Trojan.Win32.Agent.vpau (Kaspersky), Trojan.Generic.7719771 (B) (Emsisoft), Trojan.Generic.7719771 (AdAware), mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR, TrojanDropperPolymorph1.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4704e6c8f118a401f9905f818c5dc007
SHA1: a6834f7af79b64e8624904d665ce5a08b939b583
SHA256: 54224df4f58b2c69f858e3ba98a2fbd61bc538df1c40ecf11f66eb0dfb74835b
SSDeep: 24576:5jdtAEM5KtSclaUz6Fw/jr9QOKtsccKww BR78W mb8pL/zRj4zgsy/ZbFdM:RdU4c ZJ9nJBBB8pLlj4zgR/J
Size: 1137662 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2012-08-15 13:02:15
Analyzed on: WindowsXP SP3 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
GoogleUpdate.exe:1308
GoogleUpdate.exe:1988
GoogleUpdate.exe:756
A5OINK8SAER9Y.exe:1684
%original file name%.exe:468
The Worm injects its code into the following process(es):
GoogleUpdate.exe:1812
GoogleUpdate.exe:316
svchost.exe:868
svchost.exe:1180
svchost.exe:1480
svchost.exe:328
File activity
The process GoogleUpdate.exe:1308 makes changes in the file system.
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\Install (0 bytes)
The process GoogleUpdate.exe:316 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_et.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_iw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en-GB.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateSetup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ml.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ur.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sl.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_nl.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_gu.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_de.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-BR.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ca.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_no.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ko.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_mr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fi.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es-419.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler64.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_is.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_vi.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_tr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ta.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sw.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_am.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_kn.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ms.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ja.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fr.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-PT.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lv.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_uk.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateHelper.msi (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sk.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_it.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bn.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fa.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bg.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateBroker.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ru.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ro.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pl.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_cs.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_el.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fil.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_da.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-TW.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_th.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_te.dll (29 bytes)
%WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (970 bytes)
%WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (918 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-CN.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hi.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lt.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_id.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hu.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ar.dll (26 bytes)
The process A5OINK8SAER9Y.exe:1684 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files%\GUMD.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files%\GUMD.tmp\goopdateres_gu.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_sv.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fil.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_hr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_kn.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_th.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_sl.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fr.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files%\GUMD.tmp\goopdateres_ar.dll (26 bytes)
%Program Files%\GUMD.tmp\goopdateres_en.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_lt.dll (28 bytes)
%Program Files%\GUMD.tmp\psmachine.dll (157 bytes)
%Program Files%\GUMD.tmp\goopdateres_ur.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_it.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_uk.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_no.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_am.dll (25 bytes)
%Program Files%\GUMD.tmp\goopdateres_ja.dll (24 bytes)
%Program Files%\GUMD.tmp\goopdateres_mr.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_hi.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files%\GUMD.tmp\goopdateres_ml.dll (31 bytes)
%Program Files%\GUMD.tmp\goopdateres_cs.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ta.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_ms.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ko.dll (23 bytes)
%Program Files%\GUMD.tmp\goopdateres_te.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_pl.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_de.dll (31 bytes)
%Program Files%\GUMD.tmp\GoogleUpdate.exe (116 bytes)
%Program Files%\GUMD.tmp\goopdateres_es.dll (31 bytes)
%Program Files%\GUMD.tmp\psuser.dll (157 bytes)
%Program Files%\GUMD.tmp\goopdateres_bg.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_bn.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ru.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_el.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_is.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_sk.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleCrashHandler.exe (180 bytes)
%Program Files%\GUMD.tmp\goopdateres_hu.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_et.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_id.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_da.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_lv.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_ca.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files%\GUMD.tmp\goopdateres_iw.dll (26 bytes)
%Program Files%\GUMD.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files%\GUMD.tmp\goopdateres_sr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdate.dll (1990 bytes)
%Program Files%\GUMD.tmp\goopdateres_vi.dll (28 bytes)
%Program Files%\GUTE.tmp (25429 bytes)
%Program Files%\GUMD.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUMD.tmp\goopdateres_ro.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_nl.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_fa.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_tr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fi.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleCrashHandler64.exe (233 bytes)
%Program Files%\GUMD.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_sw.dll (29 bytes)
The Worm deletes the following file(s):
%Program Files%\GUMD.tmp (0 bytes)
The process %original file name%.exe:468 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.bat (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.txt (158 bytes)
%Documents and Settings%\%current user%\Application Data\Trion\svchost.exe (17563 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.txt (0 bytes)
Registry activity
The process GoogleUpdate.exe:1308 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 7A E0 34 D4 E6 4C C8 73 7C 4B C4 80 A2 D8 9E"
[HKCU\Software\Google\Update\proxy]
"source" = "direct"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"
"iid"
[HKCU\Software\Google\Update]
"old-uid"
"uid"
The process GoogleUpdate.exe:1812 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 83 9D A7 6B 9C 7D BB BE 00 98 92 3D D2 D3 12"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Google\Update]
"eulaaccepted"
The process GoogleUpdate.exe:316 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"
[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdate.exe"
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"
"Version" = "3"
[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"brand" = "CHMB"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update"
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll"
[HKCU\Software\Classes\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "0"
[HKCU\Software\Google\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"
[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.21.111"
[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"iid" = "{21247E6F-D9B5-2BDB-08EC-CFCF0FB3788C}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKCU\Software\Google\Update]
"Version" = "1.3.21.111"
[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"
[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"
[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"InstallTime" = "1400777004"
[HKCU\Software\Classes\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKCU\Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"
"pv" = "1.3.21.111"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 16 77 69 18 78 5E 37 4C B8 62 24 28 4D 09 BE"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update]
"GoogleUpdate.exe" = "Google Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."
[HKCU\Software\Google\Update]
"UninstallCmdLine" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /uninstall"
[HKCU\Software\Classes\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"
[HKCU\Software\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateOnDemand.exe"
[HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
"ProductName" = "Google Update"
[HKCU\Software\Classes\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"
[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
To run itself automatically each time Windows boots, the Worm adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKCU\Software\Google\Update]
"eulaaccepted"
"ui"
[HKCU\Software\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKCU\Software\Google\Update]
"old-uid"
"LastChecked"
"uid"
The process GoogleUpdate.exe:1988 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 1F 37 54 49 19 61 DD 8B 42 8E 96 BD 64 A9 C2"
[HKCU\Software\Google\Update\proxy]
"source" = "direct"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Google\Update\network\secure]
"c"
"sk"
The process GoogleUpdate.exe:756 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{2F0E2680-9FF5-43C0-B76E-114A56E93598}"
[HKCU\Software\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKCU\Software\Classes\Google.OneClickProcessLauncherUser.1.0]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"
[HKCU\Software\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassUser.1.0"
[HKCU\Software\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCU\Software\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherUser.1.0"
[HKCU\Software\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{E67BE843-BBBE-4484-95FB-05271AE86750}"
[HKCU\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"
[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"
[HKCU\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}]
"(Default)" = "PSFactoryBuffer"
[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassUser"
[HKCU\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCU\Software\Classes\GoogleUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCU\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCU\Software\Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InProcServer32]
"ThreadingModel" = "Both"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}]
"CLSID" = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"
[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{022105BD-948A-40C9-AB42-A3300DDF097F}"
[HKCU\Software\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCU\Software\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"
[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassUser.1.0"
[HKCU\Software\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCU\Software\Classes\GoogleUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{22181302-A8A6-4F84-A541-E5CBFC70CC43}"
[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCU\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}]
"(Default)" = "IAppWeb"
[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll"
[HKCU\Software\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\NumMethods]
"(Default)" = "40"
[HKCU\Software\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCU\Software\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}]
"(Default)" = "Google Update Legacy On Demand"
[HKCU\Software\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll"
[HKCU\Software\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 B4 32 C5 04 72 6C 6F 69 72 A7 5B AE 34 78 02"
[HKCU\Software\Classes\GoogleUpdate.Update3WebUser\CLSID]
"(Default)" = "{22181302-A8A6-4F84-A541-E5CBFC70CC43}"
[HKCU\Software\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCU\Software\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{2F0E2680-9FF5-43C0-B76E-114A56E93598}"
[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogUser.1.0"
[HKCU\Software\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogUser.1.0"
[HKCU\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCU\Software\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}]
"(Default)" = "Update3COMClass"
[HKCU\Software\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCU\Software\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
[HKCU\Software\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\GoogleUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"
[HKCU\Software\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogUser"
[HKCU\Software\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCU\Software\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCU\Software\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll"
[HKCU\Software\Classes\Google.OneClickProcessLauncherUser\CurVer]
"(Default)" = "Google.OneClickProcessLauncherUser.1.0"
[HKCU\Software\Classes\Google.OneClickProcessLauncherUser]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassUser"
[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{022105BD-948A-40C9-AB42-A3300DDF097F}"
[HKCU\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCU\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCU\Software\Classes\GoogleUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"
[HKCU\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassUser.1.0"
[HKCU\Software\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}\NumMethods]
"(Default)" = "14"
[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherUser"
[HKCU\Software\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}]
"Policy" = "3"
[HKCU\Software\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCU\Software\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32]
"ThreadingModel" = "Both"
[HKCU\Software\Classes\Google.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"
[HKCU\Software\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCU\Software\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"
[HKCU\Software\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\GoogleUpdate.Update3WebUser\CurVer]
"(Default)" = "GoogleUpdate.Update3WebUser.1.0"
[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCU\Software\Classes\GoogleUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"
[HKCU\Software\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCU\Software\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCU\Software\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebUser.1.0"
[HKCU\Software\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCU\Software\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{E67BE843-BBBE-4484-95FB-05271AE86750}"
[HKCU\Software\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe"
[HKCU\Software\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{FB994D36-B312-46CE-A40B-CF63980641F9}"
[HKCU\Software\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCU\Software\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebUser"
[HKCU\Software\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}]
"(Default)" = "IApp"
[HKCU\Software\Classes\GoogleUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCU\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassUser.1.0"
[HKCU\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCU\Software\Classes\Google.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{51F9E8EF-59D7-475B-A106-C7EA6F30C119}"
The Worm deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32]
[HKCU\Software\Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}]
[HKCU\Software\Classes\CLSID\{CD221623-4F9A-4FA5-A9EE-A77EC8F0E7BD}]
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Google\Update\network\secure]
"c"
"sk"
The process A5OINK8SAER9Y.exe:1684 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F A2 21 91 18 03 6E 55 E2 1F E7 D9 23 E2 D1 FF"
The process %original file name%.exe:468 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 5F 1C 43 C7 4B 87 35 94 49 50 C7 BA FB 1B 2D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Trion]
"svchost.exe" = "miroita extrapolee e'bahissant"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WVRTF.bat" = "WVRTF"
The Worm modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
85be3f1c136d7831bddd3bbfa082634b | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Trion\svchost.exe |
85be3f1c136d7831bddd3bbfa082634b | c:\Documents and Settings\"%CurrentUserName%"\Application Data\neast.exe |
d566847532183a720a0177565014cb73 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe |
9414138f54b6aebd2b56d928a7902da9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler64.exe |
506708142bc63daba64f2d3ad1dcd5bf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdate.exe |
d22e82fe9070c88ae7abb63f6b3bd989 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateBroker.exe |
a44b0728944f85152c38eea338099ca2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe |
0b644c116f593b37d758c54aeb2d31bc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateSetup.exe |
59448f6b68454ba3dc14b2f974877a49 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdate.dll |
546d1309300d34e26258250b0237a41e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_am.dll |
97c514498960c733edfc27f0bb433a9a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ar.dll |
e691027f0a7d09f0bc43a5bac5a910db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bg.dll |
93b6ad89179261fb7981519050c6f98e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bn.dll |
71da486e08da70e831502cfc592dc92d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ca.dll |
40307f06c61b492a201e48d296ddc5b4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_cs.dll |
647c395e913ab77a8eecc6fcde2a697a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_da.dll |
5754d0b13a2f04db41177c935a688550 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_de.dll |
162c0f89c4722baa6762c20170a29296 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_el.dll |
93bbc13d3017cef9fcb5ae5347ab8b90 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en-GB.dll |
991477032670c1e9123d17a596c9273a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en.dll |
3012f71a127e406ab610374f9afdd21a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es-419.dll |
af3b0e72a870ae24b517791f88ea227f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es.dll |
c18d261a0b0089f1600dad48379ef32c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_et.dll |
bc55189a9287d75641df24e445f92f84 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fa.dll |
83d46ed1519b71ae50378b056b19612b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fi.dll |
5e8567cca02fb179fc8fd61317cb976f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fil.dll |
1b614fb14253987b73707f8e88dd35b0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fr.dll |
d2ad7b377532c405643ac0ed0562cb68 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_gu.dll |
5db21f573bf61e68fc0642939cfed36c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hi.dll |
8a6ec219e31c8b4c769fce8afdf298a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hr.dll |
8fd615dfd67b5f286c40d300a885ea46 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hu.dll |
2aefdd4b4e4083979371012a8cf81512 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_id.dll |
4839d4ddab3d82cabe3b824421868306 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_is.dll |
1daa942d1b4efb104a8514618a5ff5a5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_it.dll |
d257c967abcb956dd1a84ebf3d7781e8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_iw.dll |
ceaeb50a019b6b359c09bc7da8e52cf3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ja.dll |
ff68341cdf9ea3b99087fe8340f77a31 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_kn.dll |
3ea0cf29356d4053e0c0ac75a1e02faa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ko.dll |
024310d759adae5607e819481395d007 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lt.dll |
3561e10e4a11bd53961a1bcc344e4c84 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lv.dll |
37bbf240a1ce7a05aeb66ebbbef481cb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ml.dll |
88cbf05783cd03939075f4ef5da8e11c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_mr.dll |
3e0cb244ab90dc66e0370fe87e103434 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ms.dll |
157cc720416962f4ebc44bc76be038d8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_nl.dll |
21c6d0761a197011c7a3e8095d7ed48c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_no.dll |
e399f22dff0debdffdec4d5a3a7b27c7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pl.dll |
b1d2107fc0d8a00e792c9a7580d8a717 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-BR.dll |
3ece49f6194f96668faa12c386d678e0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-PT.dll |
872131902e445f0b19f92bc9c1d85147 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ro.dll |
9076ceb5d9a93b002e728364173d7bc9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ru.dll |
4b971f7bf3efd828ee450cce21ceb04f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sk.dll |
2d0e24cf439c7f0d998c22309260fab1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sl.dll |
9b1a18026f8813657d38b093bed063ef | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sr.dll |
3d22ecf707c139c62db75285afe966c7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sv.dll |
1de5d22cf5ad59a27c83f9493813f996 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sw.dll |
f71d8c8a5a959227c35feee6eb9611bc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ta.dll |
4d9d46c43587d8b1cc537b18262e27e1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_te.dll |
16b95da17c7ba91e522c8995a4d97e50 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_th.dll |
5eeb5774b5196ccb313ad065b89f7900 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_tr.dll |
ca854e5f435b1b6365124e7f4b128d38 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_uk.dll |
ae05add7511db9bd497787f316d76c8b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ur.dll |
1d753e31799cd442f105e246a9f566d9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_vi.dll |
41ecc522f94751f1855ae4dabcfcd4e1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-CN.dll |
1a1ce3d26ae4aa6810613506446f1ed3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-TW.dll |
1e6b52abdf4082374de9d43cbd2f7e08 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll |
f9e8217039f98f360f57481ab37ffae7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\psmachine.dll |
b9fc5d3ed3803ec5b134c980752ab5e6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll |
506708142bc63daba64f2d3ad1dcd5bf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Google\Update\GoogleUpdate.exe |
0b644c116f593b37d758c54aeb2d31bc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\A5OINK8SAER9Y.exe |
d566847532183a720a0177565014cb73 | c:\Program Files\GUMD.tmp\GoogleCrashHandler.exe |
9414138f54b6aebd2b56d928a7902da9 | c:\Program Files\GUMD.tmp\GoogleCrashHandler64.exe |
506708142bc63daba64f2d3ad1dcd5bf | c:\Program Files\GUMD.tmp\GoogleUpdate.exe |
d22e82fe9070c88ae7abb63f6b3bd989 | c:\Program Files\GUMD.tmp\GoogleUpdateBroker.exe |
a44b0728944f85152c38eea338099ca2 | c:\Program Files\GUMD.tmp\GoogleUpdateOnDemand.exe |
0b644c116f593b37d758c54aeb2d31bc | c:\Program Files\GUMD.tmp\GoogleUpdateSetup.exe |
59448f6b68454ba3dc14b2f974877a49 | c:\Program Files\GUMD.tmp\goopdate.dll |
546d1309300d34e26258250b0237a41e | c:\Program Files\GUMD.tmp\goopdateres_am.dll |
97c514498960c733edfc27f0bb433a9a | c:\Program Files\GUMD.tmp\goopdateres_ar.dll |
e691027f0a7d09f0bc43a5bac5a910db | c:\Program Files\GUMD.tmp\goopdateres_bg.dll |
93b6ad89179261fb7981519050c6f98e | c:\Program Files\GUMD.tmp\goopdateres_bn.dll |
71da486e08da70e831502cfc592dc92d | c:\Program Files\GUMD.tmp\goopdateres_ca.dll |
40307f06c61b492a201e48d296ddc5b4 | c:\Program Files\GUMD.tmp\goopdateres_cs.dll |
647c395e913ab77a8eecc6fcde2a697a | c:\Program Files\GUMD.tmp\goopdateres_da.dll |
5754d0b13a2f04db41177c935a688550 | c:\Program Files\GUMD.tmp\goopdateres_de.dll |
162c0f89c4722baa6762c20170a29296 | c:\Program Files\GUMD.tmp\goopdateres_el.dll |
93bbc13d3017cef9fcb5ae5347ab8b90 | c:\Program Files\GUMD.tmp\goopdateres_en-GB.dll |
991477032670c1e9123d17a596c9273a | c:\Program Files\GUMD.tmp\goopdateres_en.dll |
3012f71a127e406ab610374f9afdd21a | c:\Program Files\GUMD.tmp\goopdateres_es-419.dll |
af3b0e72a870ae24b517791f88ea227f | c:\Program Files\GUMD.tmp\goopdateres_es.dll |
c18d261a0b0089f1600dad48379ef32c | c:\Program Files\GUMD.tmp\goopdateres_et.dll |
bc55189a9287d75641df24e445f92f84 | c:\Program Files\GUMD.tmp\goopdateres_fa.dll |
83d46ed1519b71ae50378b056b19612b | c:\Program Files\GUMD.tmp\goopdateres_fi.dll |
5e8567cca02fb179fc8fd61317cb976f | c:\Program Files\GUMD.tmp\goopdateres_fil.dll |
1b614fb14253987b73707f8e88dd35b0 | c:\Program Files\GUMD.tmp\goopdateres_fr.dll |
d2ad7b377532c405643ac0ed0562cb68 | c:\Program Files\GUMD.tmp\goopdateres_gu.dll |
5db21f573bf61e68fc0642939cfed36c | c:\Program Files\GUMD.tmp\goopdateres_hi.dll |
8a6ec219e31c8b4c769fce8afdf298a9 | c:\Program Files\GUMD.tmp\goopdateres_hr.dll |
8fd615dfd67b5f286c40d300a885ea46 | c:\Program Files\GUMD.tmp\goopdateres_hu.dll |
2aefdd4b4e4083979371012a8cf81512 | c:\Program Files\GUMD.tmp\goopdateres_id.dll |
4839d4ddab3d82cabe3b824421868306 | c:\Program Files\GUMD.tmp\goopdateres_is.dll |
1daa942d1b4efb104a8514618a5ff5a5 | c:\Program Files\GUMD.tmp\goopdateres_it.dll |
d257c967abcb956dd1a84ebf3d7781e8 | c:\Program Files\GUMD.tmp\goopdateres_iw.dll |
ceaeb50a019b6b359c09bc7da8e52cf3 | c:\Program Files\GUMD.tmp\goopdateres_ja.dll |
ff68341cdf9ea3b99087fe8340f77a31 | c:\Program Files\GUMD.tmp\goopdateres_kn.dll |
3ea0cf29356d4053e0c0ac75a1e02faa | c:\Program Files\GUMD.tmp\goopdateres_ko.dll |
024310d759adae5607e819481395d007 | c:\Program Files\GUMD.tmp\goopdateres_lt.dll |
3561e10e4a11bd53961a1bcc344e4c84 | c:\Program Files\GUMD.tmp\goopdateres_lv.dll |
37bbf240a1ce7a05aeb66ebbbef481cb | c:\Program Files\GUMD.tmp\goopdateres_ml.dll |
88cbf05783cd03939075f4ef5da8e11c | c:\Program Files\GUMD.tmp\goopdateres_mr.dll |
3e0cb244ab90dc66e0370fe87e103434 | c:\Program Files\GUMD.tmp\goopdateres_ms.dll |
157cc720416962f4ebc44bc76be038d8 | c:\Program Files\GUMD.tmp\goopdateres_nl.dll |
21c6d0761a197011c7a3e8095d7ed48c | c:\Program Files\GUMD.tmp\goopdateres_no.dll |
e399f22dff0debdffdec4d5a3a7b27c7 | c:\Program Files\GUMD.tmp\goopdateres_pl.dll |
b1d2107fc0d8a00e792c9a7580d8a717 | c:\Program Files\GUMD.tmp\goopdateres_pt-BR.dll |
3ece49f6194f96668faa12c386d678e0 | c:\Program Files\GUMD.tmp\goopdateres_pt-PT.dll |
872131902e445f0b19f92bc9c1d85147 | c:\Program Files\GUMD.tmp\goopdateres_ro.dll |
9076ceb5d9a93b002e728364173d7bc9 | c:\Program Files\GUMD.tmp\goopdateres_ru.dll |
4b971f7bf3efd828ee450cce21ceb04f | c:\Program Files\GUMD.tmp\goopdateres_sk.dll |
2d0e24cf439c7f0d998c22309260fab1 | c:\Program Files\GUMD.tmp\goopdateres_sl.dll |
9b1a18026f8813657d38b093bed063ef | c:\Program Files\GUMD.tmp\goopdateres_sr.dll |
3d22ecf707c139c62db75285afe966c7 | c:\Program Files\GUMD.tmp\goopdateres_sv.dll |
1de5d22cf5ad59a27c83f9493813f996 | c:\Program Files\GUMD.tmp\goopdateres_sw.dll |
f71d8c8a5a959227c35feee6eb9611bc | c:\Program Files\GUMD.tmp\goopdateres_ta.dll |
4d9d46c43587d8b1cc537b18262e27e1 | c:\Program Files\GUMD.tmp\goopdateres_te.dll |
16b95da17c7ba91e522c8995a4d97e50 | c:\Program Files\GUMD.tmp\goopdateres_th.dll |
5eeb5774b5196ccb313ad065b89f7900 | c:\Program Files\GUMD.tmp\goopdateres_tr.dll |
ca854e5f435b1b6365124e7f4b128d38 | c:\Program Files\GUMD.tmp\goopdateres_uk.dll |
ae05add7511db9bd497787f316d76c8b | c:\Program Files\GUMD.tmp\goopdateres_ur.dll |
1d753e31799cd442f105e246a9f566d9 | c:\Program Files\GUMD.tmp\goopdateres_vi.dll |
41ecc522f94751f1855ae4dabcfcd4e1 | c:\Program Files\GUMD.tmp\goopdateres_zh-CN.dll |
1a1ce3d26ae4aa6810613506446f1ed3 | c:\Program Files\GUMD.tmp\goopdateres_zh-TW.dll |
1e6b52abdf4082374de9d43cbd2f7e08 | c:\Program Files\GUMD.tmp\npGoogleUpdate3.dll |
f9e8217039f98f360f57481ab37ffae7 | c:\Program Files\GUMD.tmp\psmachine.dll |
b9fc5d3ed3803ec5b134c980752ab5e6 | c:\Program Files\GUMD.tmp\psuser.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:1308
GoogleUpdate.exe:1988
GoogleUpdate.exe:756
A5OINK8SAER9Y.exe:1684
%original file name%.exe:468
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_et.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_iw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en-GB.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateSetup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ml.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ur.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sl.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_nl.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_gu.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_de.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-BR.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ca.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_no.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ko.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_mr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fi.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es-419.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler64.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_is.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_vi.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_tr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ta.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sw.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_am.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_kn.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ms.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ja.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fr.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_es.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pt-PT.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lv.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_uk.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateHelper.msi (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sk.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_it.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bn.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fa.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_bg.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdateBroker.exe (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ru.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ro.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_pl.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_cs.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_el.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_fil.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_da.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_sr.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-TW.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_en.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_th.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_te.dll (29 bytes)
%WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (970 bytes)
%WinDir%\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (918 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_zh-CN.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hi.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_lt.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_id.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_hu.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\1.3.21.111\goopdateres_ar.dll (26 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateBroker.exe (59 bytes)
%Program Files%\GUMD.tmp\goopdateres_gu.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_sv.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fil.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_hr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_kn.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_th.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_sl.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fr.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_pt-BR.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_zh-TW.dll (21 bytes)
%Program Files%\GUMD.tmp\goopdateres_ar.dll (26 bytes)
%Program Files%\GUMD.tmp\goopdateres_en.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_lt.dll (28 bytes)
%Program Files%\GUMD.tmp\psmachine.dll (157 bytes)
%Program Files%\GUMD.tmp\goopdateres_ur.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_it.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_uk.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_no.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_am.dll (25 bytes)
%Program Files%\GUMD.tmp\goopdateres_ja.dll (24 bytes)
%Program Files%\GUMD.tmp\goopdateres_mr.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_hi.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateOnDemand.exe (59 bytes)
%Program Files%\GUMD.tmp\goopdateres_ml.dll (31 bytes)
%Program Files%\GUMD.tmp\goopdateres_cs.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ta.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_ms.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ko.dll (23 bytes)
%Program Files%\GUMD.tmp\goopdateres_te.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_pl.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_de.dll (31 bytes)
%Program Files%\GUMD.tmp\GoogleUpdate.exe (116 bytes)
%Program Files%\GUMD.tmp\goopdateres_es.dll (31 bytes)
%Program Files%\GUMD.tmp\psuser.dll (157 bytes)
%Program Files%\GUMD.tmp\goopdateres_bg.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_bn.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_ru.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_el.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_is.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_sk.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleCrashHandler.exe (180 bytes)
%Program Files%\GUMD.tmp\goopdateres_hu.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_et.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_id.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_es-419.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_da.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_lv.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_ca.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateHelper.msi (25 bytes)
%Program Files%\GUMD.tmp\goopdateres_iw.dll (26 bytes)
%Program Files%\GUMD.tmp\goopdateres_en-GB.dll (28 bytes)
%Program Files%\GUMD.tmp\goopdateres_zh-CN.dll (21 bytes)
%Program Files%\GUMD.tmp\GoogleUpdateSetup.exe (5441 bytes)
%Program Files%\GUMD.tmp\goopdateres_sr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdate.dll (1990 bytes)
%Program Files%\GUMD.tmp\goopdateres_vi.dll (28 bytes)
%Program Files%\GUTE.tmp (25429 bytes)
%Program Files%\GUMD.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUMD.tmp\goopdateres_ro.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_nl.dll (30 bytes)
%Program Files%\GUMD.tmp\goopdateres_fa.dll (27 bytes)
%Program Files%\GUMD.tmp\goopdateres_tr.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_fi.dll (29 bytes)
%Program Files%\GUMD.tmp\GoogleCrashHandler64.exe (233 bytes)
%Program Files%\GUMD.tmp\goopdateres_pt-PT.dll (29 bytes)
%Program Files%\GUMD.tmp\goopdateres_sw.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.bat (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WVRTF.txt (158 bytes)
%Documents and Settings%\%current user%\Application Data\Trion\svchost.exe (17563 bytes)
Removal
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe /c"
Note that this value is the standard per-user autorun entry of the Google Update client that the dropper unpacks into %Program Files%\GUMD.tmp and installs (GoogleUpdateSetup.exe); removing it does not remove the worm's own copy, %Documents and Settings%\%current user%\Application Data\Trion\svchost.exe. The strings recovered from the injected svchost.exe processes (below) reference the HKCU and HKLM ...\CurrentVersion\Run keys, the Winlogon\Shell value and Policies\System\EnableLUA, so check those for entries pointing at the Trion\svchost.exe copy as well, and delete that file.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
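The removable-drive step above is the one most often done by hand and most often done incompletely. The script below is an added example, not code from the Lavasoft report and not the worm's own code: it locates autorun.inf at a drive root, parses the keys that name a file to launch (open, shellexecute, icon, shell\<verb>\command), checks which of those files are actually present and removes the pair. The report does not reproduce the worm's autorun.inf, so SAMPLE_AUTORUN_INF is a constructed file that reuses the dropped executable name from the process list; the layout of the [autorun] section and the Windows drive enumeration via GetDriveTypeW are assumptions of the example, not facts from the page.

```python
"""
Added example (not part of the Lavasoft report, not the worm's code): triage
of a removable drive for the autorun.inf + worm-copy pair that the removal
step tells you to find and delete.

Assumptions, not taken from the report: the autorun.inf uses the standard
[autorun] keys; SAMPLE_AUTORUN_INF is constructed for the demonstration.
"""
import ctypes
import sys
import tempfile
from pathlib import Path

# [autorun] keys whose value names a file to run or load.
_EXEC_KEYS = ("open", "shellexecute", "icon")


def _first_token(value):
    """First path-like token of a key value: honours "quoted paths" and
    drops trailing arguments such as /autorun."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun_inf(text):
    """Return the relative file paths an autorun.inf references, in order.

    Case-insensitive and tolerant of comment/padding lines, because
    worm-written autorun.inf files are routinely padded with junk to
    break naive signature matching."""
    refs, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in _EXEC_KEYS or is_verb:
            target = _first_token(value)
            if key == "icon":
                target = target.split(",")[0]          # icon=file.exe,0
            if target and target not in refs:
                refs.append(target)
    return refs


def triage_drive(root):
    """Find autorun.inf at a drive root (any letter case), parse it and check
    which referenced files exist there. None when there is no autorun.inf."""
    root = Path(root)
    inf = next((p for p in root.iterdir()
                if p.is_file() and p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return None
    refs = parse_autorun_inf(inf.read_text(errors="replace"))
    present, missing = [], []
    for ref in refs:
        candidate = root.joinpath(*ref.replace("\\", "/").split("/"))
        (present if candidate.is_file() else missing).append(candidate)
    return {"autorun_inf": inf, "referenced": refs,
            "present": present, "missing": missing}


def clean_drive(root, dry_run=True):
    """Remove the autorun.inf and every file it launches. Returns the paths
    involved; deletes only when dry_run=False."""
    findings = triage_drive(root)
    if findings is None:
        return []
    targets = findings["present"] + [findings["autorun_inf"]]
    if not dry_run:
        for path in targets:
            path.unlink()
    return targets


def removable_drive_roots():
    """Windows only: drive roots whose GetDriveTypeW is DRIVE_REMOVABLE (2)."""
    if sys.platform != "win32":
        return []
    k32 = ctypes.windll.kernel32
    mask = k32.GetLogicalDrives()
    return [f"{chr(65 + i)}:\\" for i in range(26)
            if mask & (1 << i) and k32.GetDriveTypeW(f"{chr(65 + i)}:\\") == 2]


# Constructed sample, not recovered from the report.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; padding line of the kind worms add to break naive scanners
open=A5OINK8SAER9Y.exe
icon=A5OINK8SAER9Y.exe,0
shell\\open\\command="A5OINK8SAER9Y.exe" /autorun
shell\\explore\\Command=A5OINK8SAER9Y.exe /autorun
action=Open folder to view files
"""


def build_sample_drive():
    """Throwaway directory laid out like an infected drive root."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "AUTORUN.INF").write_text(SAMPLE_AUTORUN_INF)
    (root / "A5OINK8SAER9Y.exe").write_bytes(b"MZ")   # stand-in for the worm copy
    return root


if __name__ == "__main__":
    for root in removable_drive_roots() or [build_sample_drive()]:
        for path in clean_drive(root, dry_run=True):
            print("would remove:", path)
```

Run it with dry_run=True first and compare the reported paths against the file list above before deleting anything; a legitimate autorun.inf on a vendor's drive references an installer it ships with, and the parser cannot tell that from a worm's copy by itself.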
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 782336 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 786432 | 393216 | 391680 | 5.39803 | a5aea7f61c087045e96627e1f7ba6369 |
.rsrc | 1179648 | 8192 | 5120 | 3.6644 | d3817cbaabb037719554f051cfb88800 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
Every URL and HTTP exchange recorded in this section belongs to the Google Update (Omaha) client that the dropper unpacks into %Program Files%\GUMD.tmp and installs (GoogleUpdateSetup.exe; brand code CHMB and installsource "taggedmi" in the request XML): an update check for app id {8A69D345-D564-463C-AFF1-A69D9E530F96}, answered with a manifest for 35.0.1916.114_chrome_installer.exe, followed by a BITS download of that installer. None of the worm's own traffic was captured; the only non-Google host named anywhere in this report is ilmioip.it, which appears in the strings of the injected svchost.exe processes below.
URLs
URL | IP |
---|---|
hxxp://tools.l.google.com/service/update2 | |
hxxp://tools.l.google.com/service/update2?w=6:kBkzqI4jJyMi8KhhKEcTwtwvqm5ZHo_yZ-YfsjMTl7PATAKMBq6gC1FVn1e57EgisvtFAd9zaUFDyNgcWHbXAVlmuEwr1dhTgby64ssO1JW5_9laE3sQqggOZoFLw2vKTi3-Jh_mpd-C6LObeNZ22CeDYDIPe8sh566xaJDwNOiews3HCjZzWQ4suS33b7YaVAnXz7H7JduwtRh6z1RxeqpxxKqJzjZ1k7sM4F7zBDRJBVHavGEXeRSwocxoU_HOXQLJgFE51Qby6MtS0aoRUyyS6lkDLDVG8HpRIxCk9yg3rmiEj6mjfED0X2Cc9GcK4KhdyRiweXzMaGyPDOz3tA | |
hxxp://redirector.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe | |
hxxp://r8.sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1 | |
hxxp://r8.sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1 | |
hxxp://tools.google.com/service/update2 | 74.125.143.102 |
hxxp://tools.google.com/service/update2?w=6:kBkzqI4jJyMi8KhhKEcTwtwvqm5ZHo_yZ-YfsjMTl7PATAKMBq6gC1FVn1e57EgisvtFAd9zaUFDyNgcWHbXAVlmuEwr1dhTgby64ssO1JW5_9laE3sQqggOZoFLw2vKTi3-Jh_mpd-C6LObeNZ22CeDYDIPe8sh566xaJDwNOiews3HCjZzWQ4suS33b7YaVAnXz7H7JduwtRh6z1RxeqpxxKqJzjZ1k7sM4F7zBDRJBVHavGEXeRSwocxoU_HOXQLJgFE51Qby6MtS0aoRUyyS6lkDLDVG8HpRIxCk9yg3rmiEj6mjfED0X2Cc9GcK4KhdyRiweXzMaGyPDOz3tA | 74.125.143.102 |
hxxp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1 | 185.2.108.19 |
hxxp://cache.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe | 173.194.71.138 |
hxxp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1 | 185.2.108.19 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /service/update2?w=6:kBkzqI4jJyMi8KhhKEcTwtwvqm5ZHo_yZ-YfsjMTl7PATAKMBq6gC1FVn1e57EgisvtFAd9zaUFDyNgcWHbXAVlmuEwr1dhTgby64ssO1JW5_9laE3sQqggOZoFLw2vKTi3-Jh_mpd-C6LObeNZ22CeDYDIPe8sh566xaJDwNOiews3HCjZzWQ4suS33b7YaVAnXz7H7JduwtRh6z1RxeqpxxKqJzjZ1k7sM4F7zBDRJBVHavGEXeRSwocxoU_HOXQLJgFE51Qby6MtS0aoRUyyS6lkDLDVG8HpRIxCk9yg3rmiEj6mjfED0X2Cc9GcK4KhdyRiweXzMaGyPDOz3tA HTTP/1.1
User-Agent: Google Update/1.3.21.111;winhttp;cup
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
If-Match: "t_DrlU6FN5dkjNRz2w_YJatTwqY"
Host: tools.google.com
Content-Length: 518
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.21.111" shell_version="1.3.21.103" ismachine="0" sessionid="{B52B1E18-BD56-411D-B250-AB43636A079D}" installsource="taggedmi" requestid="{4A86BA68-A203-4A36-8828-A1430AF58F45}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" version="" nextversion="" lang="en" brand="CHMB" client="" installage="-1" iid="{21247E6F-D9B5-2BDB-08EC-CFCF0FB3788C}"><updatecheck/></app></request>
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 22 May 2014 16:43:32 GMT
Set-Cookie: c=ANcH4TKrj7LXuIEN6Q8zdKvxr7odaG8fwMPAjhdwWa5-WyEV_oiQimVnyATQcicLxqznR9ChmAh2mpxpf0zD-UgNMB5kWZGiLA
ETag: "02m8nGfdKqb9nxNW1XIiWUFacCI"
Content-Type: text/xml; charset=UTF-8
X-Daynum: 2698
X-Daystart: 35012
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic
Transfer-Encoding: chunked
437..<?xml version="1.0" encoding="UTF-8"?><response protocol="3.0" server="prod"><daystart elapsed_days="2698" elapsed_seconds="35012"/><app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" status="ok"><updatecheck status="ok"><urls><url codebase="hXXp://cache.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/"/><url codebase="hXXp://VVV.google.com/dl/chrome/win/D49A7790200F64CE/"/><url codebase="hXXps://dl.google.com/chrome/win/D49A7790200F64CE/"/><url codebase="hXXp://dl.google.com/chrome/win/D49A7790200F64CE/"/><url codebase="hXXp://google.com/dl/chrome/win/D49A7790200F64CE/"/></urls><manifest version="35.0.1916.114"><packages><package fp="2.35.0.1916.114" hash="BFD4gUIxRsRNJjewFw7LqqCZWh0=" name="35.0.1916.114_chrome_installer.exe" required="true" size="38382160"/></packages><actions><action arguments="--multi-install --chrome --verbose-logging --do-not-launch-chrome" event="install" run="35.0.1916.114_chrome_installer.exe"/><action Version="35.0.1916.114" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/></actions></manifest></updatecheck></app></response>..0..
<<
<<< skipped >>>
POST /service/update2 HTTP/1.1
User-Agent: Google Update/1.3.21.111;winhttp
X-Last-HR: 0x80072f94
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: tools.google.com
Content-Length: 565
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.21.111" shell_version="1.3.21.103" ismachine="0" sessionid="{B52B1E18-BD56-411D-B250-AB43636A079D}" installsource="taggedmi" requestid="{192EB7DE-EC66-4E84-B41B-1D6CB0B2BBE7}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" version="" nextversion="1.3.21.111" lang="en" brand="CHMB" client="" iid="{21247E6F-D9B5-2BDB-08EC-CFCF0FB3788C}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0"/></app></request>
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Thu, 22 May 2014 16:43:31 GMT
Content-Type: text/xml; charset=UTF-8
X-Daynum: 2698
X-Daystart: 35011
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 80:quic
Transfer-Encoding: chunked
e9..<?xml version="1.0" encoding="UTF-8"?><response protocol="3.0" server="prod"><daystart elapsed_days="2698" elapsed_seconds="35011"/><app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" status="ok"><event status="ok"/></app></response>..0..
HEAD /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1 HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: r8---sn-bpb5oxu-3c2e.c.pack.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 38382160
Content-Type: application/x-msdos-program
Etag: "42f4f"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 15 May 2014 14:37:26 GMT
Last-Modified: Wed, 14 May 2014 15:41:00 GMT
Connection: keep-alive
Alternate-Protocol: 80:quic
GET /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1 HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: r8---sn-bpb5oxu-3c2e.c.pack.google.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 38382160
Content-Type: application/x-msdos-program
Etag: "42f4f"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 15 May 2014 14:37:26 GMT
Last-Modified: Wed, 14 May 2014 15:41:00 GMT
Connection: keep-alive
Alternate-Protocol: 80:quic
(binary response body, not reproduced: the first bytes of 35.0.1916.114_chrome_installer.exe, a 32-bit PE with .text, .data and .rsrc sections; the dump shows the Chrome app id {8A69D345-D564-463C-AFF1-A69D9E530F96} and further GUIDs embedded as UTF-16 strings; the body is 38382160 bytes per Content-Length)
<<
<<< skipped >>>
HEAD /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cache.pack.google.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 22 May 2014 16:43:37 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791417&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=7EEF21E23BA864491FB2D14418A91567DE2E6A55.0BE67118D118D358F4481C68C4E6DF0BA7AD0446&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 584
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
GET /edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
User-Agent: Microsoft BITS/6.7
Host: cache.pack.google.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 22 May 2014 16:43:41 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 584
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://r8---sn-bpb5oxu-3c2e.c.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/35.0.1916.114_chrome_installer.exe?cms_redirect=yes&expire=1400791421&ip=193.138.244.231&ipbits=0&ir=1&ms=nvh&mt=1400776467&mv=u&mws=yes&sparams=expire,ip,ipbits&signature=29F52B0A45FD40660437423C3383BDDA1D662F33.3210D801AEF8D66ACC5F4BC0E01DA161ADA94503&key=cms1">here</A>...</BODY></HTML>
<<
<<< skipped >>>
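The update-check exchange above is the Omaha v3 protocol: the client POSTs an XML request with an updatecheck element, and the server answers with a manifest naming the package, its size and a hash, plus the codebases it may be fetched from. The parser below is an added example, not code from the report or from Google: it reads the captured response (copied from the traffic dump with the hXXp/VVV de-fanging reversed) and verifies a downloaded package against the manifest. The assumption, not stated on the page, is that the manifest's hash attribute is base64(SHA-1(package bytes)); the package bytes fed to the verifier are constructed.

```python
"""
Added example (not code from the report or from Google): parse the Omaha
(Google Update) v3 update-check response captured in the report and verify a
downloaded package against the manifest it carries.

Assumption (not stated on the page): the 'hash' attribute is base64(SHA-1)
of the package bytes. The response text is copied from the capture with the
de-fanging (hXXp, VVV) reversed; the package bytes in the demo are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

OMAHA_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?><response protocol="3.0" server="prod"><daystart elapsed_days="2698" elapsed_seconds="35012"/><app appid="{8A69D345-D564-463C-AFF1-A69D9E530F96}" status="ok"><updatecheck status="ok"><urls><url codebase="http://cache.pack.google.com/edgedl/chrome/win/D49A7790200F64CE/"/><url codebase="http://www.google.com/dl/chrome/win/D49A7790200F64CE/"/><url codebase="https://dl.google.com/chrome/win/D49A7790200F64CE/"/><url codebase="http://dl.google.com/chrome/win/D49A7790200F64CE/"/><url codebase="http://google.com/dl/chrome/win/D49A7790200F64CE/"/></urls><manifest version="35.0.1916.114"><packages><package fp="2.35.0.1916.114" hash="BFD4gUIxRsRNJjewFw7LqqCZWh0=" name="35.0.1916.114_chrome_installer.exe" required="true" size="38382160"/></packages><actions><action arguments="--multi-install --chrome --verbose-logging --do-not-launch-chrome" event="install" run="35.0.1916.114_chrome_installer.exe"/><action Version="35.0.1916.114" event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/></actions></manifest></updatecheck></app></response>"""


def parse_update_response(xml_text):
    """One dict per <app> in an Omaha v3 response: app id, status, candidate
    codebases, manifest version, packages and install actions."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("protocol") != "3.0":
        raise ValueError("not an Omaha v3 response")
    apps = []
    for app in root.findall("app"):
        entry = {"appid": app.get("appid"), "status": app.get("status"),
                 "urls": [], "version": None, "packages": [], "actions": []}
        uc = app.find("updatecheck")
        if uc is not None:
            entry["updatecheck_status"] = uc.get("status")
            entry["urls"] = [u.get("codebase") for u in uc.findall("urls/url")]
            man = uc.find("manifest")
            if man is not None:
                entry["version"] = man.get("version")
                for p in man.findall("packages/package"):
                    entry["packages"].append({
                        "name": p.get("name"), "size": int(p.get("size")),
                        "hash": p.get("hash"), "fp": p.get("fp"),
                        "required": p.get("required") == "true"})
                for a in man.findall("actions/action"):
                    entry["actions"].append(
                        {k: a.get(k) for k in ("event", "run", "arguments") if a.get(k)})
        apps.append(entry)
    return apps


def package_hash(data):
    """base64(SHA-1) as carried in the manifest's hash attribute (assumption)."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def verify_package(package, data):
    """True only if both size and hash match the manifest entry. The size check
    comes first so a truncated download fails before any hashing is done."""
    return len(data) == package["size"] and package_hash(data) == package["hash"]


def download_candidates(app, package):
    """Every URL the client may fetch the package from, in server order. Four of
    the five codebases here are plain http://, which is exactly why the manifest
    hash matters: without it an on-path attacker could swap the installer."""
    return [base + package["name"] for base in app["urls"]]


if __name__ == "__main__":
    app = parse_update_response(OMAHA_RESPONSE)[0]
    pkg = app["packages"][0]
    print(app["appid"], app["version"], pkg["name"], pkg["size"], pkg["hash"])
    for url in download_candidates(app, pkg):
        print("  ", url)
    # Constructed stand-in for the installer: rejected on size alone.
    print("verify(fake) ->", verify_package(pkg, b"MZ" + b"\0" * 62))
```

The same parser applies to the event report at the second POST (appid {430FD4D0-B729-4F61-AA34-91526481799D}, the updater itself), which carries no updatecheck and therefore yields an entry with an empty package list.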
Map
The Worm connects to the servers at the following location(s): (the original report shows a geolocation map image here, not reproduced; the resolved addresses are those in the URL table above)
Strings from Dumps
svchost.exe_868:
The same string set appears in all four dumps of svchost.exe:868 and svchost.exe:1180 (each process and its RWX region at 0x00400000, 0xC000 bytes), so it is listed once here. It is a Visual Basic 6 binary (MSVBVM60.DLL, VB6.OLB). Editor's reading of the indicators: GetExtendedTcpTable and SetTcpEntry from iphlpapi.dll, a routine named getTCPConnections, a list of antivirus updater process names (avp.exe, ekrn.exe, avgmfapx.exe, mcupdmgr.exe, drwupsrv.exe and others) and the leading octets of twelve address ranges are consistent with code that enumerates TCP connections and tears down those carrying security products' update traffic (the only state SetTcpEntry accepts is MIB_TCP_STATE_DELETE_TCB). ilmioip.it is a public "what is my IP" service, presumably used to learn the infected host's external address.
.rsrc
C:\Windows\SysWOW64\msvbvm60.dll\3
iphlpapi.dll
GetExtendedTcpTable
SetTcpEntry
getTCPConnections
dnsapi.dll
kernel32.dll
ws2_32.dll
NTDLL.DLL
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
.text
`.data
KERNEL32.DLL
MSVBVM60.DLL
ilmioip.it
http://www.ilmioip.it
avp.exe
127.0.0.1
update.exe
avast.setup
avgmfapx.exe
guardxup.exe
mcupdmgr.exe
FPAVServer.exe
drwupsrv.exe
BullGuardUpdate.exe
fshoster32.exe
Upgrader.exe
ALUpdate.exe
62.67.184
84.233.19
89.202.14
93.184.71
89.202.15
89.202.149
178.77.12
92.51.171
80.237.15
46.163.12
83.169.60
217.115.1
ekrn.exe
AVKProxy.exe
WinHttp.WinHttpRequest.5.1
WatchIt!.exe
svchost.exe_868_rwx_00400000_0000C000:
(string set identical to svchost.exe_868 above)
svchost.exe_1180:
(string set identical to svchost.exe_868 above)
svchost.exe_1180_rwx_00400000_0000C000:
(string set identical to svchost.exe_868 above)
svchost.exe_1480:
Strings consistent with the installer/persistence component: the configuration-like string Svchost*1*|OFF|*appdata*Trion\*svchost.exe* matches the dropped %Application Data%\Trion\svchost.exe, and the registry paths are the HKCU/HKLM Run keys, the Winlogon\Shell value (with "Explorer.exe," as the prefix of a shell-hijack entry) and Policies\System\EnableLUA, the value that disables UAC.
`.rsrc
DetectWindows
advapi32.dll
ntdll.dll
VBA6.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
shell32.dll
ShellExecuteEx
lz32.dll
.text
`.data
.rsrc
Svchost*1*|OFF|*appdata*Trion\*svchost.exe*
KERNEL32.DLL
MSVBVM60.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
WScript.Shell
explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Scripting.FileSystemObject
Explorer.exe,
a.exe
svchost.exe_1480_rwx_00400000_0000B000:
(string set identical to svchost.exe_1480 above)
svchost.exe_328:
`.rsrc
WebHide
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\MSVBVM60.DLL\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
03C:\Windows\SysWOW64\ieframe.oca
4^tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
InternetOpenUrlA
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetDirectory
Http_DownloadFile
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpDownload
FtpUpload
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
.text
`.data
.rsrc
.rsrch
KERNEL32.DLL
MSVBVM60.DLL
*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
http\shell\open\command
127.0.0.1
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
http://www.facebook.com/?ref=home
http://www.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WScript.Shell
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
/stext mess.dat
abe2869f-9b47-4cd9-a358-c22904dba7f7
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
https://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
\system32\userinit.exe
steam.exe
hl.exe
\rspad.dat
@*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
svchost.exe_328_rwx_00400000_0007B000:
`.rsrc
WebHide
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\MSVBVM60.DLL\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
03C:\Windows\SysWOW64\ieframe.oca
4^tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
InternetOpenUrlA
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetDirectory
Http_DownloadFile
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpDownload
FtpUpload
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
.text
`.data
.rsrc
.rsrch
KERNEL32.DLL
MSVBVM60.DLL
*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
http\shell\open\command
127.0.0.1
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
http://www.facebook.com/?ref=home
http://www.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WScript.Shell
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
/stext mess.dat
abe2869f-9b47-4cd9-a358-c22904dba7f7
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
https://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
\system32\userinit.exe
steam.exe
hl.exe
\rspad.dat
@*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
A5OINK8SAER9Y.exe_1684:
.text
`.rdata
@.data
.rsrc
@.reloc
Invalid parameter passed to C runtime function.
mi_exe_stub.pdb
GetProcessHeap
KERNEL32.dll
msvcrt.dll
_acmdln
_amsg_exit
SHLWAPI.dll
ole32.dll
SHELL32.dll
USER32.dll
zcÁ
]".kaJ
0bc;%uU$
Í}X
h_%uT
76.jqx
`iXo%F
u4V%Sdk
-.OA@
8RsQl
p.nA3'
[.Wi]
C%xlZ&)$
2\.UI
`.AQ9.Y
Ëei
0w.ck2
eW.Xq
.xc*P
G.Nf8va
.KL@o
-~{%f
:?I2.yS
NC$%f?
Vj.SB
(l.Nb
6''oe-Z}@nz!
!.Ac-t
nr %c
#Q.xdEi
B,k
(y.Bnp
3uy%f
fv?%f
.HK_2R{8
3.Ou8t
M=-KMp}
$A.TaK
fcRT
--!.cr
Ush.BO
.ck-[~
/-k'.Rl
%Fj(qX
.Ih5lk
1%F]A
/oCmd
.gulh|
rxB%U
.QZ:ZdLfe
###7777_{
###____777
###````87{
<requestedExecutionLevel level="asInvoker" />
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
GoogleUpdateSetup.exe
/%s %s /%s
Windows 2000 Service Pack 4
Windows 2000
lador de %1!s! requereix Windows 2000 amb Service Pack 4 o una versi
m Windows 2000 Service Pack 4 nebo nov
ver Windows 2000 Service Pack 4 eller bedre.
r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h
Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.
Windows 2000 Service Pack 4:n tai uudemman.
cessite Windows
je Windows 2000 Service Pack 4-et vagy frissebb verzi
krefst Windows 2000
Google#Programma di installazione di %1!s!!Errore sconosciuto dell'installertInstallazione non riuscita. Il programma di installazione di %1!s! richiede Windows 2000 Service Pack 4 o superiore.
Installatieprogramma van %1!s!'Onbekende fout van installatieprogrammasDe installatie is mislukt. Voor het installatieprogramma van %1!s! is Windows 2000 Service Pack 4 of hoger vereist.
Ukjent installasjonsfeilgInstallasjonen mislyktes. %1!s! installasjonsprogrammet krever Windows 2000 Service Pack 4 eller nyere.
. Instalator %1!s! wymaga systemu Windows 2000 z dodatkiem Service Pack 4 lub nowszego.
o. O instalador do %1!s! requer o Windows 2000 Service Pack 4 ou posterior.
it. %1!s! Programul de instalare are nevoie de Windows 2000 Service Pack 4 sau de o versiune superioar
ka alata za instalacijulInstalacija nije uspjela. Za instalacijski program %1!s! potreban je Windows 2000 Service Pack 4 ili noviji.
m Windows 2000 Service Pack 4 alebo nov
ver Windows 2000 Service Pack 4 eller b
kleyicisi Windows 2000 Hizmet Paketi 4 veya sonras
Program pemasang %1!s!!Kesalahan Installer Tak DiketahuiePemasangan gagal. Program pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.
na. Za namestitveni program za %1!s! potrebujete Windows 2000 s servisnim paketom SP 4 ali novej
uab rakendust Windows 2000 hoolduspakett 4 v
ama Windows
Windows 2000
u Windows 2000 G
Pemasang %1!s!#Ralat Pemasang yang Tidak Diketahui]Pemasangan gagal. Pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.
Kisakinishi cha %1!s!%Hitilafu ya Kisakinishi Isiyojulikana_Usakinishaji haukufaulu. Kisakinishi cha %1!s! kinahitaji Windows 2000 Service Pack 4 au zaidi.
. Windows 2000
Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.
n. %1!s! El instalador requiere Windows 2000 Service Pack 4 o superior.
o %1!s! necessita do Windows 2000 Service Pack 4 ou superior.
n. %1!s! Installer requiere Windows 2000 Service Pack 4 o versiones posteriores.
1.3.21.111
GoogleUpdate.exe_316:
.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
kernel32.dll
GetProcessWindowStation
USER32.DLL
GoogleUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
###7777_{
###____777
###````87{
%Program Files%\GUMD.tmp\GoogleUpdate.exe
goopdate.dll
GoogleUpdate.exe
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
1.3.21.103
2007-2010
2007-2010
GoogleUpdate.exe_1812:
.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
kernel32.dll
GetProcessWindowStation
USER32.DLL
GoogleUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
###7777_{
###____777
###````87{
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
goopdate.dll
GoogleUpdate.exe
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
1.3.21.103
2007-2010
2007-2010
GoogleUpdate.exe_1308:
.text
`.data
.text/DE
@.rsrc
@.reloc
SHELL32.dll
USER32.dll
SHLWAPI.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
kernel32.dll
GetProcessWindowStation
USER32.DLL
GoogleUpdate_unsigned.pdb
RegOpenKeyExW
ADVAPI32.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
###7777_{
###____777
###````87{
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
goopdate.dll
GoogleUpdate.exe
Software\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
1.3.21.103
2007-2010
2007-2010