not-a-virus:AdWare.NSIS.Rocketfuel.a (Kaspersky), Gen:Variant.Adware.Graftor.174400 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b56e5dbd20d532e6ffd1cabbbc17ee0f
SHA1: 5f44a71c979843add1e9ac0dcbb3baf101a593e0
SHA256: 8e2393f6bd55fa706a097f99cb603e4cc518307a3316ad703ce0948dd0dd3782
SSDeep: 6144:NSlBaLRnuP3flEpFHP6b617gcbBy2NxxIH4TYeNB6wG0QPaqHoJLZIuKBL86RbGz:XBuPPlEp1i2dD42lIYPYyiKWuSYM
Size: 400992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:52:06
Analyzed on: Windows7Ada SP1 64-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
GoogleUpdate.exe:2596
GoogleUpdate.exe:1732
GoogleUpdate.exe:2636
GoogleUpdate.exe:1612
GoogleUpdate.exe:1604
GoogleUpdate.exe:1748
GoogleUpdate.exe:1916
GoogleUpdateSetup.exe:2660
%original file name%.exe:1372
GoogleUpdateComRegisterShell64.exe:976
GoogleUpdateComRegisterShell64.exe:1664
GoogleUpdateComRegisterShell64.exe:1020
The Trojan injects its code into the following process(es):
setup.exe:1512
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process GoogleUpdate.exe:2596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_it.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe (1738 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll (32380 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (40 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateHelper.msi (90 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_no.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_is.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll (71 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll (12490 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_te.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_th.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe (21970 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe (4210 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_et.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_da.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdate.dll (49 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_id.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_am.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_de.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_el.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9 (28 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll (79 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll (87 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll (71 bytes)
The process GoogleUpdate.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe (8278 bytes)
%Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe (7345 bytes)
The process GoogleUpdateSetup.exe:2660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\GUMEE34.tmp\goopdateres_gu.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_vi.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_nl.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateBroker.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fa.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-CN.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ja.dll (35 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_cs.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_is.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_kn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateComRegisterShell64.exe (127 bytes)
%Program Files% (x86)\GUTEE35.tmp (6 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ar.dll (37 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ta.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lt.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdate.exe (291 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ro.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ru.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_am.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateWebPlugin.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en-GB.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-TW.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateOnDemand.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_th.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_tr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es-419.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateSetup.exe (7345 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fil.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_da.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_uk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp (28 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_no.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_el.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sw.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_id.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-BR.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ms.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_et.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_te.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler.exe (244 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_it.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ur.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_de.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_iw.dll (36 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_mr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bg.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-PT.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdate.dll (2632 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateHelper.msi (45 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hu.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ml.dll (42 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ca.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ko.dll (35 bytes)
The process setup.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2858020935-2156992550-3658131804-1003\d16af8aafb8de36166d078029ced25a7_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
The process %original file name%.exe:1372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFD.tmp (28110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe (38152 bytes)
Registry activity
The process GoogleUpdate.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.27.5"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"UninstallCmdLine" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe /uninstall"
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "0"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
"Description" = "Google Update"
[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Path" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe"
[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.27.5"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1431987791"
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\%Program Files% (x86)\Google\Update\1.3.26.9,"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.27.5"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"
[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.27.5"
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1431987791"
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Version" = "1.3.27.5"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
"Path" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
The Trojan deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Google.Update3WebControl.3]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
The Trojan deletes the following value(s) in system registry:
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version"
"Description"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"ui"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"mi"
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Vendor"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastCodeRedCheck"
The process GoogleUpdate.exe:1732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"
[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"
[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"
[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"
[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"
[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
The Trojan deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1431932400"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"DayOfLastRollCall" = "3059"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastCheckSuccess" = "1431987755"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"RollCallDayStartSec" = "1431932400"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1431932400"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked" = "1431987755"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"pv" = "35.0.1916.153"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"pv" = "35.0.1916.153"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "3059"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1431932400"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.26.9"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1431932400"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "3059"
"ActivePingDayStartSec" = "1431932400"
[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
"StateValue" = "17"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "3059"
"DayOfLastRollCall" = "3059"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "3059"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "35.0.1916.153"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
[HKCU\Software\Classes\Local Settings\MuiCache\2C]
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableSince"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerResult"
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"dr"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"
The process GoogleUpdate.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"
[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"
[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"
[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"
[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"
[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"
[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"
[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"
[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"
[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"
[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"
[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"
[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"
[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"
[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"
[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"
[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"
[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"
[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"
[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"
[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"
[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"
[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"
[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"
[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"
[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"
[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"
[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"
[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"
[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
The Trojan deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
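The values written by GoogleUpdate.exe:1604 above are the COM registration of the bundled Google Update (Omaha) 1.3.27.5 components: LocalServer32 and InProcServer32 defaults pointing at GoogleUpdateOnDemand.exe, GoogleUpdateBroker.exe and psmachine.dll; "Elevation" subkeys with "Enabled" = "1" on several CLSIDs, which opt those classes into the UAC COM elevation moniker so a caller can request an elevated instance; and an Internet Explorer Low Rights ElevationPolicy entry with "Policy" = "3" for the OneClickProcessLauncher CLSID, which lets Protected Mode IE start that server at medium integrity without a prompt. Those are the lines worth pulling out of a listing like this one. The Python script below is an added example and not part of the Lavasoft report: it parses the report's own "[key]" / "name" = "value" format, flags those registrations, and converts the Omaha epoch-second values (LastChecked, RollCallDayStartSec and the like) to UTC. SAMPLE is a constructed excerpt copied from the listing above; the meanings assigned to the Policy values are Microsoft's documented Protected Mode semantics.

```python
"""Triage a sandbox-style registry listing for COM and elevation registrations.

Added example for the GoogleUpdate.exe:1604 entries in the report; it is not
part of the Lavasoft output. SAMPLE is a constructed excerpt of that listing.
"""
import re
from datetime import datetime, timezone

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Omaha (Google Update) values that hold Unix epoch seconds; the report prints them as bare strings.
EPOCH_VALUES = {"LastChecked", "LastStartedAU", "LastCheckSuccess",
                "RollCallDayStartSec", "ActivePingDayStartSec"}
# Subkeys whose default value names the binary COM will load or launch for the class.
SERVER_SUBKEYS = {"localserver32", "inprocserver32", "inprochandler32"}
# Meaning of the IE Protected Mode ElevationPolicy "Policy" value (Microsoft's documented semantics).
IE_POLICY = {"0": "launch blocked", "1": "silent launch at low integrity",
             "2": "prompt, then medium integrity", "3": "silent launch at medium integrity"}

# Constructed sample: lines copied from the report listing for GoogleUpdate.exe:1604.
SAMPLE = r'''
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
"Policy" = "3"
[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked" = "1431987755"
'''


def parse_report(text):
    """Turn '[key]' / '"name" = "value"' lines into (key, name, value) triples."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries.append((current, m.group("name"), m.group("value")))
    return entries


def clsid_of(key):
    """Return the first {GUID} in a registry path, upper-cased, or None."""
    m = GUID_RE.search(key)
    return m.group(0).upper() if m else None


def epoch_to_utc(value):
    """Render a Unix-epoch string as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage(entries):
    """Flag the registrations a reviewer should look at first."""
    findings = []
    for key, name, value in entries:
        k = key.lower()
        leaf = k.rsplit("\\", 1)[-1]
        if leaf == "elevation" and name == "Enabled" and value == "1":
            # Class opted into the UAC elevation moniker: callers may request an elevated instance.
            findings.append({"kind": "com-auto-elevation", "clsid": clsid_of(key), "key": key})
        elif "\\low rights\\elevationpolicy\\" in k and name == "Policy":
            # Protected Mode IE may start this CLSID's server outside the low-integrity sandbox.
            findings.append({"kind": "ie-elevation-policy", "clsid": clsid_of(key),
                             "meaning": IE_POLICY.get(value, "unknown policy " + value)})
        elif leaf in SERVER_SUBKEYS and name == "(Default)":
            # The binary that gets loaded or launched when the CLSID is instantiated.
            findings.append({"kind": "com-server-binary", "clsid": clsid_of(key), "path": value})
        elif name in EPOCH_VALUES and value.isdigit():
            findings.append({"kind": "timestamp", "name": name, "utc": epoch_to_utc(value)})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE)):
        print(finding)
```

Run as-is it prints five findings for the sample; feed it the full listing to get the complete set. The same process's delete list also removes many of these CLSID keys and the ElevationPolicy key, so compare the machine's final state before treating any of them as persistence rather than installer re-registration.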
The process GoogleUpdate.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "1"
"LastStartedAU" = "1431987720"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:1916 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process setup.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "35 2A 3F 0E B9 91 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "35 2A 3F 0E B9 91 D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process GoogleUpdateComRegisterShell64.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]
The process GoogleUpdateComRegisterShell64.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]
The process GoogleUpdateComRegisterShell64.exe:1020 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
Dropped PE files
MD5 | File path |
---|---|
8715a0d10cffc8dee923957f07daa042 | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe |
6509a96dae25340772b51ac020cb1094 | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe |
0c03fb91e17987eed93f60007b08daa0 | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe |
f6eee6848e933962e12e7b3f25c73c88 | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe |
bb3045b399d898061b926b447c446e05 | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe |
6732c4a894855042fd3618406b6bbd48 | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe |
c990a8ead57da59fa8156cc02d3b7da5 | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe |
0894890f30b5f6510df953bc50b5504f | c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe |
4cfe6eeb44d35c7b16693a97fbc9f368 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdate.dll |
08171157668eebd2383e90eaf3f66aad | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_am.dll |
b5a2589dd3e5b934c78c9ab1954532dd | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll |
083956adf99f8cd0b36b54c93c291c1e | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll |
9bea43ecb11038854eb939256534a669 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll |
1bd2127c632d783af6d7fc49110b1d1f | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll |
7e6aa753aebbf36337fa46b78065a8ef | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll |
48123d9de5a24e6f846811d1818f42dc | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_da.dll |
fd6598856e573171379298199c143226 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_de.dll |
c39b9a29db403893453dcb4a2878db75 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_el.dll |
2a364ab5881dbc31c4cdc33205c900eb | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll |
3028318db29c2fca86e04287c8a96031 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_en.dll |
8d5a00c850396ebb5a6f14fbc74871d9 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll |
b012247e999e95741a3b243b1cc8fdfa | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_es.dll |
0ace6ee20ea149fd959683659f484f0f | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_et.dll |
0bb0f6e59d10c7b8443aa22c40574652 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll |
531969a054efb1a5169eb3677c2a2410 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll |
6bc91c70751ca456a654ac2e3050175a | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll |
11e2c5cc166267d15f281201e67ba2db | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll |
4dd7ee4a31e6052e519114f87bd568b8 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll |
29575adcaee9c75deb47275b2fa85e71 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll |
dd843413bfeeab35e355d2201cd0eaf9 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll |
7806d33bfb2248fd52dbd423b10f1247 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll |
6d4c1b29f1c1f422b679e71147a1dbac | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_id.dll |
fe92c90570e92759eb023b7994cf9564 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_is.dll |
9ac94b9c2c8887be459072761c48087d | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_it.dll |
6db01ce7229e0362b6e8cfb86cf1dc8b | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll |
b6c29a9f24b655407711bbccd9aa3723 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll |
29c4cde0af7453930c8897a4fad83701 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll |
3a162d9c713982cd20db33b6ed58e517 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll |
160f03c5e0369b60d58e40754a54ba00 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll |
fc3bca51a30f97d5737c3776ba6d0b24 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll |
e2c5957d2d671779d73ad8abc49ba015 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll |
d0413005ee471c2cb310bab1fafb33d3 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll |
5835d491f5746b9abbccbdad2cc88f8f | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll |
f8f1f2f2de104fb727627e2efa4b5e92 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll |
c85cee926d55d376126f62b9d577b583 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_no.dll |
3353610afe5ad1f3cbf6160927628a87 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll |
453f3fa552533ff685d139fc5a27f380 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll |
114d38b5e740311753ddff9ad9410aa7 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll |
192b5b83c0d13613e3d832f79a9236dc | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll |
beab86068645905a26bed2bb524470ae | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll |
de812a532f35b968817b412b34c1563b | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll |
4587fd7664101020cf94201451b8ddb0 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll |
57509f1bcd90517078c31d6e05bcb994 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll |
52d5f3a506c6a1a4c25859b55a53d908 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll |
1bd1a95b13f7eba37dc042f05c224ae6 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll |
e012e9ce832b2ced0e69ee3049306f89 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll |
4aad678fcafff8ba048fbd31c83ea147 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_te.dll |
3cdc681a91d505114dd057961b6907c2 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_th.dll |
5719ba1c9893f442c391c99c365ba15b | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll |
047aa0679b6cdf0a9ae2e04d8bab4d08 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll |
6d6868d750c3d1c9e1febf5c5925ce1b | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll |
5e1759e2c88d986697c93a378cc1e1f0 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll |
a79ef631a2196025016902b1538f1098 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll |
7662e0146b639a3bbdb7422e07e53b08 | c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll |
08aceceb47faf053c468d8afe44709ad | c:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll |
f593a6d82c5334be5626f3b9ce8130f3 | c:\Program Files (x86)\Google\Update\1.3.27.5\psmachine.dll |
113cd27882e9d2f3199bb2390ac48f3d | c:\Program Files (x86)\Google\Update\1.3.27.5\psmachine_64.dll |
997726d70e3a8fc1dc81f2a0dd52810a | c:\Program Files (x86)\Google\Update\1.3.27.5\psuser.dll |
b5780847a26ec6d002f69bc718ffd0d6 | c:\Program Files (x86)\Google\Update\1.3.27.5\psuser_64.dll |
c990a8ead57da59fa8156cc02d3b7da5 | c:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe |
c990a8ead57da59fa8156cc02d3b7da5 | c:\Program Files (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe |
5bc24d29ed088faafc207ba3f21aad73 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:2596
GoogleUpdate.exe:1732
GoogleUpdate.exe:2636
GoogleUpdate.exe:1612
GoogleUpdate.exe:1604
GoogleUpdate.exe:1748
GoogleUpdate.exe:1916
GoogleUpdateSetup.exe:2660
%original file name%.exe:1372
GoogleUpdateComRegisterShell64.exe:976
GoogleUpdateComRegisterShell64.exe:1664
GoogleUpdateComRegisterShell64.exe:1020
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_it.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe (1738 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll (32380 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (40 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateHelper.msi (90 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_no.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_is.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll (71 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll (12490 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_te.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_th.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe (21970 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe (4210 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_et.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_da.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdate.dll (49 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_id.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_am.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_de.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_el.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9 (28 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll (79 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll (87 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll (71 bytes)
%Program Files% (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe (8278 bytes)
%Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe (7345 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_gu.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_vi.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_nl.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateBroker.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fa.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-CN.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ja.dll (35 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_cs.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_is.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_kn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateComRegisterShell64.exe (127 bytes)
%Program Files% (x86)\GUTEE35.tmp (6 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ar.dll (37 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ta.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lt.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdate.exe (291 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ro.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ru.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_am.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateWebPlugin.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en-GB.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-TW.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateOnDemand.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_th.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_tr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es-419.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateSetup.exe (7345 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fil.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_da.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_uk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_no.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_el.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sw.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_id.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-BR.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ms.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_et.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_te.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler.exe (244 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_it.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ur.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_de.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_iw.dll (36 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_mr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bg.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-PT.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateHelper.msi (45 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hu.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ml.dll (42 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ca.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ko.dll (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2858020935-2156992550-3658131804-1003\d16af8aafb8de36166d078029ced25a7_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFD.tmp (28110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe (38152 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.11.5
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.11.5
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.4603 | c3953c262c50b3d94af076321878ec20 |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 253848 | 1024 | 3.25977 | 8304967a23ff32b1b0197005a845ef83 |
.ndata | 290816 | 262144 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 552960 | 26136 | 26624 | 2.67301 | dfcf6ccc6b472eb48939df4b862563ac |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
2445cbe7f7512a037c2ee2d2406e9940
Network Activity
URLs
URL | IP |
---|---|
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=84211eed-2475-4dd6-99b9-c6179b9932ec | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628= | |
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=014c656e-070c-42e4-a618-0b7cd62f7000 | |
hxxp://inst.vertitechnologygroup.com/consent/json/188?nexcb=167f6d1d-be93-4e51-a9cc-3010c16127bb | |
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=842ff0c4-2308-4356-945b-9611b5868b15 | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83 | |
hxxp://tools.l.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe | |
hxxp://r8.sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= | |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
hxxp://r8---sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 | 46.28.246.83 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= | 23.43.139.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83 | 87.245.221.97 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= | 23.43.139.27 |
hxxp://cache.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe | 216.58.209.174 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.221.98 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.221.98 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.221.98 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= | 23.43.139.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc | 87.245.221.97 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.221.98 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | 23.43.139.27 |
tools.google.com | 216.58.209.174 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
HEAD /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 931408
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=0-8794
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 8795
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 0-8794/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=8795-21861
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 13067
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 8795-21861/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=21862-37948
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 16087
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 21862-37948/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download, non-printable; truncated in the original report]
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=37949-59919
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 21971
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 37949-59919/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download, non-printable; truncated in the original report]
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=59920-81823
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 21904
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 59920-81823/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download, non-printable; truncated in the original report]
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=81824-127857
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 46034
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 81824-127857/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download (a C runtime character-class table is visible in this range), non-printable; truncated in the original report]
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=127858-222054
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 94197
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 127858-222054/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download, non-printable; truncated in the original report]
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=222055-411151
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 189097
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 222055-411151/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download, non-printable; truncated in the original report]
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=411152-789699
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 378548
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 411152-789699/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download, non-printable; truncated in the original report]
GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=789700-931407
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 141708
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 789700-931407/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
[206 response body: raw bytes of the ranged download, non-printable; truncated in the original report]
HEAD /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: cache.pack.google.com
HTTP/1.1 302 Found
Date: Mon, 18 May 2015 22:22:38 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r8---sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 623
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1
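The nine 206 responses above are Microsoft BITS (User-Agent `Microsoft BITS/7.5`) fetching `GoogleUpdateSetup.exe` 1.3.27.5 in byte ranges from Google's download CDN, after the HEAD to `cache.pack.google.com` was answered with a 302 to the signed CDN URL; the `expire` and `signature` query parameters are the CDN's own URL signing, not something the sample adds. This is the Google Update bootstrap that the bundle installs next to the adware (the GoogleUpdate.exe processes listed in the process activity), not the adware's own payload channel. BITS protects its splice by sending `If-Unmodified-Since` pinned to the `Last-Modified` it first saw, and the server returns the same `Etag: "53b96"` on every chunk, so a chunk from a changed file would be refused rather than stitched in. An analyst who wants to reassemble and hash the downloaded binary from the capture needs the offline counterpart of that check: do the ranges tile the file, and does every `Content-Length` match its `Content-Range`? The Python below is an added example, not part of the Lavasoft report; its embedded input is the nine status-line/header triples copied from the responses above, and with that input it reports bytes 0 to 8794 as missing, because no response shown here carries them.

```python
import re

# Constructed excerpt: the status line and the Content-Length / Content-Range
# headers of the nine 206 responses in the capture above, copied from the report.
CAPTURE = """\
HTTP/1.1 206 Partial Content
Content-Length: 13067
Content-Range: bytes 8795-21861/931408
HTTP/1.1 206 Partial Content
Content-Length: 16087
Content-Range: bytes 21862-37948/931408
HTTP/1.1 206 Partial Content
Content-Length: 21971
Content-Range: bytes 37949-59919/931408
HTTP/1.1 206 Partial Content
Content-Length: 21904
Content-Range: bytes 59920-81823/931408
HTTP/1.1 206 Partial Content
Content-Length: 46034
Content-Range: bytes 81824-127857/931408
HTTP/1.1 206 Partial Content
Content-Length: 94197
Content-Range: bytes 127858-222054/931408
HTTP/1.1 206 Partial Content
Content-Length: 189097
Content-Range: bytes 222055-411151/931408
HTTP/1.1 206 Partial Content
Content-Length: 378548
Content-Range: bytes 411152-789699/931408
HTTP/1.1 206 Partial Content
Content-Length: 141708
Content-Range: bytes 789700-931407/931408
"""

STATUS_206 = re.compile(r"^HTTP/1\.[01] 206 Partial Content[ \t]*$", re.M)
CONTENT_RANGE = re.compile(
    r"^Content-Range:[ \t]*bytes[ \t]+(\d+)-(\d+)/(\d+)[ \t]*$", re.I | re.M)
CONTENT_LENGTH = re.compile(r"^Content-Length:[ \t]*(\d+)[ \t]*$", re.I | re.M)


def parse_chunks(capture):
    """Return one (start, end, total, content_length) tuple per 206 response."""
    chunks = []
    for block in STATUS_206.split(capture)[1:]:      # headers following each 206 line
        cr = CONTENT_RANGE.search(block)
        cl = CONTENT_LENGTH.search(block)
        if cr is None or cl is None:
            raise ValueError("206 response without Content-Range/Content-Length")
        start, end, total = (int(g) for g in cr.groups())
        chunks.append((start, end, total, int(cl.group(1))))
    return chunks


def check_reassembly(chunks):
    """Check that the chunks tile one file; report gaps, overlaps and bad lengths."""
    totals = {total for _, _, total, _ in chunks}
    if len(totals) != 1:
        raise ValueError(f"chunks belong to different files: {sorted(totals)}")
    total = totals.pop()
    # A body shorter or longer than its advertised range means a truncated capture.
    bad_length = [c for c in chunks if c[3] != c[1] - c[0] + 1]
    gaps, overlaps = [], []
    cursor = 0                                       # next byte offset we expect
    for start, end, _, _ in sorted(chunks):
        if start > cursor:
            gaps.append((cursor, start - 1))
        elif start < cursor:
            overlaps.append((start, min(end, cursor - 1)))
        cursor = max(cursor, end + 1)
    if cursor < total:
        gaps.append((cursor, total - 1))
    missing = sum(hi - lo + 1 for lo, hi in gaps)
    return {
        "total": total,
        "covered": total - missing,
        "gaps": gaps,
        "overlaps": overlaps,
        "bad_length": bad_length,
        "complete": not (gaps or overlaps or bad_length),
    }


if __name__ == "__main__":
    for key, value in check_reassembly(parse_chunks(CAPTURE)).items():
        print(f"{key:11s} {value}")
```

Only a capture that comes back `complete` is worth carving the body bytes out of and hashing against the vendor's published file; with a gap, as here, the hash will never match and the analyst should pull the file from the CDN URL instead of the capture.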
POST /consent/json/188?nexcb=167f6d1d-be93-4e51-a9cc-3010c16127bb HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1536
Connection: Keep-Alive
Cache-Control: no-cache
a=…&b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMoQ53SPkjfHSKzMRhY6UgU00GjEjn4W1O9KG
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:56 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:56 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
Content-Length: 0
Connection: keep-alive
POST /evt/?nexcb=842ff0c4-2308-4356-945b-9611b5868b15 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1582
Connection: Keep-Alive
Cache-Control: no-cache
a=8723A8C161F7ABBD90471EDBFA769F002465230EB93849D90ECDE1DEE490A7246D0E7FC3C5DD79E69F675F626AD4050749ACB96E49C7E547CA732AED13E1E4F6940DBDC74D69D2B57DC9C6595D3AECD11E41E48687165BD05933BC04CBC47FDB4B11E435FF6DAA1369CAB10F40B33F8C2553F9A173F0A769F8B66BF27AAAC94211BCBBD715004ADB74130CB090F3DE2BCBA2F1A31FDA1270E13494DA2BE0177ED378948BB0D13B598D29EF902FB2DB2EF9C4691AEADF021E4A775CE9FF020F92D82BC713A59CC27E454413773E76DEFAE90EBCD81B0DADCDFB00E7E93DB7C2BB266B5D5A02FF34C00B45E2DCD9057171B5D29C9FE1354D9E385DE0A8709BDD605BFAABE524FB34605A3D765CBF53121191B9D79D25EC0C06F2EA474B5597CC2CA832385FE37DD8A650D7E36561E41FB5B46804091AECB34E2EF2D36C2E98D64B70FBD78A45DCFAA3199EEA31BF8BDB8C5C501D44B46655756700D9AFCAAEC9F35FA417F801DF71C7E2C2EDD40D7C293401F35424DEC217704F27AC9C4D440117994DC6FE3B2FD05BAD6902BBF28F01CC14E800FB83D904132A&b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMo
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:56 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:56 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
Content-Length: 0
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=328291, public, no-transform, must-revalidate
Last-Modified: Fri, 15 May 2015 17:35:11 GMT
Expires: Fri, 22 May 2015 17:35:11 GMT
Date: Mon, 18 May 2015 22:26:44 GMT
Connection: keep-alive
0..........0..... .....0......0...0........C...4N...@..6...v...20150515173511Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.8........c..uU..$.;.....20150515173511Z....20150522173511Z0...*.H..............L...NI}..* >........K.J..RH..\..f...jN..,.%.....ye'..#...Q?..EUs..`q..]G9....(...~.m..5.....2G."{.d_L...a....,.-8%6z..u..E.....z^.%b.=.....yV.x7...|e.>.<.HJ-.D._yHM.j!..w..2...-..o...*U.plj[...hd......>V. ....K.'|.,.6....C.W..4.G.3.:?..w..~.|...b..-..f.0....50..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certificate 30.."0...*.H.............0..........6..]......w';.r........I..c..4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I...B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=604301, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 22:15:43 GMT
Expires: Mon, 25 May 2015 22:15:43 GMT
Date: Mon, 18 May 2015 22:26:44 GMT
Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....20150518221543Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#....M....=....x..":...K.....20150518221543Z....20150525221543Z0...*.H.............i.`._..84...".FlP.T.LzX../f.....&..f...X.>.Ig.N4*....d......=....|q. p....J...m[.V.Kz....2.c.Zj\.s...^}...............'H.7i.u.nD..J.....Jw.yI....vGi......_........o*z..Z....cH[...w.8.....K.}.1..=|.(.l.e.CC77..l.kR.....?.x...>...o3d.....JQ.tS3v....<...3f.\.....0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://w..
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
Accept-Ranges: bytes
ETag: "dde36a309c58d01:0"
Server: Microsoft-IIS/8.0
VTag: 43879645100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:25:56 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......40... .....7......150604224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL.."k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3...v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<~..v.w....
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
Accept-Ranges: bytes
ETag: "cf2633d6957d01:0"
Server: Microsoft-IIS/8.0
VTag: 43853244400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:25:56 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......20... .....7......150602222607Z0...*.H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..).........._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P.#..
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=351582, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 00:04:54 GMT
Expires: Sat, 23 May 2015 00:04:54 GMT
Date: Mon, 18 May 2015 22:26:32 GMT
Connection: keep-alive
[binary OCSP response, 1725 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150516000454Z, nextUpdate 20150523000454Z; signed by responder certificate CN=VeriSign Class 3 Code Signing 2010 OCSP Responder (OU=TGV-B-3183), issued by CN=VeriSign Class 3 Code Signing 2010 CA, valid 150225000000Z to 150526235959Z; the certificate status itself is not legible in the dump]
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Mon, 18 May 2015 22:21:55 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=586327, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 17:15:12 GMT
Expires: Mon, 25 May 2015 17:15:12 GMT
Date: Mon, 18 May 2015 22:26:44 GMT
Connection: keep-alive
[binary OCSP response, 1790 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150518171512Z, nextUpdate 20150525171512Z; signed by responder certificate CN=VeriSign Class 3 Code Signing 2009-2 OCSP Responder (OU=TGV-B-3201), issued by CN=VeriSign Class 3 Code Signing 2009-2 CA, valid 150226000000Z to 150527235959Z]
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=600018, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 21:05:30 GMT
Expires: Mon, 25 May 2015 21:05:30 GMT
Date: Mon, 18 May 2015 22:26:30 GMT
Connection: keep-alive
[binary OCSP response, 1725 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150518210530Z, nextUpdate 20150525210530Z; signed by responder certificate CN=VeriSign Class 3 Code Signing 2010 OCSP Responder (OU=TGV-B-3183), issued by CN=VeriSign Class 3 Code Signing 2010 CA, valid 150225000000Z to 150526235959Z]
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=595511, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 19:50:23 GMT
Expires: Mon, 25 May 2015 19:50:23 GMT
Date: Mon, 18 May 2015 22:26:35 GMT
Connection: keep-alive
[binary OCSP response, 1790 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150518195023Z, nextUpdate 20150525195023Z; signed by responder certificate CN=VeriSign Class 3 Code Signing 2009-2 OCSP Responder (OU=TGV-B-3201), issued by CN=VeriSign Class 3 Code Signing 2009-2 CA, valid 150226000000Z to 150527235959Z]
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:26:27 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 279782516600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:26:35 GMT
Connection: keep-alive
[binary CRL body, 554 bytes, rendered as dots in the capture; legible fields: issuer C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA; thisUpdate 150413163223Z, nextUpdate 150713045223Z]
POST /evt/?nexcb=84211eed-2475-4dd6-99b9-c6179b9932ec HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1576
Connection: Keep-Alive
Cache-Control: no-cache
a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b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMoQ53SPk
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:50 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:50 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
POST /evt/?nexcb=014c656e-070c-42e4-a618-0b7cd62f7000 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1590
Connection: Keep-Alive
Cache-Control: no-cache
a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b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopIyQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jGn0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/jegwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4l8SvbFzLp0F5WD13RoPX+8Mav5zKrW
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:55 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:55 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
Content-Length: 0
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=329712, public, no-transform, must-revalidate
Last-Modified: Fri, 15 May 2015 18:00:38 GMT
Expires: Fri, 22 May 2015 18:00:38 GMT
Date: Mon, 18 May 2015 22:26:30 GMT
Connection: keep-alive
[binary OCSP response, 1453 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150515180038Z, nextUpdate 20150522180038Z; signed by responder certificate CN=Symantec Class 3 PCA - G1 OCSP Responder Certificate 3 (O=Symantec Corporation, OU=TGV-B-273), issued by VeriSign CN=Class 3 Public Primary Certification Authority, valid 141202000000Z to 151216235959Z]
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=404818, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 14:50:04 GMT
Expires: Sat, 23 May 2015 14:50:04 GMT
Date: Mon, 18 May 2015 22:26:30 GMT
Connection: keep-alive
[binary OCSP response, 1790 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150516145004Z, nextUpdate 20150523145004Z; signed by responder certificate CN=VeriSign Class 3 Code Signing 2009-2 OCSP Responder (OU=TGV-B-3201), issued by CN=VeriSign Class 3 Code Signing 2009-2 CA, valid 150226000000Z to 150527235959Z]
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Mon, 18 May 2015 22:22:26 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=405089, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 14:50:06 GMT
Expires: Sat, 23 May 2015 14:50:06 GMT
Date: Mon, 18 May 2015 22:21:55 GMT
Connection: keep-alive
[binary OCSP response, 1762 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150516145006Z, nextUpdate 20150523145006Z; signed by responder certificate CN=Symantec Class 3 PCA - G5 OCSP Responder Certificate 3 (O=Symantec Corporation, OU=TGV-B-276), issued by CN=VeriSign Class 3 Public Primary Certification Authority - G5, valid 141202000000Z to 151216235959Z]
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=492498, public, no-transform, must-revalidate
Last-Modified: Sun, 17 May 2015 15:10:13 GMT
Expires: Sun, 24 May 2015 15:10:13 GMT
Date: Mon, 18 May 2015 22:21:55 GMT
Connection: keep-alive
[binary OCSP response, 1725 bytes, rendered as dots in the capture; legible fields: producedAt/thisUpdate 20150517151013Z, nextUpdate 20150524151013Z; signed by responder certificate CN=VeriSign Class 3 Code Signing 2010 OCSP Responder (OU=TGV-B-3183), issued by CN=VeriSign Class 3 Code Signing 2010 CA, valid 150225000000Z to 150526235959Z]
<<< skipped >>>
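The OCSP requests above are GET-form requests (RFC 5019): the URL path is the base64-encoded DER OCSPRequest, and the CertID inside it carries the SHA-1 hash of the issuer's name, the SHA-1 hash of the issuer's key, and the serial number of the certificate CryptoAPI is checking. Decoding them tells you which signing certificates Windows validated during the run, which is more useful than the responder hostname alone. The following Python is an added example and is not part of the Lavasoft report or of the sample; its only inputs are the eight request paths copied from the capture, it performs no network I/O, and the minimal DER walker is written here for the purpose rather than taken from any library.

```python
"""Decode GET-form OCSP request paths into their CertID fields (added example)."""
import base64
from typing import Dict, List, Tuple
from urllib.parse import unquote

# The eight request paths as they appear in the capture above (no network access).
OCSP_PATHS = [
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628=",
]

# Hash algorithm OIDs in their DER-encoded form (1.3.14.3.2.26 = SHA-1, 2.16.840.1.101.3.4.2.1 = SHA-256).
HASH_OIDS = {"2b0e03021a": "sha1", "608648016503040201": "sha256"}


def der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the payload of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_ocsp_get(path: str) -> Dict[str, str]:
    """Return the CertID fields of the first Request in a GET-form OCSP request path."""
    der = base64.b64decode(unquote(path.lstrip("/")), validate=True)
    tag, ocsp_request, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not an OCSPRequest SEQUENCE")
    tbs_request = der_children(ocsp_request)[0][1]
    # TBSRequest may carry [0] version / [1] requestorName first; requestList is the SEQUENCE.
    request_list = [c for c in der_children(tbs_request) if c[0] == 0x30][0][1]
    first_request = der_children(request_list)[0][1]
    cert_id = der_children(first_request)[0][1]
    alg, name_hash, key_hash, serial = der_children(cert_id)
    oid = der_children(alg[1])[0][1].hex()
    return {
        "hash_alg": HASH_OIDS.get(oid, "oid:" + oid),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial": serial[1].hex(),
    }


def group_by_issuer(paths: List[str]) -> Dict[str, List[str]]:
    """Map issuerKeyHash -> serial numbers checked under that issuer."""
    groups: Dict[str, List[str]] = {}
    for p in paths:
        cid = parse_ocsp_get(p)
        groups.setdefault(cid["issuer_key_hash"], []).append(cid["serial"])
    return groups


if __name__ == "__main__":
    for key_hash, serials in group_by_issuer(OCSP_PATHS).items():
        print("issuerKeyHash=" + key_hash)
        for s in serials:
            print("    serial=" + s)
```

Three of the eight requests share the issuer key hash cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d; those are exactly the requests the VeriSign Class 3 Code Signing 2010 CA responder answered. Three more share a second hash and map to the 2009-2 CA responder, and the remaining two go to the Symantec G1 and G5 responders. The decoder only tells you what was asked, not what was answered: the response status (good or revoked) is not legible in the dot-rendered bodies above.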
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1372:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe" /hostpath="c:\%original file name%.exe"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe
T.lnaG
.Vp]A
_/0.ok;^
nssCAFE.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nssCAFC.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
"$.11112#
pfTPPPPPE*&
Nullsoft Install System v2.46
1.0.11.5
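The command line recovered from the dump, "C:\Users\...\AppData\Local\Temp\nssCAFE.tmp\setup.exe" /hostpath="c:\%original file name%.exe", is the observable a detection engineer would key on: the NSIS wrapper unpacks a second installer into a transient staging directory under %TEMP% and hands it the dropper's own on-disk path. The Python below is an added example and is not part of the Lavasoft report; it runs a detection for that shape over constructed Sysmon-style process-creation records (made up for this example, not telemetry from the analysis). The staging-directory name pattern is an assumption based on the two names in the dump (nssCAFE.tmp, nssCAFC.tmp) and on the prefix-plus-four-hex-digits naming GetTempFileName produces; the /hostpath switch is taken from the dump itself.

```python
"""Flag child processes launched from an NSIS staging directory (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed NSIS staging dir name: "ns" + one letter + four hex digits + ".tmp"
# under %LOCALAPPDATA%\Temp (the dump shows nssCAFE.tmp and nssCAFC.tmp).
NSIS_STAGE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\(?P<stage>ns[a-z][0-9a-f]{4}\.tmp)\\(?P<exe>[^\\\"]+\.exe)",
    re.IGNORECASE,
)
# The /hostpath=<dropper path> switch seen in the dump, quoted or bare.
HOSTPATH_RE = re.compile(r'/hostpath=(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)


@dataclass
class Finding:
    stage_dir: str
    image: str
    host_path: Optional[str]
    parent: str
    severity: str


def host_path(cmdline: str) -> Optional[str]:
    """Extract the value of /hostpath= from a command line, if present."""
    m = HOSTPATH_RE.search(cmdline)
    if not m:
        return None
    return m.group("q") if m.group("q") is not None else m.group("u")


def inspect(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the process image lives in an NSIS staging directory."""
    m = NSIS_STAGE_RE.search(event["Image"])
    if not m:
        return None
    hp = host_path(event.get("CommandLine", ""))
    # A staged setup.exe that is told which dropper spawned it is the exact
    # shape in the dump; a staged helper without /hostpath is lower confidence.
    severity = "high" if hp else "medium"
    return Finding(m.group("stage"), m.group("exe"), hp, event.get("ParentImage", ""), severity)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run inspect() over a batch of process-creation events."""
    return [f for f in (inspect(e) for e in events) if f is not None]


# Constructed sample events for this example (not from the report).
SAMPLE_EVENTS = [
    {   # the shape seen in the dump: staged installer given the dropper's path
        "Image": r"C:\Users\alice\AppData\Local\Temp\nssCAFE.tmp\setup.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\nssCAFE.tmp\setup.exe" /hostpath="c:\player_update.exe"',
        "ParentImage": r"c:\player_update.exe",
    },
    {   # a staged helper with no /hostpath: still worth a look, lower confidence
        "Image": r"C:\Users\alice\AppData\Local\Temp\nsk1A2B.tmp\helper.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\nsk1A2B.tmp\helper.exe" /S',
        "ParentImage": r"C:\Users\alice\Downloads\tool-setup.exe",
    },
    {   # benign: not under a staging directory
        "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
        "CommandLine": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc',
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    {   # a .tmp directory that does not follow the ns?XXXX naming
        "Image": r"C:\Users\alice\AppData\Local\Temp\notes12.tmp\x.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\notes12.tmp\x.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("[%s] %s from %s host_path=%s parent=%s" % (f.severity, f.image, f.stage_dir, f.host_path, f.parent))
```

The rule deliberately matches on the image path rather than on the child's name: the dump shows setup.exe, but an NSIS wrapper can stage any file name, while the ns?XXXX.tmp directory under the user's Temp folder is the part the installer framework produces itself. Legitimate NSIS installers also hit the medium tier, so in production this would be joined with the dropper's signature status and the network activity shown above rather than alerted on alone.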
setup.exe_1512:
.text
`.rdata
@.data
.rsrc
@.reloc
%u>8V
PSSSSSSh
?#%X.y
GetProcessWindowStation
operator
1.0.11.5
ux
1.3.6.1.4.1.311.2.1.12
KERNEL32.dll
EnumWindows
keybd_event
USER32.dll
GDI32.dll
CryptGetKeyParam
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
URLDownloadToFileW
urlmon.dll
CryptImportPublicKeyInfo
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
PFXImportCertStore
CRYPT32.dll
WINTRUST.dll
IPHLPAPI.DLL
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
InternetCrackUrlW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
HttpAddRequestHeadersA
HttpSendRequestA
WININET.dll
RPCRT4.dll
GetProcessHeap
GetCPInfo
zcÃ
.?AV?$CAtlExeModuleT@VInstallerModule@@@ATL@@
.?AV?$IDispEventImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
"$.11112#
pfTPPPPPE*&
8-8E8q8}8
="=9=]=|=
8"9(9,90949
>*?/?9?|?
> ?$?(?,?
; ;$;(;,;0;
: :<:>
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
4f8e4a92-ce56-489d-a291-f4c00708a10c
https
kernel32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe