..A.t*j..-...Y.e..Vh..A......YY...A..E................j..g...Y...Q.L$. ..........Y.Z%..Q.L$. ..........Y.D%....u.f.....f.n.f.`.f.a.f.p..SQ.......ux........t0f...f..A.f..A f..A0f..A@f..APf..A`f..Ap......Ku...t7.....t....I.f....I.Ku....t......t.f.~..I.Ju....t...AKu.X[...... .R.....t...AJu....t.f.~..I.Ku.Z.^...U...%..A.....S3.C....A.j...i......L...3.....A.3...V.5..A.W.}......._..O..W..E..M..E...ineI.E.5ntel.5..A....E.5Genu....j...X..j.Y....._..O..W..M..M.tC.E.%.?..=....t#=`...t.=p...t.=P...t.=`...t.=p...u..=..A.....=..A....=..A..}..|5j.3..u.X.......5..A..X..H..M..P..E......t.....=..A...3.......tM.......A......5..A.......t2......t*.......A......5..A.. t... ....A......5..A._^3.[..].U..3...9E.v..M.f9.t.@...;E.r.].j.h..A..(...3..u..}....u..}......................;=D.A.............E..............A...D.....trW.."..Y.u..E......A..D...t(W..#..YP...@A...u....@A....u...t.......0...............u..E.............!.}..u.W..#..Y.............L............j.h8.A..?...3..]..u....u..`.............................;5D.A.........................A...D8....u.......

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=59920-81823

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 21904

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 59920-81823/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

..@..$...@..(.@.L.@.t.@..F.#..G.............r......$...@..I..F.#..G..F.....G..........r......$...@...F.#..G..F..G..F.....G............V........$...@..I...@...@...@...@...@...@...@...@..D...D...D...D...D...D...D...D...D...D...D...D...D...D..............$...@...$.@.,.@.<.@.P.@..D$.^_...F..G..D$.^_..I..F..G..F..G..D$.^_...F..G..F..G..F..G..D$.^_...$....W.....................te..$.....f.o.f.oN.f.oV f.o^0f...f..O.f..W f.._0f.of@f.onPf.ov`f.o~pf..g@f..oPf..w`f...p............Ju...tO.......t.......f.o.f....v....Ju....t*.....t......v....Iu......t.....FGIu.......X^_...$.............. . .Q.......t.....FGIu....t......v....Hu.Y.................U..W.=..A.........}.ww..U........f.n...p..........#...... .3...o.f...f.t.f.t.f...#.u.f...#.........E.........Sf...#...3. .#.I#.[........D._....U...t93.......t....;..D...t G......u.f.n....f.:cG.@.L...B.u._.......#.f...f.t......#........f...#.u.f...f.t@....f.....t.........}.3...............E.......8.t.3......_..U...U.V.u.W.z...u......j.^.0.0...........}..v..M......~.....3.@9E.w..w...j"....0S.^.....~.....t....G..j0Z..@I.....U......x..?5|.....0H.89t....>1u..B...S.....@PSV........3.[_^].U..QQ.E.SVW..x.......P...........................}....E...t.......t....<...%......!..u...u..E.!P.!.f.x..X...<..3.....M.................E..]..s.....x&........................y..}..}..E..s...f.{._^[..].U....0...A.3..E..E.S.].V.E..E.WP.E.P.....YY.E.Pj.j.....u.....f..Z....u..C...E.....E..C..E.P.u.V.......$..u..M..._.s.3.^[.......].3.PP...q.......f..ye.].....3.......E..}.B.}..U.t.G.M.......M..m..E..

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=81824-127857

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 46034

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 81824-127857/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

.............................................................................................................................................................. ................................................................................................................................................................................................................................................................... . . . . . . . . .(.(.(.(.(. . . . . . . . . . . . . . . . . . .H............................................................................................................................................................................................. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....................................................................................................................................................................................................................................................................................................................................................................... !"#$%&'()* ,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~................................................................................................................................................................................................................................................................................................. !"#$%&'()* ,-./0123456789:;<=>?@ABCDEFGHIJK

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=127858-222054

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 94197

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 127858-222054/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

....=......2?.....$,z..Tq.......N..|.3..,k........l.....8p...|..........9.d.u<uX.....{........;._....b..6p.'V......N{..xJG..h......I..[ .........*.W...s.'.n1DE..NKs.S.d.>..3.".......0.....W0|....K..g. g...U...7...@...]4.&.~....AH...4...T.e..8p.!.#...7M.....sEj.....'.Y.F. .y_*..>m.0.`..@.;.s......d...F...m.y.....K...)"_.~>....w......{%..b..l..s...Y...k.k6....2..v~......b...k.;...tth...;!...iOua~..pR/......[O7....}.[.*.....}Y.....7..j..:.-vi.....F.<lA.aI...E .F1g..2..n.........]...C....\.W...........F...z.<e....Va{}..|.b..]9k...S,..S...w..).........R.P.......{.)..WR.&f.FLB8.. ]3$...EfvF7f..c..!..}.S.i.....;....BcZ..Y.T.....)..o......." ...9..v....'....$B.."*5.y@..~Nn....L ..w...,...,N^....pP..|...z...M_..A.OW.PU......"...i...$.....n.9.!........BT..... ...^U.hbJ..}...)...eJ?e.....d...SQ.....Dz.>.....#...,P....D..c....g.0.L.5$....A..#.....Xw.5...=..*E.... i.......n.Az`.Y...r.N/..z.S. .U...P.`C.c.S^..K.Oz..[r..T.;6.....:B2.u[....}...(1.....$.......P..u..-.y........v....A.$(nao.......H.h=.lR^.....Gm.. qD...'..O....N.X......3..j.?.4n..O..=H...P?w.7K.....Y..`...U.9.\...a..Z%............@...;.r...7.%..q>%.Z.....(Y..@...&W35 0.a...|..7'q...#.P.z..u%..j...(..q.. .f.z....m /V4?...c.....Uh.....Z,.eV..2....'.....B2...t(B.PY~br..u...bM'}.O8.pN`.v-#a...o6L......g.../.v.!...e.4G4.}.k....c..........b..,V{...qY.P.$e.5.....W..(. /-...;..5.kEZ.l...P...4......$@D-&..JY.....V|.`25gC:...h....p..]....@.nc.m..Zd(Y3.......W.u....&....G-...ci..Z.:...9.k......u].Y..Q..%.W;V......2... &......$.L..<....:M.|.......k

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=222055-411151

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 189097

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 222055-411151/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

.6,.LE'.G.p....@0.r.xqU..'C/:.911.....PD.."<]!.hpv..G..~8n.&..............E..n~..$)?...nU.;l...HBu..0=Q.\...H$]>0B............j......,...G..V..k}..y../.......2......)..1.W..P..".&y..R.f..G.......p.>T9......?...Z/..tl.sn...^*...J.........z.=>..A?>..4|.G.....6.4R..>...9SW...n.J*.........\]..v..!...J}......A..4... Rm.'...E...~Z4io.".{.^:.%..j.>. .j`^.,.0..Ix.7.E....lKY.A..[.;K...Y.ZD.s.2. _X.nM......O..F.>.#..B..&d}.BL......Y..3U.#..;..>........k......w.....hM...V.%....o...........N....>7.4.....Bxl....Y....&_.`.x.R.).F..T...s..>.S_.'5Y.*...v..|.`>.f.7.6GG....XZ....bD8....Pj....#...6.....<.Z....Y..nWX... }....e..(N.......Q^.......6~.zSa>..`.@8......&... .*..O....jmvC...%.;.{R..W1..6..a.q:...h.u.Y..mq..[......G>s......F..w....J._.1..F|....m..i...d........|v3.n....?T..G...r./. .I,..P....n..S.j-.}..Z.Z.x.O..l.sen.L.../.bb)7........B..2..l..m..M.......;.....Cc.K..l.'$...9C.C#.od..tc..%....p,B[b...:RJ....G..T..1.'......5p..a...-\(...........&....m...|....x.&0V.b..>o...dM.H..5v.tP.....w.2j.]jZL0.,..D......SDR.m.Y.^.\],...;...o..Y.ME._R.d(}...%...d.g..:J.........D../.?....|.}7R. .......Xma..9..<;........6..g...$V.....A......T.,.....!.-_:..G%.ID./..-.|.k..... ........z..D?N...F. @{..o....G....U:..G.... ....rM....jh*rce-..]......J.M-.. ...h..fx.t.].....qq......F...HY.)........p.......8p........4G..t.Q.q...!..]..R.<&=A..[.O..[I..63.2.p...=}a..h'..Y......:/.4.......I.m....J.....DJI...D.m..d.FM....^.......8sSm#2o.c.|0.f.....".W.....SR.v....R0.J:....x.K.`0.o../....$...b:[z..

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=411152-789699

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 378548

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 411152-789699/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

/.....bba.............Q....c.T..I0. ..>j...<... .~...A.$.T6`.W.d....sV...0Y.k...<q..olE....N......F.mXk.q...]Gjl...U.Z<.F..4.R......)`..v...@...:..E..G..^: ......<.4............t. =c.h.?.MT.o...<...r..) 7J.p...D. ..)gn;[...-..}...w........u.d@..;.s.....'...n.}lm@../L..MZ |..\..&d......=.z...#7......#...L...c..*............/..=~.'..=.'B\3R.?ol..|kH.Bm.Ck.]......N...S...3.......:.U.y@....=.........B..(.. E.U..JO=P..y....m......Q...t8q.,.*D.w2.......F...G.....I..Z...7 .c?...~....=.....j*..I.H.j..I.*..5e..jS.f.I.M..5..........Z._.......Wjs.q....|I..4.P......F.....Ej.8=....O...FM.. .To.u....".]..[.|........_.P...y....9.'....r....J .Z...PF...C..^..[.....}J.>.k'.>.~kjT.....0....... ...TX..?D..e....HXPG.T{Y..L]..^..f.8.>J[,..x.G....l.|.c.IpJ.. .~... ..c..}.W...vW..4..:M..&7w.H4.o.".J...yY..>,.....7...nh.$..U......<...:..5_.......`o...}{...H...'c.X.1_ei4...a.[.._..9e............q..p$..i.b.....A.kzt...r. ....o.h.[yaK.(.v.6...F...M.<?..;)i...8JPh..-.....V.}F.?L.y<.@.....@E..[......]-.......{....2S!X...'.|R....QM3 ........<-../..Y.S}.....]h....g<.._j(.P...Zk.......8c..QDrP2'...D.-...j..m@..."..,..'.z.4j.V.. .....y..k......y..1........!:5..?|.'.a....f......z.\........./..]r.:u"|&.TWa.v.#..N.\.6I.Y...-.........,..Z..1..@.....Q../.(....*..=.:...N.z...'.D....<@.F....=..s8:<......).^l....I......N).. .......-..t../...:.WFH.f.....U.f=...BgK..nK|..y..... 1...vzQ...n.T.z..J....r.N...s...4 .....$../.O...{nxT..j..v..L...#.:1......4n.."!....#a..r:.EQ....y=..dj........y..w.m.d...E.1...

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT

Range: bytes=789700-931407

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: r8---sn-2apm-f5fd.c.pack.google.com

HTTP/1.1 206 Partial Content

Accept-Ranges: bytes

Content-Length: 141708

Content-Type: application/x-msdos-program

Etag: "53b96"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sat, 09 May 2015 07:40:43 GMT

Alternate-Protocol: 80:quic,p=1

Last-Modified: Mon, 04 May 2015 16:39:00 GMT

Content-Range: bytes 789700-931407/931408

Connection: keep-alive

Alternate-Protocol: 80:quic,p=0

q...H.."........G.To..n.....kT.p.>....G\.D............W..;6%N..y.[6..{.z....._.`S..".Cy.8....a.....y..L.....`..u../......)....f0......s'MNiX...CF"3,.;..~..=..;3..........d.......*4ou.....M....2Q.!..>z.....a..`..l1.V..J^!0W..s...n....c. ....U.............Y..V...i.>..hi=.(&.F..`......=....t.NX.}JX........_G.i....U....oS....w._.n.......rE Io./.....xJj.........Y.....8.....[. ..,.%....a.'j/j.jg.....%..l..............6...P.RQA..bXM.OzqR:...Mm.m..L.@...........0.=.e...^x.;W......J..nEm......*z.....H..............(.. ..?.P.v..6.a"P..mG./`w*.S...F;j.t.%R.z#.b....Kv.($...'....g.3.H.....yK.m.....I..&..EQ.......<4..%n..J.P%7.....1.4....TK...)W.=1....m.Xa.>@:z....x*..OdeBA.Y....\.........G2j.7...9..U.U0..vr..as..N/.[?x..@...f.....O..O...Px#..g]D.;....qI..{&BpNZ;w...S..Nh. .\U^w:.[.y..#....q....n.Z8#..d......UhSp..<-.^...P..#...APuc.y..YL...\:....q...C..X.T....9.fn..II......2.C....&T.x...*.r...<..).........6.>.l"s....$......(..__.)...........&x"....^..9.gv....0..H...\..}........c....>.4:.S. ?...i...X.z.!\..sR.j,..._..... ...8YZ`.!.^.......|......S...t.. ..T.w............d.....7{..Dl...S.....y.x!..q......@..D`...J...V......<....X...:..).......3.K......u[B..).M..uD(.z...{t...5F@x..2.'.p....N..#Z..OH....8..8.....$..E...E.W..yx@4.@..J..:.|`..wx...F)...t..P....%......;8..e..M..^uG.5Tme........A..<$:P..u........Z.zX...1=.|^-....."..2.....-D...?....y.....-`<..^...../!!..(a.B0.c.i...=.(...;.Q..=/..{Cj.iQ...!..a.2..O>zZ........Z{.w&.<D.F.)...x.. 8..F..h......F.|-#.Y....Ody,..3.=..b^...*.r.j

<<< skipped >>>

HEAD /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: cache.pack.google.com

HTTP/1.1 302 Found

Date: Mon, 18 May 2015 22:22:38 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Location: hXXp://r8---sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1

Content-Type: text/html; charset=UTF-8

Server: ClientMapServer

Content-Length: 623

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic,p=1

HTTP/1.1 302 Found..Date: Mon, 18 May 2015 22:22:38 GMT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, must-revalidate..Location: hXXp://r8---sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1..Content-Type: text/html; charset=UTF-8..Server: ClientMapServer..Content-Length: 623..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Alternate-Protocol: 80:quic,p=1..

POST /consent/json/188?nexcb=167f6d1d-be93-4e51-a9cc-3010c16127bb HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Host: inst.vertitechnologygroup.com

Content-Length: 1536

Connection: Keep-Alive

Cache-Control: no-cache

a=8729E68030ABF3FE817009D0E6609A30233C2F11B12E5E814E8BB3DCE495A738462773D58BE650C1843214342590585D23E8A86D57D1EE41A8530B8811EBE282B5469EFE7D23D18371DFC6595D00E8892577D5B9A56444FC14048B3282D562901D4EC42FCE7FA0166986EC514ADB64DF074EE5A870F7F132A78F63F03BF78E6251FCFD8953575FB9362C0BB688A5857494E6AFB60588347CFF26D88B7EF2137EB230D2D2F6C639589E2FF2DA24B3942AF9DC0D67AA88404A46600DAFE80069E99B67D71FF4889A4C11602A753E689EEDEB3EBCD81B08A3E9D357B0FC4BEEE7B9712D187F0BAC6F933D45E38EDC0B5559E28589E9EB63148B5C20D3AC74979B374E9FA0C11DF9347E1A2A746CBF5312149F9DFFCA72F97A5FD7E8100D10B2C57FF3610E5CA724EF806CA3901A26C104A3FA7F066A08CE84027FA7C65E6194C44D2990A2C41598AFB31CCBDF5FCEAFCB8F0E526800EE260C246E08D1FACFADCEA00AF016FA528C269CE3C1EED3587A7D6453A70622D4C01678487AFDC8484401169A1A&b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMoQ53SPkjfHSKzMRhY6UgU00GjEjn4W1O9KG

HTTP/1.1 404 Not Found

Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Cache-Control: max-age=300, must-revalidate

Content-Language: en

Content-Type: text/html

Date: Mon, 18 May 2015 22:21:56 GMT

Expires: 0

Last-Modified: Mon, 18 May 2015 22:21:56 GMT

Pragma: no-cache

Server: Apache/2.2.15

Vary: User-Agent,Accept-Encoding

VTG-Country: UA

X-Powered-By: PHP/5.3.3

Content-Length: 0

Connection: keep-alive

....

POST /evt/?nexcb=842ff0c4-2308-4356-945b-9611b5868b15 HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Host: inst.vertitechnologygroup.com

Content-Length: 1582

Connection: Keep-Alive

Cache-Control: no-cache

a=8723A8C161F7ABBD90471EDBFA769F002465230EB93849D90ECDE1DEE490A7246D0E7FC3C5DD79E69F675F626AD4050749ACB96E49C7E547CA732AED13E1E4F6940DBDC74D69D2B57DC9C6595D3AECD11E41E48687165BD05933BC04CBC47FDB4B11E435FF6DAA1369CAB10F40B33F8C2553F9A173F0A769F8B66BF27AAAC94211BCBBD715004ADB74130CB090F3DE2BCBA2F1A31FDA1270E13494DA2BE0177ED378948BB0D13B598D29EF902FB2DB2EF9C4691AEADF021E4A775CE9FF020F92D82BC713A59CC27E454413773E76DEFAE90EBCD81B0DADCDFB00E7E93DB7C2BB266B5D5A02FF34C00B45E2DCD9057171B5D29C9FE1354D9E385DE0A8709BDD605BFAABE524FB34605A3D765CBF53121191B9D79D25EC0C06F2EA474B5597CC2CA832385FE37DD8A650D7E36561E41FB5B46804091AECB34E2EF2D36C2E98D64B70FBD78A45DCFAA3199EEA31BF8BDB8C5C501D44B46655756700D9AFCAAEC9F35FA417F801DF71C7E2C2EDD40D7C293401F35424DEC217704F27AC9C4D440117994DC6FE3B2FD05BAD6902BBF28F01CC14E800FB83D904132A&b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMo

HTTP/1.1 404 Not Found

Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Cache-Control: max-age=300, must-revalidate

Content-Language: en

Content-Type: text/html

Date: Mon, 18 May 2015 22:21:56 GMT

Expires: 0

Last-Modified: Mon, 18 May 2015 22:21:56 GMT

Pragma: no-cache

Server: Apache/2.2.15

Vary: User-Agent,Accept-Encoding

VTG-Country: UA

X-Powered-By: PHP/5.3.3

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com..Cache-Control: no-store, no-cache, must-revalidate..Cache-Control: post-check=0, pre-check=0..Cache-Control: max-age=300, must-revalidate..Content-Language: en..Content-Type: text/html..Date: Mon, 18 May 2015 22:21:56 GMT..Expires: 0..Last-Modified: Mon, 18 May 2015 22:21:56 GMT..Pragma: no-cache..Server: Apache/2.2.15..Vary: User-Agent,Accept-Encoding..VTG-Country: UA..X-Powered-By: PHP/5.3.3..Content-Length: 0..Connection: keep-alive..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1552

content-transfer-encoding: binary

Cache-Control: max-age=328291, public, no-transform, must-revalidate

Last-Modified: Fri, 15 May 2015 17:35:11 GMT

Expires: Fri, 22 May 2015 17:35:11 GMT

Date: Mon, 18 May 2015 22:26:44 GMT

Connection: keep-alive

0..........0..... .....0......0...0........C...4N...@..6...v...20150515173511Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150515173511Z....20150522173511Z0...*.H..............L...NI}..* >........K.J..RH..\..f...jN..,.%.....ye'..#...Q?..EUs..`q..]G9....(...~.m..5.....2G."{.d_L...a....,.-8%6z..u..E.....z^.%b.=.....yV.x7...|e.>.<.HJ-.D._yHM.j!..w..2...-..o...*U.plj[...hd......>V. ....K.'|.,.6....C.W..4.G.3.:?..w..~.|...b..-..f.0....50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=604301, public, no-transform, must-revalidate

Last-Modified: Mon, 18 May 2015 22:15:43 GMT

Expires: Mon, 25 May 2015 22:15:43 GMT

Date: Mon, 18 May 2015 22:26:44 GMT

Connection: keep-alive

0..........0..... .....0......0...0......%bn.$..5.......?'4....20150518221543Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150518221543Z....20150525221543Z0...*.H.............i.`._..84...".FlP.T.LzX../f.....&..f...X.>.Ig.N4*....d......=....|q. p....J...m[.V.Kz....2.c.Zj\.s...^}...............'H.7i.u.nD..J.....Jw.yI....vGi......_........o*z..Z....cH[...w.8.....K.}.1..=|.(.l.e.CC77..l.kR.....?.x...>...o3d.....JQ.tS3v....<...3f.\.....0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://w..

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT

Accept-Ranges: bytes

ETag: "dde36a309c58d01:0"

Server: Microsoft-IIS/8.0

VTag: 43879645100000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 561

Cache-Control: max-age=900

Date: Mon, 18 May 2015 22:25:56 GMT

Connection: keep-alive

0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......40... .....7......150604224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL.."k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3...v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<~..v.w....

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT

Accept-Ranges: bytes

ETag: "cf2633d6957d01:0"

Server: Microsoft-IIS/8.0

VTag: 43853244400000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 550

Cache-Control: max-age=900

Date: Mon, 18 May 2015 22:25:56 GMT

Connection: keep-alive

0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......20... .....7......150602222607Z0...*.H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..).........._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P.#..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=351582, public, no-transform, must-revalidate

Last-Modified: Sat, 16 May 2015 00:04:54 GMT

Expires: Sat, 23 May 2015 00:04:54 GMT

Date: Mon, 18 May 2015 22:26:32 GMT

Connection: keep-alive

0..........0..... .....0......0...0......N$p...v....1.;..vn....20150516000454Z0s0q0I0... ...................F....0.yV......{&.K......&.......c.. ..T.............20150516000454Z....20150523000454Z0...*.H...............t...H$.HE.NJ......o...7....K...U.....t..p.......q......g...>...w.z..#.....aa$ .Xt..B".>c...~..mP...I] ..53e]......Z.N)=.....K....(.....W.N..........j..... ..l...L\..*..A..y.E....C..d........M..$....f.;{.....Q.B. ..O....Z@..XxJQ0k>.....)..e..>.. ..{..........0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT

If-None-Match: "804047d4e66d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT

ETag: "804047d4e66d01:0"

Cache-Control: max-age=86400

Date: Mon, 18 May 2015 22:21:55 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT..ETag: "804047d4e66d01:0"..Cache-Control: max-age=86400..Date: Mon, 18 May 2015 22:21:55 GMT..Connection: keep-alive..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=586327, public, no-transform, must-revalidate

Last-Modified: Mon, 18 May 2015 17:15:12 GMT

Expires: Mon, 25 May 2015 17:15:12 GMT

Date: Mon, 18 May 2015 22:26:44 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150518171512Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5..........^.3@..cL.1.......20150518171512Z....20150525171512Z0...*.H............."...S...P......,;...X..d]..1Do......c...i.{g..'...K...1...5.E.6.I.F.. .......2...-Dy2"..PPF.n....A"6:A4>..G.,.ei...'.......2Jt^.....1CP...F..@......:6.q...U '...hJ..W_\.J.Z..= ..i......l_S...a......p..e..]....B......v .M.x.S..1S..P%...........w.....w..sp;....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H...

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=600018, public, no-transform, must-revalidate

Last-Modified: Mon, 18 May 2015 21:05:30 GMT

Expires: Mon, 25 May 2015 21:05:30 GMT

Date: Mon, 18 May 2015 22:26:30 GMT

Connection: keep-alive

0..........0..... .....0......0...0......N$p...v....1.;..vn....20150518210530Z0s0q0I0... ...................F....0.yV......{&.K......&..........'pB.....@j.......20150518210530Z....20150525210530Z0...*.H................^.M...a..b....0....}......Q.^..E.#s5'mX...Mj.X$1,....k...v\.....9....k.L":d.l..%.0......-..JGH.c&TCn.MD..K..w.9..a....=.3;E...a...../.l.R.....b.1..^x.-...5..1...w%By.s...N4...u2>.ai Z..X...%..........S.7.._...$[.^.....'LTY.M....R..cO.A...m.;k.....;.........0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.Rf.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=595511, public, no-transform, must-revalidate

Last-Modified: Mon, 18 May 2015 19:50:23 GMT

Expires: Mon, 25 May 2015 19:50:23 GMT

Date: Mon, 18 May 2015 22:26:35 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150518195023Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150518195023Z....20150525195023Z0...*.H..............MI......._.3}...$.f?....]..._j..a.....H...E.H..A....}..o.w.C6...0.)j.._..N...7.....0s..j.V.{B.6....O..4...n..p..;}a?.lh.....t.w.Uph.....i`....U\.sQ.P..5..S.DNt\./W.....T..]r.O.".Lp....4....qO.J..G._..> ...R..... ...[y..02..|.......R..>....bl....".Ov.S@......#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT

If-None-Match: "a1132b8ef65d01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 304 Not Modified

Content-Type: application/pkix-crl

Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT

ETag: "a1132b8ef65d01:0"

Cache-Control: max-age=900

Date: Mon, 18 May 2015 22:26:27 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/pkix-crl..Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT..ETag: "a1132b8ef65d01:0"..Cache-Control: max-age=900..Date: Mon, 18 May 2015 22:26:27 GMT..Connection: keep-alive..

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT

Accept-Ranges: bytes

ETag: "2711f7277076d01:0"

Server: Microsoft-IIS/8.5

VTag: 279782516600000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 554

Cache-Control: max-age=900

Date: Mon, 18 May 2015 22:26:35 GMT

Connection: keep-alive

0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......Z0... .....7......150712164223Z0...*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w... ..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...

POST /evt/?nexcb=84211eed-2475-4dd6-99b9-c6179b9932ec HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Host: inst.vertitechnologygroup.com

Content-Length: 1576

Connection: Keep-Alive

Cache-Control: no-cache

a=8723A8C061F7AEBD90471EDBFA769F0024652319E86E1CC401D2F9DAFAA3B433400B73DED88927A6927840636AD0124A10E3BF6C54FDE257A848089967C3C8B6911DB7D26767D48568C8CC5C1316DBB40748F3848E774CCD3250932883D779C25C21E523D268A60E749E93081E8C399C385AFEEB27B4D532A6856DEB6DE08C0103ABB9D0604015ED630F19BC8CEED62880F1ADD54898377CF027D88B7E95442DE83CC5D0A4C639588079AAD121A39770ADD66D1AECC0171D00775CBAEC0412C685728312B587FC570F732C657A36D8FAE95DCFA75C3A92DFBF40B29A66F5E0A735730D095E8923C2683393BFC3631008D489DFB0AD7416FF6F1BCDAE63D78D672884BED21BE970205C3D760FCC2C5526AEAB93DD709F5744D0F6545305C4905ABF305B29921EC2C031AE823E22CB53F4EF09534F37EAA0013BFE917F28C1E5693ACCE898019CAFD57DE9F842CAFACDFA4A0B2E0BB82C04286B0ED0ABCBFB9AFC0CA71AFF06DB71C7E1C4BFD30E7C2D6402F10273DDC24A744B78FE931B105912C91A92F86F2B820CF16F52BAF78E5C9B13EB5BA9D4D6&b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMoQ53SPk

HTTP/1.1 404 Not Found

Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Cache-Control: max-age=300, must-revalidate

Content-Language: en

Content-Type: text/html

Date: Mon, 18 May 2015 22:21:50 GMT

Expires: 0

Last-Modified: Mon, 18 May 2015 22:21:50 GMT

Pragma: no-cache

Server: Apache/2.2.15

Vary: User-Agent,Accept-Encoding

VTG-Country: UA

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive

0..HTTP/1.1 404 Not Found..Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com..Cache-Control: no-store, no-cache, must-revalidate..Cache-Control: post-check=0, pre-check=0..Cache-Control: max-age=300, must-revalidate..Content-Language: en..Content-Type: text/html..Date: Mon, 18 May 2015 22:21:50 GMT..Expires: 0..Last-Modified: Mon, 18 May 2015 22:21:50 GMT..Pragma: no-cache..Server: Apache/2.2.15..Vary: User-Agent,Accept-Encoding..VTG-Country: UA..X-Powered-By: PHP/5.3.3..transfer-encoding: chunked..Connection: keep-alive..0......

POST /evt/?nexcb=014c656e-070c-42e4-a618-0b7cd62f7000 HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Host: inst.vertitechnologygroup.com

Content-Length: 1590

Connection: Keep-Alive

Cache-Control: no-cache

a=8723A8C061F7ACBD90471EDBFA769F002465230EB93849815886B3D6E68FB6375E147FC3E9C273FAD13F1E3C79D41A1952BBEB2C1584E85FFC7F20A41ECEC9EDA22E92805C60C08B6AD7DD714C2DF19B2461CEEB821C51C53B39B604C3F64EF00909FA28C474B81245D5BB130E9739816A71E3AD67EBF134AE9527AE2E92D75F50E1FC9315004ABC234E5A8591EFD121D6B0F4E9438B2D30A172AEDC3CB34C2DE63CC5D0C58268038D29EF8968F5826AFF943246B9CC001F54645EBBF3150DC7C934954CE597C8730C3436646252F6A8BA1FFCCF1938C588AA24CFBB6EF5F1F7662F7E521CAE73913445E2DCD9631008C3A3FF92AD7416FF631ECFE834C2FA6008A0AAD64CBF3744726F254DFF441024F9FC86B90DBE5F44C1A6070F769FD27DEF63075FE37DD8C031AE951402E953F4EF095F4A35ACF71709F283732499955224C9FF9219F8D2F14ADCDC42CAFAADE82B227C50EC227837324F89FAC1A6C5F50CF21AF9018C7893B6C6BE840B7D7E3206F20523DDC117734E2CFC9A191B0C11CD4ACAAC3F2F815BFE3E53E0A7DC0CC040E85AAD818557417A3E1A9666&b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW

HTTP/1.1 404 Not Found

Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Cache-Control: max-age=300, must-revalidate

Content-Language: en

Content-Type: text/html

Date: Mon, 18 May 2015 22:21:55 GMT

Expires: 0

Last-Modified: Mon, 18 May 2015 22:21:55 GMT

Pragma: no-cache

Server: Apache/2.2.15

Vary: User-Agent,Accept-Encoding

VTG-Country: UA

X-Powered-By: PHP/5.3.3

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com..Cache-Control: no-store, no-cache, must-revalidate..Cache-Control: post-check=0, pre-check=0..Cache-Control: max-age=300, must-revalidate..Content-Language: en..Content-Type: text/html..Date: Mon, 18 May 2015 22:21:55 GMT..Expires: 0..Last-Modified: Mon, 18 May 2015 22:21:55 GMT..Pragma: no-cache..Server: Apache/2.2.15..Vary: User-Agent,Accept-Encoding..VTG-Country: UA..X-Powered-By: PHP/5.3.3..Content-Length: 0..Connection: keep-alive..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1453

content-transfer-encoding: binary

Cache-Control: max-age=329712, public, no-transform, must-revalidate

Last-Modified: Fri, 15 May 2015 18:00:38 GMT

Expires: Fri, 22 May 2015 18:00:38 GMT

Date: Mon, 18 May 2015 22:26:30 GMT

Connection: keep-alive

0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150515180038Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150515180038Z....20150522180038Z0...*.H.....................K..(...v..g..$...JG^]....e.TT{..o.A.;.vA....\!.0>...(...\.?M...r\..:...#2.M'..b.f...A/...<..W9...M.o{..=.C-~E(..........}...9.........NH...].......r..............T.p.=.}..._......S......^vih.Fc...'...E. .u. ..|.D.[./....../uJ&...\....EzB.}..S..Z.M`....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,t>....

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1790

content-transfer-encoding: binary

Cache-Control: max-age=404818, public, no-transform, must-revalidate

Last-Modified: Sat, 16 May 2015 14:50:04 GMT

Expires: Sat, 23 May 2015 14:50:04 GMT

Date: Mon, 18 May 2015 22:26:30 GMT

Connection: keep-alive

0..........0..... .....0......0...0......'.V.8.F.V....H....JW..20150516145004Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150516145004Z....20150523145004Z0...*.H.................T.....j....../.....i....A.......\.<2.Lg.....kBq......\..."}.HO6..%M..k....g.#..U......I..T"...~..%s.&).i...._.!.K.0W....n....V..&.....m.G.......l|....p...l7.`..0............n......-4X..K..^.uN....U.X.:3...e..H-..K..Y9.Q.)p]......H='jn............n.).l....#0...0...0..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.............m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C.Q.i~rl..<..krS..8.B..o].y..L.4...iB@..s.....mw.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H...

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT

If-None-Match: "80b4d90ca4fd01:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT

ETag: "80b4d90ca4fd01:0"

Cache-Control: max-age=604800

Date: Mon, 18 May 2015 22:22:26 GMT

Connection: keep-alive

HTTP/1.1 304 Not Modified..Content-Type: application/octet-stream..Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT..ETag: "80b4d90ca4fd01:0"..Cache-Control: max-age=604800..Date: Mon, 18 May 2015 22:22:26 GMT..Connection: keep-alive..

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=405089, public, no-transform, must-revalidate

Last-Modified: Sat, 16 May 2015 14:50:06 GMT

Expires: Sat, 23 May 2015 14:50:06 GMT

Date: Mon, 18 May 2015 22:21:55 GMT

Connection: keep-alive

0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150516145006Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150516145006Z....20150523145006Z0...*.H......................v q....?.J.........o.....Q_.?6....t:....2..g.....7.=./...a...cr*N*.mE...R(6N...W......`FS.M..Z.Du.....Zr........(>......W.N...Aa..;..Xe=.`h....!D..............:dx......[...........D#".....2..&...`.]n.!.`.]......=Q.........w....L.Fl.?....(5=...j.Y.....0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve..#...5.N.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=492498, public, no-transform, must-revalidate

Last-Modified: Sun, 17 May 2015 15:10:13 GMT

Expires: Sun, 24 May 2015 15:10:13 GMT

Date: Mon, 18 May 2015 22:21:55 GMT

Connection: keep-alive

0..........0..... .....0......0...0......N$p...v....1.;..vn....20150517151013Z0s0q0I0... ...................F....0.yV......{&.K......&......./SSn........K..o....20150517151013Z....20150524151013Z0...*.H..............Il.C9ZS...4dUC....K.H.%..;r.O.."...s.Au...i.."Pr.f.h..1.b.....hj.wkl...Il.)...3}...hQ}.*....va........8....2..&.....'...d..oN.....i.M..c...o..7..Z.......I.jIg.Y..E4M...4.H......zC~..iA1.....s.$.=.."..bMg....../......4..nQs...4z.~./9.N..W...u.". C......-.;....0...0...0............F...I]A(M..s@.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H..............-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.Rf....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1372:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

unpacking data: %d%%

unpacking data: %d%%

... %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe" /hostpath="c:\%original file name%.exe"

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe" /hostpath="c:\%original file name%.exe"

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe

T.lnaG

T.lnaG

.Vp]A

.Vp]A

_/0.ok;^

_/0.ok;^

nssCAFE.tmp

nssCAFE.tmp

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp

c:\%original file name%.exe

c:\%original file name%.exe

%original file name%.exe

%original file name%.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nssCAFC.tmp

ers\"%CurrentUserName%"\AppData\Local\Temp\nssCAFC.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

"$.11112#

"$.11112#

pfTPPPPPE*&

pfTPPPPPE*&

Nullsoft Install System v2.46

Nullsoft Install System v2.46

1.0.11.5

1.0.11.5

setup.exe_1512:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

%u>8V

%u>8V

PSSSSSSh

PSSSSSSh

?#%X.y

?#%X.y

GetProcessWindowStation

GetProcessWindowStation

operator

operator

1.0.11.5

1.0.11.5

ux

ux

1.3.6.1.4.1.311.2.1.12

1.3.6.1.4.1.311.2.1.12

KERNEL32.dll

KERNEL32.dll

EnumWindows

EnumWindows

keybd_event

keybd_event

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

CryptGetKeyParam

CryptGetKeyParam

CryptDestroyKey

CryptDestroyKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

RegCloseKey

RegCloseKey

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

SHLWAPI.dll

SHLWAPI.dll

URLDownloadToFileW

URLDownloadToFileW

urlmon.dll

urlmon.dll

CryptImportPublicKeyInfo

CryptImportPublicKeyInfo

CryptMsgClose

CryptMsgClose

CertGetNameStringW

CertGetNameStringW

CertFreeCertificateContext

CertFreeCertificateContext

CertFindCertificateInStore

CertFindCertificateInStore

CertCloseStore

CertCloseStore

CryptMsgGetParam

CryptMsgGetParam

PFXImportCertStore

PFXImportCertStore

CRYPT32.dll

CRYPT32.dll

WINTRUST.dll

WINTRUST.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

DeleteUrlCacheEntryW

DeleteUrlCacheEntryW

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

FindCloseUrlCache

FindCloseUrlCache

InternetCrackUrlW

InternetCrackUrlW

HttpSendRequestW

HttpSendRequestW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpOpenRequestW

HttpOpenRequestW

HttpAddRequestHeadersA

HttpAddRequestHeadersA

HttpSendRequestA

HttpSendRequestA

WININET.dll

WININET.dll

RPCRT4.dll

RPCRT4.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

zcÁ

zcÁ

.?AV?$CAtlExeModuleT@VInstallerModule@@@ATL@@

.?AV?$CAtlExeModuleT@VInstallerModule@@@ATL@@

.?AV?$IDispEventImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@

.?AV?$IDispEventImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@

.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

"$.11112#

"$.11112#

pfTPPPPPE*&

pfTPPPPPE*&

8-8E8q8}8

8-8E8q8}8

="=9=]=|=

="=9=]=|=

8"9(9,90949

8"9(9,90949

>*?/?9?|?

>*?/?9?|?

> ?$?(?,?

> ?$?(?,?

; ;$;(;,;0;

; ;$;(;,;0;

: :<:>

: :<:>

mscoree.dll

mscoree.dll

- CRT not initialized

- CRT not initialized

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- floating point support not loaded

- floating point support not loaded

USER32.DLL

USER32.DLL

4f8e4a92-ce56-489d-a291-f4c00708a10c

4f8e4a92-ce56-489d-a291-f4c00708a10c

https

https

kernel32.dll

kernel32.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe