MD5: 8999f61d881af2692ffdf997c3dd9b12
SHA1: 5b979284da0e8cd0303e73f1996c8c94a2bcfe51
SHA256: acadfdb541359df22e0877eece55ab2428cb9edb39b976a5e8e4ec0b5d003b4b
SSDeep: 24576:svo8KGBgeFDuRbTOvOdUcY/sz4bVJSAjq9Zp1tDlM8hmwzDao:svo8KGBgeFCTOGdUcYkkSBXDvXD1
Size: 1224192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-11 10:37:03
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:1804
GoogleUpdate.exe:4052
GoogleUpdate.exe:3432
GoogleUpdate.exe:3372
GoogleUpdate.exe:2496
GoogleUpdate.exe:956
GoogleUpdate.exe:3776
LocalLeu_xUsaz_.exe:1692
%original file name%.exe:1672
58.0.3029.81_chrome_installer.exe:1548
chrome.exe:2132
chrome.exe:2444
chrome.exe:772
chrome.exe:2980
chrome.exe:4024
chrome.exe:1252
chrome.exe:1560
chrome.exe:3656
chrome.exe:3044
chrome.exe:1864
LocalcLUQGCIkej.exe:3168
netsh.exe:2512
setup.exe:896

The Trojan injects its code into the following process(es):

chrome.exe:3336
chrome.exe:2164
google .com:2384

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:4052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\Install\{B74FE026-17E8-4904-9667-2D3852869078}\58.0.3029.81_chrome_installer.exe (354602 bytes)
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\58.0.3029.81\58.0.3029.81_chrome_installer.exe (333797 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59 (0 bytes)
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6FAAFEA9-4C4F-4738-A271-70DB52143773}-58.0.3029.81_chrome_installer.exe (0 bytes)

The process GoogleUpdate.exe:3776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUMF298.tmp\goopdateres_fr.dll (49 bytes)
%Program Files%\GUMF298.tmp\goopdate.dll (49 bytes)

The process LocalLeu_xUsaz_.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com (845 bytes)

The process %original file name%.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLeu_xUsaz_.exe (341 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalcLUQGCIkej.exe (1978 bytes)

The process 58.0.3029.81_chrome_installer.exe:1548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\CHROME.PACKED.7Z (50572 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\setup.exe (19187 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\SETUP.EX_ (528 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\CHROME.PACKED.7Z (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\setup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\SETUP.EX_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp (0 bytes)

The process chrome.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\58.0.3029.81\chrome_watcher.dll (483 bytes)

The process chrome.exe:3336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\58.0.3029.81\chrome_child.dll (5823 bytes)

The process chrome.exe:2164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\237913a104effca4_0 (2591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal (2220 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (3291 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\86bc378bba217ded_0 (2797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal (3450 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_NMuVASeqeiXvjJG (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\A19.tmp (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\ADF3.tmp (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\LOG (609 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\1e16adeb2b036d0a_0 (2309 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History-journal (5380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_oKfHm82bqcxe79d (576 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_LcWou9LFWCczIwD (2480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (13444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\99f80f27ba259469_0 (1806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG (616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\989d58c926ac97d7_0 (2737 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_1 (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e6af3213c3ae0b2d_0 (3367 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\4552cf74d5ebf7e9_0 (1689 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6D57.tmp (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (5378 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (613 bytes)
%Program Files%\Google\Chrome\Application\58.0.3029.81\chrome_elf.dll (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt.tmp (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e2042f2bac3c4012_0 (2272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6E33.tmp (644 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History (1028 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\000003.log (84 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\index-dir\temp-index (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYPV4OB5WE6HGB4LBXN1.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\index (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_4YCVY53c0jARZG7 (2798 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_0 (3624 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_VB6EvbDyScxCYFx (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (11276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_akTSmiihSHa9pLC (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db (988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000019 (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (10985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (13264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (7080 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (107088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (38683 bytes)
%Program Files%\Google\Chrome\Application\58.0.3029.81\chrome.dll (5823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\70d3d608533f515e_0 (4798 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies (806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\a8bde667debcd4b0_0 (2123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\temp-index (504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6E34.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\6D36.tmp (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (33564 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (35462 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\fdf2cfeb8ad0eeac_0 (1751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log (712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\1157fee2e2dc1968_0 (1873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 (58 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor (4792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015 (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (33552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6D56.tmp (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Favicons (1016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\70d3d608533f515e_0 (5064 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y5RFNC6FA9W5QZ0MG6U0.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000004.log (524 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\49CC.tmp (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF144fb5.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF150a0e.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF146e2d.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF144df0.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RF145994.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\280F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF14adeb.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\LOG.old~RF1450dd.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF1450ae.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\todelete_22240cf83da4ff0d (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF144fa5.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\2820.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt~RF145f7d.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF146d52.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF146d33.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\index-dir\the-real-index~RF14addb.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\9D40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\todelete_0d37cd25b85b07ec (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State~RF146e2d.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt~RF14733c.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF14a285.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF14adac.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1446fe.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RF14cec3.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF146d52.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Last Session (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF144855.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\9D41.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\49CC.tmp (0 bytes)

The process LocalcLUQGCIkej.exe:3168 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUMF298.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUMF298.tmp\goopdateres_pl.dll (46 bytes)
%Program Files%\GUMF298.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateBroker.exe (95 bytes)
%Program Files%\GUMF298.tmp\goopdateres_te.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ms.dll (45 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ml.dll (48 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sw.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ta.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_es.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sk.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_iw.dll (43 bytes)
%Program Files%\GUMF298.tmp\goopdateres_en.dll (44 bytes)
%Program Files%\GUMF298.tmp\goopdateres_lv.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ar.dll (43 bytes)
%Program Files%\GUMF298.tmp\psuser.dll (191 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateSetup.exe (7385 bytes)
%Program Files%\GUMF298.tmp\goopdateres_da.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_no.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fil.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ja.dll (42 bytes)
%Program Files%\GUMF298.tmp\goopdateres_tr.dll (45 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdate.exe (309 bytes)
%Program Files%\GUMF298.tmp\goopdateres_et.dll (45 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateWebPlugin.exe (95 bytes)
%Program Files%\GUMF298.tmp\goopdateres_mr.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_pt-BR.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_nl.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_el.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_bn.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ur.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_vi.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUMF298.tmp\goopdateres_gu.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_es-419.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_kn.dll (47 bytes)
%Program Files%\GUMF298.tmp (28 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ko.dll (41 bytes)
%Program Files%\GUTF299.tmp (6 bytes)
%Program Files%\GUMF298.tmp\goopdateres_lt.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sv.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_is.dll (45 bytes)
%Program Files%\GUMF298.tmp\psmachine.dll (191 bytes)
%Program Files%\GUMF298.tmp\goopdateres_bg.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_zh-TW.dll (39 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fr.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_de.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_pt-PT.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ru.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_uk.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_zh-CN.dll (39 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateComRegisterShell64.exe (137 bytes)
%Program Files%\GUMF298.tmp\goopdateres_en-GB.dll (44 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sr.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ca.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_th.dll (44 bytes)
%Program Files%\GUMF298.tmp\goopdateres_cs.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fi.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_id.dll (45 bytes)
%Program Files%\GUMF298.tmp\goopdateres_am.dll (44 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sl.dll (46 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateOnDemand.exe (95 bytes)
%Program Files%\GUMF298.tmp\goopdateres_hi.dll (45 bytes)
%Program Files%\GUMF298.tmp\psuser_64.dll (222 bytes)
%Program Files%\GUMF298.tmp\psmachine_64.dll (222 bytes)
%Program Files%\GUMF298.tmp\goopdateres_hr.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fa.dll (44 bytes)
%Program Files%\GUMF298.tmp\GoogleCrashHandler.exe (252 bytes)
%Program Files%\GUMF298.tmp\goopdateres_it.dll (47 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ro.dll (46 bytes)
%Program Files%\GUMF298.tmp\goopdateres_hu.dll (46 bytes)

The Trojan deletes the following file(s):

%Program Files%\GUMF298.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_et.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUMF298.tmp (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdate.dll (0 bytes)
%Program Files%\GUMF298.tmp\psuser.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sv.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUMF298.tmp\psmachine.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUTF299.tmp (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUMF298.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUMF298.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUMF298.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUMF298.tmp\goopdateres_hu.dll (0 bytes)

The process google .com:2384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea2d80f6b4b7963e05f3bc65a43c8821.exe (673 bytes)

The process setup.exe:896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ca.pak (329 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\gu.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\en-GB.pak (271 bytes)
%Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\setup.exe (8281 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\libglesv2.dll (2 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\libegl.dll (87 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sr.pak (499 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\de.pak (287 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\snapshot_blob.bin (1 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fr.pak (350 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\id.pak (294 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\pl.pak (327 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_child.dll (56723 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome.dll (34482 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\logocanary.png (22 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements (4 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\icudtl.dat (10 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ta.pak (773 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\smalllogocanary.png (7 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ms.pak (254 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\hu.pak (346 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_child.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\external_extensions.json (1 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sl.pak (310 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\hi.pak (668 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\nl.pak (316 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\nacl64.exe (6 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fil.pak (334 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\cs.pak (333 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\resources.pak (2610 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\uk.pak (516 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\zh-CN.pak (270 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\nacl_irt_x86_32.nexe (3 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\youtube.crx (23 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ro.pak (334 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fa.pak (467 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sv.pak (300 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\hr.pak (310 bytes)
%Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\chrmstp.exe (8281 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\lt.pak (334 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\chrome.7z (276214 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ja.pak (391 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\et.pak (289 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\it.pak (320 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59 (8 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\zh-TW.pak (270 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\he.pak (384 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Extensions\external_extensions.json (99 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\en-US.pak (271 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sk.pak (344 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\tr.pak (324 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\d3dcompiler_47.dll (3 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\bn.pak (694 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_watcher.dll (480 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\chrome_installer.log (12642 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\te.pak (723 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\pt-BR.pak (321 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\am.pak (455 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\401D.tmp (15 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_elf.dll (433 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ru.pak (517 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\natives_blob.bin (262 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\es.pak (332 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ko.pak (330 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome.exe.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ar.pak (450 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sw.pak (281 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_200_percent.pak (723 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\vi.pak (372 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\logo.png (17 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\el.pak (587 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\bg.pak (543 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\58.0.3029.81.manifest (224 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\es-419.pak (326 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\kn.pak (748 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\da.pak (300 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_100_percent.pak (455 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\nb.pak (296 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\chrome.VisualElementsManifest.xml (407 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\docs.crx (4 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fi.pak (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\lv.pak (335 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales (8 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\eventlog_provider.dll (12 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\nacl_irt_x86_64.nexe (4 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\drive.crx (25 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps (4 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\mr.pak (662 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\manifest.json (950 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\smalllogo.png (7 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\pt-PT.pak (325 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (219 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\chrome.exe (977 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ml.pak (838 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin (4 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\th.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\gmail.crx (24 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (8323 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Chrome\Temp\scoped_dir_896_6772 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\youtube.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\natives_blob.bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\chrome.7z (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\uk.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\he.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\el.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\bg.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\nacl64.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\hi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sv.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ca.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_200_percent.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific\win_x86 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\resources.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\smalllogo.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\pt-BR.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\en-US.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\gu.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sk.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_watcher.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\nacl_irt_x86_64.nexe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\da.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\pl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\lt.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\smalllogocanary.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ko.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\te.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Temp (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\pt-PT.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\snapshot_blob.bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Extensions\external_extensions.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\en-GB.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\et.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\de.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\libglesv2.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\mr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\d3dcompiler_47.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ro.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\logocanary.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\setup.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ru.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ar.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\kn.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_child.dll (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_896_6772\chrome.VisualElementsManifest.xml (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\vi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59 (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_896_5901 (0 bytes)
%Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fake-bidi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\zh-TW.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\gmail.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\docs.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\id.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fil.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ms.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\drive.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ta.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\nb.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\am.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fa.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\cs.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Extensions (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ja.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\chrmstp.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\libegl.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\it.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\nl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\54.0.2840.59.manifest (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\hr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\tr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_100_percent.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ml.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\bn.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\es-419.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\lv.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\es.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\icudtl.dat (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\zh-CN.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\nacl_irt_x86_32.nexe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sw.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_elf.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\logo.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\manifest.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\external_extensions.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\th.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\hu.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_896_5901\chrome.exe (0 bytes)

Registry activity

The process GoogleUpdate.exe:1804 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:4052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"InstallProgressPercent" = "95"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"
"browser" = "4"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "3"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{2EEEF44C-DD87-488F-B3E9-9E31B65B4007}]
"PersistedPingTime" = "131374249389786006"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerError" = "2"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{2EEEF44C-DD87-488F-B3E9-9E31B65B4007}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"iid" = "{37BB583C-611D-C0BC-537F-CF98DA48B40C}"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{054A8259-AB66-4835-8699-EADF51F4FE7E}]
"PersistedPingString" = ""

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"lang" = "fr"
"LastInstallerResult" = "0"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{054A8259-AB66-4835-8699-EADF51F4FE7E}]
"PersistedPingTime" = "131374249355314229"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ping_freshness" = "{5BFB4245-E5AB-4516-8777-4C915E4FCDE4}"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastInstallerError" = "2"
"LastCheckSuccess" = "1492951354"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"DownloadProgressPercent" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\cohort]
"Name" = "Stable Installs Only"
"(Default)" = "1:gu/i19:j39@0.05"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
"usagestats" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
"LastInstallerResult" = "0"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{2EEEF44C-DD87-488F-B3E9-9E31B65B4007}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{054A8259-AB66-4835-8699-EADF51F4FE7E}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableSince"
"eulaaccepted"
"InstallerError"
"UpdateAvailableCount"
"InstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerError"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"eulaaccepted"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastInstallerResultUIString"
"InstallerResult"
"iid"
"tttoken"
"ap"
"LastInstallerResult"

[HKLM\SOFTWARE\Google\Update]
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastInstallerError"
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
"LastInstallerExtraCode1"

The process GoogleUpdate.exe:3432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
"eulaaccepted"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats"

The process GoogleUpdate.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:956 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"iid" = "{37BB583C-611D-C0BC-537F-CF98DA48B40C}"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"eulaaccepted"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats"

The process LocalLeu_xUsaz_.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 58.0.3029.81_chrome_installer.exe:1548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome-full"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "-full"

The process chrome.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Chrome\BrowserExitCodes]
"2164-13137424955358629" = "259"

The process chrome.exe:2164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "0"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "1"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid_installdate" = "0"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"mfehgcgbbipciphmccgaenjidiccnmng" = "1DC828FC71893905C8EF7491DA4A223A309F9A65F2AA1E8B27EB0335357060D6"
"apdfllckaahabafndbhieahigkjlhalf" = "4B1337E12EB6116569B013109DCC1F6FA5365488395F1DC8F284A89454DFE9BA"
"pkedcjkdefgpdelpbcmbmeomcjbeemfm" = "DD75F4A01E692C523E384EDC4B8C28BD3E9E1747978F8BCEBA72FB989FCF8F6C"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"software_reporter.prompt_seed" = "5DEE273EB35EA611CC8B05C11339971195988DF2D6800BA04068186F87D707FE"
"HomePage" = "4927C32345C390D3C2585C40287699F259C49BEE9192DAB7104F17AA633628F9"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"bepbmhgboaologfdajaanbcjmnhjmhfn" = "154FF1ECE5E955318D75C167E8A1E4B5AD686ECB55C4578D41DE7FBA1EB1A631"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-843" = "BitLocker Drive Encryption"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"neajdppkdcdipfabeoofebfddakdcjhd" = "4C7DC7C3942F96EC66F23A38CB19045A20F8A5F341C61A6F5702FDE439674EAE"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "0"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid_enableddate" = "0"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"safebrowsing.incidents_sent" = "B346F9147F0583630A2688A0683537FBA094EE4100E50E305686DD491008A268"
"session.restore_on_startup" = "F0A52AE7661810668D8E08055085183CED86CFFEFBABF4487438382CFB901D65"
"session.startup_urls" = "7C30C31B08C15195FCA3F9D8B98ECFDEFBFC1AFCC54E7964D0DCB176331BCB68"

[HKCU\Software\Google\Chrome\BLBeacon]
"Version" = "58.0.3029.81"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"browser.show_home_button" = "5345858319222558DD668E1523DE4B89C249EFA449863F6917C244D08FDD99A8"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"kmendfapggjehodndflmmgagdbamhnfd" = "A098AB06256361D3CA20EE6DA40A50CDD3D0AF19B376D9FF9E802ADD8AB04DD0"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"gfdkimpbcpahaombhbimeihdjnejgicl" = "DC647C5E05C0C3EFA2C30C24D0B19ABC0104FE655CB0E4B4A98EF4C5633DDAE1"
"nmmhkkegccagdldgiimedpiccmgmieda" = "89D010D2DA99FEAF4457953B4637882A3D28069A07CBBAAD5E5865B122376C21"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"settings_reset_prompt.last_triggered_for_startup_urls" = "3BE9C80F4B2EFE6B406EE62D0CBB404679873B6C13BE6B2EA373FEFFC0187180"
"google.services.last_username" = "35DCC78B635F9EA705EAA01B61C07356D702C74B011988036A925D0A8B56FC9F"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"mfffpogegjflfpflabcdkioaeobkgjik" = "077BBC21628028EEB3E3FAF3D63B19CD2175B0CBDBB3645399F8791DE76B860D"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"prefs.preference_reset_time" = "C4055A17280FBB3B2950B15B5826BF53448DA1A9BE6745455425486792E5EA32"
"settings_reset_prompt.prompt_wave" = "34EE47987513300F16FFDDE04C4D700EBF43B948C1DCD5125D3C529C62545064"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"pjkljhegncpnkpknbcohdijeoejaedia" = "51BA9E3F6D883D008377B9B70542F68323B13018EF6B11E1846425727ACAF35F"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"google.services.account_id" = "366D929451F2F626937028C81058757FD73C1CD25B577B6F75D6DCC35043B40A"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ahfgeienlihckogmohjhadlkjgocpleb" = "A8974EFB53C5B2F75A33F09DF52DFFA6AC407DBA33A8A2F35A5E723814E4C879"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"mhjfbmdgcfjbbpaeojofohoefgiehjai" = "B9DFBDF7B4DF3E09A965EA7E98AD0A75BF2160606D01D16756FCAB93FA3269F2"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"google.services.last_account_id" = "2BE18804583E4ABEB264E73CF1EF974E69DB818364E5802542F41C44F1787FF3"
"search_provider_overrides" = "82133C6B8BE9C44D8F2476EB29EC800275A854A6B746A4707927EB151F4034D4"
"settings_reset_prompt.last_triggered_for_default_search" = "5E384B99DC10515F47BBC9BF48E423CB4C7B7CD43D7268209D1A5F1C99A0D899"

[HKCU\Software\Google\Chrome\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "0"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"nkeimhogjdpnpccoofpliimaahmaaome" = "B6A411B9EEE119BED7DB8ADFC763F5C961CD963B70DC9251F3FFA0AC2FDB74FB"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"lastrun" = "13137424955998230"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"google.services.username" = "2F571C280DA9B0905DC3683526617D8510C049B03FAB0A3F4DE7A470ED52D469"
"default_search_provider_data.template_url_data" = "4369562BF77A2ACF6EB84944136A955206E601F2197BAC482894A16D090369D5"

[HKCU\Software\Google\Chrome\BLBeacon]
"failed_count" = "0"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"software_reporter.prompt_version" = "7DD0AFAE10A07459AC8D6024EE95B1D0D3186DE614BC6855ADBD75A462740731"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"felcaaldnbdncclmgdcncolpebgiejap" = "1CE4B3FEF412CABE2793A2395EFC6A388F6B6B92C9D8F90FFF8D21DA72040A9D"

[HKCU\Software\Google\Chrome]
"UsageStatsInSample" = "0"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"aapocclcgogkmnckokdopfmhonfmgoek" = "1D447311EA05C44F7A19ADA993711677E4BD021C7592BFF8CCE4DE352C26BB00"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid" = ""

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"eemcgdkfndhakfknompkggombfjjjeno" = "36FD91C15D12F15A440BD9F8869E6ACFB7A0497041DFB3383F9B3C3DB8382A0E"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"homepage_is_newtabpage" = "D2AB4FC90DF81D5771D709024E019D947F2F7C48B215D61898335B0FE8A39AB7"
"pinned_tabs" = "1019B42475EDDCE449D9567C5AE4A20AA55A2400280BA3BB7554F2894896740E"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"aohghmighlieiainnegkcijnfilokake" = "1A84FF512CA0D78288B487F86EA2D64FA2E7C672BA4AA9C77DE40CAE5286EC05"
"ghbmnnjooekpmoecnnnilnnbdlolhkhi" = "42912E93D387F9D869FC037F50466D63F7CA062204EA2211EFC8D2ED37C3D4C9"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"aggregate" = "sum()"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"aggregate" = "sum()"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"blpcfgokakmgnkcojhhkbfbldkacnbeo" = "2B67C5C823BEF8467AEC9E5AE199CB1C7B14D1190F0AE25CC619767AF21980EC"

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"settings_reset_prompt.last_triggered_for_homepage" = "FBF3077DE788CC8F8D527282830EA8ECD0BC1F07F7B756F1C93439C81522303E"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
[HKCU\Software\Google\Chrome\PreReadFieldTrial]
[HKCU\Software\Google\Chrome\BrowserExitCodes]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"extensions.settings"

[HKCU\Software\Google\Chrome\BrowserExitCodes]
"2164-13137424955358629"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"experiment_labels"

The process chrome.exe:3656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@C:\Windows\system32]
"FXSRESM.dll,-120" = "Fax recipient"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"@sendmail.dll,-21" = "Desktop (create shortcut)"
"@sendmail.dll,-4" = "Mail recipient"
"@zipfldr.dll,-10148" = "Compressed (zipped) folder"
"LanguageList" = "en-US, en"

The process netsh.exe:2512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"eapqec.dll,-103" = "Microsoft Corporation"
"eapqec.dll,-102" = "1.0"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"tsgqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-3" = "Microsoft Corporation"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-4" = "1.0"
"tsgqec.dll,-102" = "1.0"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-102" = "Microsoft Corporation"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"

The process google .com:2384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ea2d80f6b4b7963e05f3bc65a43c8821" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com .."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ea2d80f6b4b7963e05f3bc65a43c8821" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com .."

The process setup.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"https" = "ChromeHTML"

[HKCR\.xht\OpenWithProgids]
"ChromeHTML" = ""

[HKCR\.shtml\OpenWithProgids]
"ChromeHTML" = ""

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"ParameterMessageFile" = "%Program Files%\Google\Chrome\Application\58.0.3029.81\eventlog_provider.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Publisher" = "Google Inc."

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome]
"(Default)" = "Google Chrome"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".webp" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"irc" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerError" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe"

[HKCR\.webp\OpenWithProgids]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"tel" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Name" = "Google Chrome"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".xht" = "ChromeHTML"
".pdf" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"ShowIconsCommand" = "%Program Files%\Google\Chrome\Application\chrome.exe --show-icons"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"IsInstalled" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities]
"ApplicationIcon" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\Startmenu]
"StartMenuInternet" = "Google Chrome"

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"CategoryCount" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"ftp" = "ChromeHTML"
"nntp" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Localized Name" = "Google Chrome"
"Version" = "43,0,0,0"

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"EventMessageFile" = "%Program Files%\Google\Chrome\Application\58.0.3029.81\eventlog_provider.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoModify" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities]
"ApplicationName" = "Google Chrome"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerResult" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayIcon" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"http" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".htm" = "ChromeHTML"
".shtml" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "100"

[HKCR\ChromeHTML]
"(Default)" = "Chrome HTML Document"

[HKCR\.htm\OpenWithProgids]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerProgress" = "18"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"IconsVisible" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"VersionMinor" = "81"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"news" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"VersionMajor" = "3029"

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"CategoryMessageFile" = "%Program Files%\Google\Chrome\Application\58.0.3029.81\eventlog_provider.dll"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"mailto" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Version" = "58.0.3029.81"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"sms" = "ChromeHTML"

[HKLM\SOFTWARE\RegisteredApplications]
"google chrome" = "Software\Clients\StartMenuInternet\Google Chrome\Capabilities"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"(Default)" = "Google Chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"UninstallString" = "%Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\setup.exe --uninstall --system-level --verbose-logging"

[HKCR\.xhtml\OpenWithProgids]
"ChromeHTML" = ""

[HKCR\.svg\OpenWithProgIds]
"ChromeHTML" = ""

[HKCR\.html\OpenWithProgids]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"smsto" = "ChromeHTML"
"mms" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"HideIconsCommand" = "%Program Files%\Google\Chrome\Application\chrome.exe --hide-icons"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoRepair" = "1"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"CommandLine" = "%Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\setup.exe --on-os-upgrade --system-level --verbose-logging"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"InstallLocation" = "%Program Files%\Google\Chrome\Application"

[HKCR\ChromeHTML\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKCR\ChromeHTML\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKCR\.pdf\OpenWithProgIds]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".html" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"webcal" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"StubPath" = "%Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayName" = "Google Chrome"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"pv" = "58.0.3029.81"

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayVersion" = "58.0.3029.81"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallArguments" = " --uninstall --system-level --verbose-logging"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".xhtml" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallString" = "%Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\setup.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"urn" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"Path" = "%Program Files%\Google\Chrome\Application"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"ReinstallCommand" = "%Program Files%\Google\Chrome\Application\chrome.exe --make-default-browser"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities]
"ApplicationDescription" = "Google Chrome est un navigateur Web qui exécute des applications et des pages Web en un temps record. Il est rapide, stable et simple à utiliser. Naviguez sur Internet en toute sécurité grâce à la protection intégrée de Google Chrome contre le phishing et les logiciels malveillants."

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".svg" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: Google Chrome2017.Scr
Internal Name: Google Chrome2017.Scr
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://redirector.gvt1.com/edgedl/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe	216.58.214.238
hxxp://r3.sn-2puapox-ig3e.gvt1.com/edgedl/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe?cms_redirect=yes&expire=1492965741&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1492951173&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=2B86C0E76280094B4295D528BB2EB352ED9D4336.045F1C3FA64C9474A9F25E70EAEDF23F7A7F6AA0&key=cms1
hxxp://r3---sn-2puapox-ig3e.gvt1.com/edgedl/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe?cms_redirect=yes&expire=1492965741&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1492951173&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=2B86C0E76280094B4295D528BB2EB352ED9D4336.045F1C3FA64C9474A9F25E70EAEDF23F7A7F6AA0&key=cms1	185.43.249.14
accounts.youtube.com	216.58.214.238
translate.googleapis.com	216.58.207.74
www.google.com	172.217.20.164
www.gstatic.com	216.58.214.227
ssl.gstatic.com	216.58.214.227
www.google.com.ua	172.217.20.163
tools.google.com	216.58.207.78
docs.google.com	216.58.214.238
accounts.google.com	172.217.20.173
apis.google.com	216.58.214.238
fonts.gstatic.com	216.58.214.227
mohameddz16.ddns.net	41.100.186.253
clients4.google.com	216.58.214.238

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

HEAD /edgedl/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: fg

Host: redirector.gvt1.com

HTTP/1.1 302 Found

Date: Sun, 23 Apr 2017 12:42:21 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Location: hXXp://r3---sn-2puapox-ig3e.gvt1.com/edgedl/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe?cms_redirect=yes&expire=1492965741&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1492951173&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=2B86C0E76280094B4295D528BB2EB352ED9D4336.045F1C3FA64C9474A9F25E70EAEDF23F7A7F6AA0&key=cms1

Content-Type: text/html; charset=UTF-8

Server: ClientMapServer

Content-Length: 635

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN
HTTP/1.1 302 Found..Date: Sun, 23 Apr 2017 12:42:21 GMT..Pragma: no-ca
che..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, 
must-revalidate..Location: hXXp://r3---sn-2puapox-ig3e.gvt1.com/edgedl
/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe?cms_redirect=y
es&expire=1492965741&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig
3e&ms=nvh&mt=1492951173&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,i
pbits,mm,mn,ms,mv,pl,shardbypass&signature=2B86C0E76280094B4295D528BB2
EB352ED9D4336.045F1C3FA64C9474A9F25E70EAEDF23F7A7F6AA0&key=cms1..Conte
nt-Type: text/html; charset=UTF-8..Server: ClientMapServer..Content-Le
ngth: 635..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGI
N..

HEAD /edgedl/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe?cms_redirect=yes&expire=1492965741&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1492951173&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=2B86C0E76280094B4295D528BB2EB352ED9D4336.045F1C3FA64C9474A9F25E70EAEDF23F7A7F6AA0&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: fg

Host: r3---sn-2puapox-ig3e.gvt1.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 43845736

Content-Type: application/octet-stream

Etag: "12b8c6"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sun, 23 Apr 2017 07:00:25 GMT

Alt-Svc: quic=":443"; ma=2592000; v="37,36,35"

Last-Modified: Wed, 19 Apr 2017 05:06:43 GMT

Connection: keep-alive
....


GET /edgedl/release2/bWE4q6DLAW8/58.0.3029.81_chrome_installer.exe?cms_redirect=yes&expire=1492965741&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1492951173&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=2B86C0E76280094B4295D528BB2EB352ED9D4336.045F1C3FA64C9474A9F25E70EAEDF23F7A7F6AA0&key=cms1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Wed, 19 Apr 2017 05:06:43 GMT

User-Agent: Microsoft BITS/7.5

X-Old-UID: cnt=0

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

X-HTTP-Attempts: 1

X-GoogleUpdate-Interactivity: fg

Host: r3---sn-2puapox-ig3e.gvt1.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Length: 43845736

Content-Type: application/octet-stream

Etag: "12b8c6"

Server: downloads

Vary: *

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-Xss-Protection: 1; mode=block

Date: Sun, 23 Apr 2017 07:00:25 GMT

Alt-Svc: quic=":443"; ma=2592000; v="37,36,35"

Last-Modified: Wed, 19 Apr 2017 05:06:43 GMT

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......^.LN.."...".
..".w.#..."...#."."...'..."... ..."......."......."... ...".Rich.."...
......................PE..L......X.........."......&..........J5......
.@....@.......................................@.......................
...........P..P....`..p...............h>..............8............
................................P...............................text..
..%.......&.................. ..`.data........@......................@
....idata..z....P.......*..............@..@.rsrc...p....`.......2.....
.........@..@.reloc..............................@..B.................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................{.8.A.6.9.D.3.4.5.-.D.5
.6.4.-.4.6.3.c.-.A.F.F.1.-.A.6.9.D.9.E.5.3.0.F.9.6.}.....{.4.e.a.1.6.a
.c.7.-.f.d.5.a.-.4.7.c.3.-.8.7.5.b.-.d.b.f.4.a.2.0.0.8.c.2.0.}.....{.4
.D.C.8.B.4.C.A.-.1.B.D.A.-.4.8.3.e.-.B.5.F.A.-.D.3.C.1.2.E.1.5.B.6.2.D
.}.....G.o.o.g.l.e.U.p.d.a.t.e.I.s.M.a.c.h.i.n.e...-.-.s.y.s.t.e.m.-.l
.e.v.e.l.....-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.l.e.a.n.u.p...-.-.c.h.r
.o.m.e.-.f.r.a.m.e.........-.-.m.u.l.t.i.-.i.n.s.t.a.l.l...%.W.I.N.D.I
.R.%.\.s.y.s.t.e.m.3.2.\.c.a.b.i.n.e.t...d.l.l.......%.S.Y.S.T.E.M
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

tGHt.Ht&

kernel32.dll

1.2.3

Visual C   CRT: Not enough memory to complete call to strerror.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

USER32.DLL

GetProcessHeap

KERNEL32.dll

GetCPInfo

GetConsoleOutputCP

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com

<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

mscorlib.dll

mscoree.dll

KERNEL32.DLL

google .com_2384_rwx_001F1000_00001000:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

;.JSE;.WSF;.WSH;.MSC

PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\

SystemRoot=C:\Windows

windir=C:\Windows

windows_tracing_flags=3

windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com

ComSpec=C:\Windows\system32\cmd.exe

OS=Windows_NT

Path=C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\Program Files\Wireshark

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

SearchProtocolHost.exe_540:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

chrome.exe_2164:

.text

`.rdata

@.data

.didat

.rsrc

@.reloc

D$,j.Xf

PVSSh

j.Yf;

_tcPVj@

.PjRW

dbghelp.dll

ole32.dll

inappropriate io control operation

not supported

operation canceled

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

address family not supported

broken pipe

function not supported

InitOnceExecuteOnce

operator

operator ""

?#%X.y

%S#[k

?OLEAUT32.dll

POWRPROF.dll

user32.dll

c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc

c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded

Could not find exported function

%s: option `%s' is ambiguous (could be `--%s' or `--%s')

%s: invalid option -- `-%c'

%s: argument required for option `

--%s'

0.8.0

%ls (%s) %s

hXXps://crashpad.chromium.org/

hXXps://crashpad.chromium.org/bug/new

Report %ls bugs to

%s home page: <%s>

%ls: %s

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

PlatformFile.UnknownErrors.Windows

Histogram: %s recorded %d samples

(flags = 0x%x)

.thunks

.syzygy

TrackedObjects.GetRetiredOrCreateThreadData

Histogram.InconsistentCountLow

Histogram.InconsistentCountHigh

UMA.PersistentAllocator.

.UsedPct

.Errors

c:\b\build\slave\win-pgo\build\src\base\metrics\persistent_memory_allocator.cc

(%d = %3.1f%%)

Collections of histograms for %s

c:\b\build\slave\win-pgo\build\src\base\metrics\statistics_recorder.cc

UMA.CreatePersistentHistogram.Result

UMA.NegativeSamples.Reason

-Windows NT

Dictionary keys must be quoted.

Unsupported encoding. JSON must be UTF-8.

Line: %i, column: %i, %s

58.0.3029.81

widevinecdmadapter.dll

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_update_settings.cc

Failed to write to application's ClientState key

Removed incremental installer failure key; switching to channel:

Removed multi-install failure key; switching to channel:

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\channel_info.cc

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_chrome_distribution.cc

iexplore.exe

googlechrome

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\language_selector.cc

c:\b\build\slave\win-pgo\build\src\components\browser_watcher\watcher_client_win.cc

user_experience_metrics.reporting_enabled

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\settings.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc

x-x-x-xx-xxxxxx

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io.cc

Crashpad.ExceptionEncountered

Crashpad.CrashUpload.Skipped

Crashpad.CrashUpload.AttemptSuccessful

Crashpad.CrashReportSize

Crashpad.CrashReportPending

Crashpad.HandlerCrash.ExceptionCode.Win

Crashpad.HandlerLifetimeMilestone

Crashpad.ExceptionCode.Win

Crashpad.ExceptionCaptureResult

--annotation=KEY=VALUE set a process annotation in each crash report

--database=PATH store the crash report database at PATH

HANDLE_pipe,

--pipe-name=PIPE communicate with the client over PIPE

--url=URL send crash reports to this Breakpad server URL,

pipe-name

duplicate key

--annotation requires KEY=VALUE

--initial-client-data and --pipe-name are incompatible

--initial-client-data or --pipe-name is required

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\handler_main.cc

SetProcessShutdownParameters

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc

reserved key

PrepareNewCrashReport failed

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc

FinishedWritingCrashReport failed

kernel32.dll

c:\b\build\slave\win-pgo\build\src\sandbox\win\src\sandbox_policy_base.cc

NtCreateKey

NtOpenKey

GetCertificate

GetCertificateSize

SetOPMSigningKeyAndSequenceNumbers

GetCertificateByHandle

GetCertificateSizeByHandle

CreateNamedPipeW

NtOpenKeyEx

Database Pruning: Failed to remove report

PruneCrashReportDatabase: Failed to get pending reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc

PruneCrashReportDatabase: Failed to get completed reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\initial_client_data.cc

::GetNamedPipeClientProcessId

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc

ConnectNamedPipe

ImpersonateNamedPipeClient

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\session_end_watcher.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_reader.cc

%s: %s (0x%x)

WinHttpCloseHandle

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc

Crashpad/0.8.0

%s: error 0x%x while retrieving error 0x%x

WinHttpOpenRequest

WinHttpAddRequestHeaders

WinHttpOpen

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpReceiveResponse

WinHttpQueryHeaders

HTTP status %d

WinHttpReadData

WinHttpSendRequest

WinHttpWriteData

--%s%sContent-Disposition: form-data; name="%s"

; filename="%s"%s

Content-Type: %s%s

multipart/form-data; boundary=%s

%%x

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc

WaitNamedPipe

SetNamedPipeHandleState

TransactNamedPipe

TransactNamedPipe: expected

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body_gzip.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body.cc

<failed to retrieve error message (0x%x)>

(0xx)

%s (%d)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc

%s.%s,%s,%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc

%s %d.%d.%d.%s%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_seeker.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\process_info.cc

Reading x64 process from x86 process not supported

0x%llx   0x%llx (%s)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\module_version.cc

C:\b\build\slave\win-pgo\build\src\out\Release\initialexe\chrome.exe.pdb

.text$di

.text$mn

.text$x

.text$yd

.idata$5

.CRT$XCA

.CRT$XCAA

.CRT$XCC

.CRT$XCL

.CRT$XCU

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XLA

.CRT$XLB

.CRT$XLZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.cfguard

.rdata

.rdata$T

.rdata$r

.rdata$sxdata

.rdata$vtableC

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.xdata$x

.didat$2

.didat$3

.didat$4

.didat$6

.didat$7

.edata

.idata$2

.idata$3

.idata$4

.idata$6

.data

.data$r

.didat$5

.tls$

.tls$ZZZ

.rsrc$01

.rsrc$02

chrome.exe

SignalChromeElf

SignalInitializeCrashReporting

chrome_elf.dll

RegOpenKeyExW

RegCreateKeyExW

RegCloseKey

ADVAPI32.dll

CreateIoCompletionPort

GetWindowsDirectoryW

GetProcessHandleCount

KERNEL32.dll

PSAPI.DLL

ShellExecuteExW

SHELL32.dll

CloseWindowStation

CreateWindowStationW

GetProcessWindowStation

SetProcessWindowStation

USER32.dll

VERSION.dll

WINMM.dll

GetCPInfo

PeekNamedPipe

DisconnectNamedPipe

WaitNamedPipeW

USERENV.dll

WINHTTP.dll

.?AU_Crt_new_delete@std@@

a.IDATx

%F?????????3 

ÿFFFFFFFFFFFFFFF?B%

:1----16

Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12

:BBBBBBBBBB>>-.jdddcccca

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="58.0.3029.81" version="58.0.3029.81" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

5%6U6

M:\;{<

> ?$?(?,?0?4?8?<?

<\<!>(>0>8>@>

; ;$;(;,;0;4;8;

0 0$0(0,0

< <<<@<\<`<|<

lKERNEL32.DLL

mscoree.dll

ext-ms-win-ntuser-windowstation-l1-1-0

portuguese-brazilian

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

nchrome_watcher.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Ndebug.log

Kernel32.dll

ntdll.dll

Chrome_MessageWindow

shell32.dll

pepflashplayer.dll

script.log

resources.pak

chrome

Chrome

chrome_child.dll

chrome.dll

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Browse the web

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

-chromeframe

-chrome

Google Chrome Canary

{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}

ChromeCanary

Chrome Canary HTML Document

ChromeSSHTM

{1BEAC3E3-B852-44F4-B468-8906C062422E}

hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1

Google Chrome

%d.%d.%d

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Chrome HTML Document

{8A69D345-D564-463c-AFF1-A69D9E530F96}

{5C65F4B0-3651-4514-B207-D10CB699B14B}

ChromeHTML

SOFTWARE\Policies\Google\Chrome

0.0.0.0-devel

${windows}

advapi32.dll

ywtsapi32.dll

reports

settings.dat

ALPC Port

t\Sessions\%d\AppContainerNamedObjects\%ls

sHKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_DATA

HKEY_USERS

pipe\

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

gdi32.dll

xntdll.dll

\\.\pipe

winhttp.dll

%Program Files%\Google\Chrome\Application\chrome.exe

chrome_exe

chrome.exe_2132:

.text

`.rdata

@.data

.didat

.rsrc

@.reloc

D$,j.Xf

PVSSh

j.Yf;

_tcPVj@

.PjRW

dbghelp.dll

ole32.dll

inappropriate io control operation

not supported

operation canceled

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

address family not supported

broken pipe

function not supported

InitOnceExecuteOnce

operator

operator ""

?#%X.y

%S#[k

?OLEAUT32.dll

POWRPROF.dll

user32.dll

c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc

c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded

Could not find exported function

%s: option `%s' is ambiguous (could be `--%s' or `--%s')

%s: invalid option -- `-%c'

%s: argument required for option `

--%s'

0.8.0

%ls (%s) %s

hXXps://crashpad.chromium.org/

hXXps://crashpad.chromium.org/bug/new

Report %ls bugs to

%s home page: <%s>

%ls: %s

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

PlatformFile.UnknownErrors.Windows

Histogram: %s recorded %d samples

(flags = 0x%x)

.thunks

.syzygy

TrackedObjects.GetRetiredOrCreateThreadData

Histogram.InconsistentCountLow

Histogram.InconsistentCountHigh

UMA.PersistentAllocator.

.UsedPct

.Errors

c:\b\build\slave\win-pgo\build\src\base\metrics\persistent_memory_allocator.cc

(%d = %3.1f%%)

Collections of histograms for %s

c:\b\build\slave\win-pgo\build\src\base\metrics\statistics_recorder.cc

UMA.CreatePersistentHistogram.Result

UMA.NegativeSamples.Reason

-Windows NT

Dictionary keys must be quoted.

Unsupported encoding. JSON must be UTF-8.

Line: %i, column: %i, %s

58.0.3029.81

widevinecdmadapter.dll

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_update_settings.cc

Failed to write to application's ClientState key

Removed incremental installer failure key; switching to channel:

Removed multi-install failure key; switching to channel:

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\channel_info.cc

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_chrome_distribution.cc

iexplore.exe

googlechrome

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\language_selector.cc

c:\b\build\slave\win-pgo\build\src\components\browser_watcher\watcher_client_win.cc

user_experience_metrics.reporting_enabled

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\settings.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc

x-x-x-xx-xxxxxx

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io.cc

Crashpad.ExceptionEncountered

Crashpad.CrashUpload.Skipped

Crashpad.CrashUpload.AttemptSuccessful

Crashpad.CrashReportSize

Crashpad.CrashReportPending

Crashpad.HandlerCrash.ExceptionCode.Win

Crashpad.HandlerLifetimeMilestone

Crashpad.ExceptionCode.Win

Crashpad.ExceptionCaptureResult

--annotation=KEY=VALUE set a process annotation in each crash report

--database=PATH store the crash report database at PATH

HANDLE_pipe,

--pipe-name=PIPE communicate with the client over PIPE

--url=URL send crash reports to this Breakpad server URL,

pipe-name

duplicate key

--annotation requires KEY=VALUE

--initial-client-data and --pipe-name are incompatible

--initial-client-data or --pipe-name is required

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\handler_main.cc

SetProcessShutdownParameters

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc

reserved key

PrepareNewCrashReport failed

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc

FinishedWritingCrashReport failed

kernel32.dll

c:\b\build\slave\win-pgo\build\src\sandbox\win\src\sandbox_policy_base.cc

NtCreateKey

NtOpenKey

GetCertificate

GetCertificateSize

SetOPMSigningKeyAndSequenceNumbers

GetCertificateByHandle

GetCertificateSizeByHandle

CreateNamedPipeW

NtOpenKeyEx

Database Pruning: Failed to remove report

PruneCrashReportDatabase: Failed to get pending reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc

PruneCrashReportDatabase: Failed to get completed reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\initial_client_data.cc

::GetNamedPipeClientProcessId

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc

ConnectNamedPipe

ImpersonateNamedPipeClient

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\session_end_watcher.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_reader.cc

%s: %s (0x%x)

WinHttpCloseHandle

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc

Crashpad/0.8.0

%s: error 0x%x while retrieving error 0x%x

WinHttpOpenRequest

WinHttpAddRequestHeaders

WinHttpOpen

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpReceiveResponse

WinHttpQueryHeaders

HTTP status %d

WinHttpReadData

WinHttpSendRequest

WinHttpWriteData

--%s%sContent-Disposition: form-data; name="%s"

; filename="%s"%s

Content-Type: %s%s

multipart/form-data; boundary=%s

%%x

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc

WaitNamedPipe

SetNamedPipeHandleState

TransactNamedPipe

TransactNamedPipe: expected

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body_gzip.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body.cc

<failed to retrieve error message (0x%x)>

(0xx)

%s (%d)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc

%s.%s,%s,%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc

%s %d.%d.%d.%s%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_seeker.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\process_info.cc

Reading x64 process from x86 process not supported

0x%llx   0x%llx (%s)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\module_version.cc

C:\b\build\slave\win-pgo\build\src\out\Release\initialexe\chrome.exe.pdb

.text$di

.text$mn

.text$x

.text$yd

.idata$5

.CRT$XCA

.CRT$XCAA

.CRT$XCC

.CRT$XCL

.CRT$XCU

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XLA

.CRT$XLB

.CRT$XLZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.cfguard

.rdata

.rdata$T

.rdata$r

.rdata$sxdata

.rdata$vtableC

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.xdata$x

.didat$2

.didat$3

.didat$4

.didat$6

.didat$7

.edata

.idata$2

.idata$3

.idata$4

.idata$6

.data

.data$r

.didat$5

.tls$

.tls$ZZZ

.rsrc$01

.rsrc$02

chrome.exe

SignalChromeElf

SignalInitializeCrashReporting

chrome_elf.dll

RegOpenKeyExW

RegCreateKeyExW

RegCloseKey

ADVAPI32.dll

CreateIoCompletionPort

GetWindowsDirectoryW

GetProcessHandleCount

KERNEL32.dll

PSAPI.DLL

ShellExecuteExW

SHELL32.dll

CloseWindowStation

CreateWindowStationW

GetProcessWindowStation

SetProcessWindowStation

USER32.dll

VERSION.dll

WINMM.dll

GetCPInfo

PeekNamedPipe

DisconnectNamedPipe

WaitNamedPipeW

USERENV.dll

WINHTTP.dll

.?AU_Crt_new_delete@std@@

a.IDATx

%F?????????3 

ÿFFFFFFFFFFFFFFF?B%

:1----16

Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12

:BBBBBBBBBB>>-.jdddcccca

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="58.0.3029.81" version="58.0.3029.81" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

5%6U6

M:\;{<

> ?$?(?,?0?4?8?<?

<\<!>(>0>8>@>

; ;$;(;,;0;4;8;

0 0$0(0,0

< <<<@<\<`<|<

lKERNEL32.DLL

mscoree.dll

ext-ms-win-ntuser-windowstation-l1-1-0

portuguese-brazilian

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

nchrome_watcher.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Ndebug.log

Kernel32.dll

ntdll.dll

Chrome_MessageWindow

shell32.dll

pepflashplayer.dll

script.log

resources.pak

chrome

Chrome

chrome_child.dll

chrome.dll

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Browse the web

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

-chromeframe

-chrome

Google Chrome Canary

{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}

ChromeCanary

Chrome Canary HTML Document

ChromeSSHTM

{1BEAC3E3-B852-44F4-B468-8906C062422E}

hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1

Google Chrome

%d.%d.%d

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Chrome HTML Document

{8A69D345-D564-463c-AFF1-A69D9E530F96}

{5C65F4B0-3651-4514-B207-D10CB699B14B}

ChromeHTML

SOFTWARE\Policies\Google\Chrome

0.0.0.0-devel

${windows}

advapi32.dll

ywtsapi32.dll

reports

settings.dat

ALPC Port

t\Sessions\%d\AppContainerNamedObjects\%ls

sHKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_DATA

HKEY_USERS

pipe\

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

gdi32.dll

xntdll.dll

\\.\pipe

winhttp.dll

%Program Files%\Google\Chrome\Application\chrome.exe

chrome_exe

chrome.exe_772:

.text

`.rdata

@.data

.didat

.rsrc

@.reloc

D$,j.Xf

PVSSh

j.Yf;

_tcPVj@

.PjRW

dbghelp.dll

ole32.dll

inappropriate io control operation

not supported

operation canceled

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

address family not supported

broken pipe

function not supported

InitOnceExecuteOnce

operator

operator ""

?#%X.y

%S#[k

?OLEAUT32.dll

POWRPROF.dll

user32.dll

c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc

c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded

Could not find exported function

%s: option `%s' is ambiguous (could be `--%s' or `--%s')

%s: invalid option -- `-%c'

%s: argument required for option `

--%s'

0.8.0

%ls (%s) %s

hXXps://crashpad.chromium.org/

hXXps://crashpad.chromium.org/bug/new

Report %ls bugs to

%s home page: <%s>

%ls: %s

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

PlatformFile.UnknownErrors.Windows

Histogram: %s recorded %d samples

(flags = 0x%x)

.thunks

.syzygy

TrackedObjects.GetRetiredOrCreateThreadData

Histogram.InconsistentCountLow

Histogram.InconsistentCountHigh

UMA.PersistentAllocator.

.UsedPct

.Errors

c:\b\build\slave\win-pgo\build\src\base\metrics\persistent_memory_allocator.cc

(%d = %3.1f%%)

Collections of histograms for %s

c:\b\build\slave\win-pgo\build\src\base\metrics\statistics_recorder.cc

UMA.CreatePersistentHistogram.Result

UMA.NegativeSamples.Reason

-Windows NT

Dictionary keys must be quoted.

Unsupported encoding. JSON must be UTF-8.

Line: %i, column: %i, %s

58.0.3029.81

widevinecdmadapter.dll

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_update_settings.cc

Failed to write to application's ClientState key

Removed incremental installer failure key; switching to channel:

Removed multi-install failure key; switching to channel:

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\channel_info.cc

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_chrome_distribution.cc

iexplore.exe

googlechrome

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\language_selector.cc

c:\b\build\slave\win-pgo\build\src\components\browser_watcher\watcher_client_win.cc

user_experience_metrics.reporting_enabled

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\settings.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc

x-x-x-xx-xxxxxx

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io.cc

Crashpad.ExceptionEncountered

Crashpad.CrashUpload.Skipped

Crashpad.CrashUpload.AttemptSuccessful

Crashpad.CrashReportSize

Crashpad.CrashReportPending

Crashpad.HandlerCrash.ExceptionCode.Win

Crashpad.HandlerLifetimeMilestone

Crashpad.ExceptionCode.Win

Crashpad.ExceptionCaptureResult

--annotation=KEY=VALUE set a process annotation in each crash report

--database=PATH store the crash report database at PATH

HANDLE_pipe,

--pipe-name=PIPE communicate with the client over PIPE

--url=URL send crash reports to this Breakpad server URL,

pipe-name

duplicate key

--annotation requires KEY=VALUE

--initial-client-data and --pipe-name are incompatible

--initial-client-data or --pipe-name is required

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\handler_main.cc

SetProcessShutdownParameters

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc

reserved key

PrepareNewCrashReport failed

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc

FinishedWritingCrashReport failed

kernel32.dll

c:\b\build\slave\win-pgo\build\src\sandbox\win\src\sandbox_policy_base.cc

NtCreateKey

NtOpenKey

GetCertificate

GetCertificateSize

SetOPMSigningKeyAndSequenceNumbers

GetCertificateByHandle

GetCertificateSizeByHandle

CreateNamedPipeW

NtOpenKeyEx

Database Pruning: Failed to remove report

PruneCrashReportDatabase: Failed to get pending reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc

PruneCrashReportDatabase: Failed to get completed reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\initial_client_data.cc

::GetNamedPipeClientProcessId

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc

ConnectNamedPipe

ImpersonateNamedPipeClient

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\session_end_watcher.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_reader.cc

%s: %s (0x%x)

WinHttpCloseHandle

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc

Crashpad/0.8.0

%s: error 0x%x while retrieving error 0x%x

WinHttpOpenRequest

WinHttpAddRequestHeaders

WinHttpOpen

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpReceiveResponse

WinHttpQueryHeaders

HTTP status %d

WinHttpReadData

WinHttpSendRequest

WinHttpWriteData

--%s%sContent-Disposition: form-data; name="%s"

; filename="%s"%s

Content-Type: %s%s

multipart/form-data; boundary=%s

%%x

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc

WaitNamedPipe

SetNamedPipeHandleState

TransactNamedPipe

TransactNamedPipe: expected

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body_gzip.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body.cc

<failed to retrieve error message (0x%x)>

(0xx)

%s (%d)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc

%s.%s,%s,%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc

%s %d.%d.%d.%s%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_seeker.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\process_info.cc

Reading x64 process from x86 process not supported

0x%llx   0x%llx (%s)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\module_version.cc

C:\b\build\slave\win-pgo\build\src\out\Release\initialexe\chrome.exe.pdb

.text$di

.text$mn

.text$x

.text$yd

.idata$5

.CRT$XCA

.CRT$XCAA

.CRT$XCC

.CRT$XCL

.CRT$XCU

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XLA

.CRT$XLB

.CRT$XLZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.cfguard

.rdata

.rdata$T

.rdata$r

.rdata$sxdata

.rdata$vtableC

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.xdata$x

.didat$2

.didat$3

.didat$4

.didat$6

.didat$7

.edata

.idata$2

.idata$3

.idata$4

.idata$6

.data

.data$r

.didat$5

.tls$

.tls$ZZZ

.rsrc$01

.rsrc$02

chrome.exe

SignalChromeElf

SignalInitializeCrashReporting

chrome_elf.dll

RegOpenKeyExW

RegCreateKeyExW

RegCloseKey

ADVAPI32.dll

CreateIoCompletionPort

GetWindowsDirectoryW

GetProcessHandleCount

KERNEL32.dll

PSAPI.DLL

ShellExecuteExW

SHELL32.dll

CloseWindowStation

CreateWindowStationW

GetProcessWindowStation

SetProcessWindowStation

USER32.dll

VERSION.dll

WINMM.dll

GetCPInfo

PeekNamedPipe

DisconnectNamedPipe

WaitNamedPipeW

USERENV.dll

WINHTTP.dll

.?AU_Crt_new_delete@std@@

a.IDATx

%F?????????3 

ÿFFFFFFFFFFFFFFF?B%

:1----16

Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12

:BBBBBBBBBB>>-.jdddcccca

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="58.0.3029.81" version="58.0.3029.81" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

5%6U6

M:\;{<

> ?$?(?,?0?4?8?<?

<\<!>(>0>8>@>

; ;$;(;,;0;4;8;

0 0$0(0,0

< <<<@<\<`<|<

lKERNEL32.DLL

mscoree.dll

ext-ms-win-ntuser-windowstation-l1-1-0

portuguese-brazilian

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

nchrome_watcher.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Ndebug.log

Kernel32.dll

ntdll.dll

Chrome_MessageWindow

shell32.dll

pepflashplayer.dll

script.log

resources.pak

chrome

Chrome

chrome_child.dll

chrome.dll

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Browse the web

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

-chromeframe

-chrome

Google Chrome Canary

{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}

ChromeCanary

Chrome Canary HTML Document

ChromeSSHTM

{1BEAC3E3-B852-44F4-B468-8906C062422E}

hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1

Google Chrome

%d.%d.%d

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Chrome HTML Document

{8A69D345-D564-463c-AFF1-A69D9E530F96}

{5C65F4B0-3651-4514-B207-D10CB699B14B}

ChromeHTML

SOFTWARE\Policies\Google\Chrome

0.0.0.0-devel

${windows}

advapi32.dll

ywtsapi32.dll

reports

settings.dat

ALPC Port

t\Sessions\%d\AppContainerNamedObjects\%ls

sHKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_DATA

HKEY_USERS

pipe\

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

gdi32.dll

xntdll.dll

\\.\pipe

winhttp.dll

%Program Files%\Google\Chrome\Application\chrome.exe

chrome_exe

chrome.exe_3336:

.text

`.rdata

@.data

.didat

.rsrc

@.reloc

D$,j.Xf

PVSSh

j.Yf;

_tcPVj@

.PjRW

dbghelp.dll

ole32.dll

inappropriate io control operation

not supported

operation canceled

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

address family not supported

broken pipe

function not supported

InitOnceExecuteOnce

operator

operator ""

?#%X.y

%S#[k

?OLEAUT32.dll

POWRPROF.dll

user32.dll

c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc

c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

RelaunchChromeBrowserWithNewCommandLineIfNeeded

Could not find exported function

%s: option `%s' is ambiguous (could be `--%s' or `--%s')

%s: invalid option -- `-%c'

%s: argument required for option `

--%s'

0.8.0

%ls (%s) %s

hXXps://crashpad.chromium.org/

hXXps://crashpad.chromium.org/bug/new

Report %ls bugs to

%s home page: <%s>

%ls: %s

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

PlatformFile.UnknownErrors.Windows

Histogram: %s recorded %d samples

(flags = 0x%x)

.thunks

.syzygy

TrackedObjects.GetRetiredOrCreateThreadData

Histogram.InconsistentCountLow

Histogram.InconsistentCountHigh

UMA.PersistentAllocator.

.UsedPct

.Errors

c:\b\build\slave\win-pgo\build\src\base\metrics\persistent_memory_allocator.cc

(%d = %3.1f%%)

Collections of histograms for %s

c:\b\build\slave\win-pgo\build\src\base\metrics\statistics_recorder.cc

UMA.CreatePersistentHistogram.Result

UMA.NegativeSamples.Reason

-Windows NT

Dictionary keys must be quoted.

Unsupported encoding. JSON must be UTF-8.

Line: %i, column: %i, %s

58.0.3029.81

widevinecdmadapter.dll

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_update_settings.cc

Failed to write to application's ClientState key

Removed incremental installer failure key; switching to channel:

Removed multi-install failure key; switching to channel:

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\channel_info.cc

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_chrome_distribution.cc

iexplore.exe

googlechrome

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\language_selector.cc

c:\b\build\slave\win-pgo\build\src\components\browser_watcher\watcher_client_win.cc

user_experience_metrics.reporting_enabled

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\settings.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc

x-x-x-xx-xxxxxx

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io.cc

Crashpad.ExceptionEncountered

Crashpad.CrashUpload.Skipped

Crashpad.CrashUpload.AttemptSuccessful

Crashpad.CrashReportSize

Crashpad.CrashReportPending

Crashpad.HandlerCrash.ExceptionCode.Win

Crashpad.HandlerLifetimeMilestone

Crashpad.ExceptionCode.Win

Crashpad.ExceptionCaptureResult

--annotation=KEY=VALUE set a process annotation in each crash report

--database=PATH store the crash report database at PATH

HANDLE_pipe,

--pipe-name=PIPE communicate with the client over PIPE

--url=URL send crash reports to this Breakpad server URL,

pipe-name

duplicate key

--annotation requires KEY=VALUE

--initial-client-data and --pipe-name are incompatible

--initial-client-data or --pipe-name is required

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\handler_main.cc

SetProcessShutdownParameters

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc

reserved key

PrepareNewCrashReport failed

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc

FinishedWritingCrashReport failed

kernel32.dll

c:\b\build\slave\win-pgo\build\src\sandbox\win\src\sandbox_policy_base.cc

NtCreateKey

NtOpenKey

GetCertificate

GetCertificateSize

SetOPMSigningKeyAndSequenceNumbers

GetCertificateByHandle

GetCertificateSizeByHandle

CreateNamedPipeW

NtOpenKeyEx

Database Pruning: Failed to remove report

PruneCrashReportDatabase: Failed to get pending reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc

PruneCrashReportDatabase: Failed to get completed reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\initial_client_data.cc

::GetNamedPipeClientProcessId

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc

ConnectNamedPipe

ImpersonateNamedPipeClient

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\session_end_watcher.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_reader.cc

%s: %s (0x%x)

WinHttpCloseHandle

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc

Crashpad/0.8.0

%s: error 0x%x while retrieving error 0x%x

WinHttpOpenRequest

WinHttpAddRequestHeaders

WinHttpOpen

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpReceiveResponse

WinHttpQueryHeaders

HTTP status %d

WinHttpReadData

WinHttpSendRequest

WinHttpWriteData

--%s%sContent-Disposition: form-data; name="%s"

; filename="%s"%s

Content-Type: %s%s

multipart/form-data; boundary=%s

%%x

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc

WaitNamedPipe

SetNamedPipeHandleState

TransactNamedPipe

TransactNamedPipe: expected

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body_gzip.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body.cc

<failed to retrieve error message (0x%x)>

(0xx)

%s (%d)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc

%s.%s,%s,%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc

%s %d.%d.%d.%s%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_seeker.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\process_info.cc

Reading x64 process from x86 process not supported

0x%llx   0x%llx (%s)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\module_version.cc

C:\b\build\slave\win-pgo\build\src\out\Release\initialexe\chrome.exe.pdb

.text$di

.text$mn

.text$x

.text$yd

.idata$5

.CRT$XCA

.CRT$XCAA

.CRT$XCC

.CRT$XCL

.CRT$XCU

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XLA

.CRT$XLB

.CRT$XLZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.cfguard

.rdata

.rdata$T

.rdata$r

.rdata$sxdata

.rdata$vtableC

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.xdata$x

.didat$2

.didat$3

.didat$4

.didat$6

.didat$7

.edata

.idata$2

.idata$3

.idata$4

.idata$6

.data

.data$r

.didat$5

.tls$

.tls$ZZZ

.rsrc$01

.rsrc$02

chrome.exe

SignalChromeElf

SignalInitializeCrashReporting

chrome_elf.dll

RegOpenKeyExW

RegCreateKeyExW

RegCloseKey

ADVAPI32.dll

CreateIoCompletionPort

GetWindowsDirectoryW

GetProcessHandleCount

KERNEL32.dll

PSAPI.DLL

ShellExecuteExW

SHELL32.dll

CloseWindowStation

CreateWindowStationW

GetProcessWindowStation

SetProcessWindowStation

USER32.dll

VERSION.dll

WINMM.dll

GetCPInfo

PeekNamedPipe

DisconnectNamedPipe

WaitNamedPipeW

USERENV.dll

WINHTTP.dll

.?AU_Crt_new_delete@std@@

a.IDATx

%F?????????3 

ÿFFFFFFFFFFFFFFF?B%

:1----16

Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12

:BBBBBBBBBB>>-.jdddcccca

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="58.0.3029.81" version="58.0.3029.81" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

5%6U6

M:\;{<

> ?$?(?,?0?4?8?<?

<\<!>(>0>8>@>

; ;$;(;,;0;4;8;

0 0$0(0,0

< <<<@<\<`<|<

lKERNEL32.DLL

mscoree.dll

ext-ms-win-ntuser-windowstation-l1-1-0

portuguese-brazilian

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

nchrome_watcher.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Ndebug.log

Kernel32.dll

ntdll.dll

Chrome_MessageWindow

shell32.dll

pepflashplayer.dll

script.log

resources.pak

chrome

Chrome

chrome_child.dll

chrome.dll

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

Browse the web

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

-chromeframe

-chrome

Google Chrome Canary

{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}

ChromeCanary

Chrome Canary HTML Document

ChromeSSHTM

{1BEAC3E3-B852-44F4-B468-8906C062422E}

hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1

Google Chrome

%d.%d.%d

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Chrome HTML Document

{8A69D345-D564-463c-AFF1-A69D9E530F96}

{5C65F4B0-3651-4514-B207-D10CB699B14B}

ChromeHTML

SOFTWARE\Policies\Google\Chrome

0.0.0.0-devel

${windows}

advapi32.dll

ywtsapi32.dll

reports

settings.dat

ALPC Port

t\Sessions\%d\AppContainerNamedObjects\%ls

sHKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_TEXT

HKEY_PERFORMANCE_DATA

HKEY_USERS

pipe\

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

gdi32.dll

xntdll.dll

\\.\pipe

winhttp.dll

%Program Files%\Google\Chrome\Application\chrome.exe

chrome_exe

SearchFilterHost.exe_3852:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

chrome.exe_3336_rwx_03B86000_00079000:

u.SQR

chrome.exe_3336_rwx_07686000_00079000:

WebK

chrome.exe_3336_rwx_0A686000_00079000:

u.SQR

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   GoogleUpdate.exe:1804
   GoogleUpdate.exe:4052
   GoogleUpdate.exe:3432
   GoogleUpdate.exe:3372
   GoogleUpdate.exe:2496
   GoogleUpdate.exe:956
   GoogleUpdate.exe:3776
   LocalLeu_xUsaz_.exe:1692
   %original file name%.exe:1672
   58.0.3029.81_chrome_installer.exe:1548
   chrome.exe:2132
   chrome.exe:2444
   chrome.exe:772
   chrome.exe:2980
   chrome.exe:4024
   chrome.exe:1252
   chrome.exe:1560
   chrome.exe:3656
   chrome.exe:3044
   chrome.exe:1864
   LocalcLUQGCIkej.exe:3168
   netsh.exe:2512
   setup.exe:896
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\Google\Update\Install\{B74FE026-17E8-4904-9667-2D3852869078}\58.0.3029.81_chrome_installer.exe (354602 bytes)
   %Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\58.0.3029.81\58.0.3029.81_chrome_installer.exe (333797 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_fr.dll (49 bytes)
   %Program Files%\GUMF298.tmp\goopdate.dll (49 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com (845 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLeu_xUsaz_.exe (341 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalcLUQGCIkej.exe (1978 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\CHROME.PACKED.7Z (50572 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\setup.exe (19187 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_E420F.tmp\SETUP.EX_ (528 bytes)
   %Program Files%\Google\Chrome\Application\58.0.3029.81\chrome_watcher.dll (483 bytes)
   %Program Files%\Google\Chrome\Application\58.0.3029.81\chrome_child.dll (5823 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (221 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\237913a104effca4_0 (2591 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal (2220 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (3291 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\86bc378bba217ded_0 (2797 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal (3450 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_NMuVASeqeiXvjJG (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\A19.tmp (145 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\ADF3.tmp (70 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\LOG (609 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\1e16adeb2b036d0a_0 (2309 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History-journal (5380 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 (58 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_oKfHm82bqcxe79d (576 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_LcWou9LFWCczIwD (2480 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (13444 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\99f80f27ba259469_0 (1806 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (72 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG (616 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\989d58c926ac97d7_0 (2737 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_1 (98 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e6af3213c3ae0b2d_0 (3367 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\4552cf74d5ebf7e9_0 (1689 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6D57.tmp (160 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (5378 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (613 bytes)
   %Program Files%\Google\Chrome\Application\58.0.3029.81\chrome_elf.dll (434 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt.tmp (316 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e2042f2bac3c4012_0 (2272 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6E33.tmp (644 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\000003.log (84 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\index-dir\temp-index (192 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYPV4OB5WE6HGB4LBXN1.temp (196 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_4YCVY53c0jARZG7 (2798 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 (44 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\fa813c9ad67834ac_0 (3624 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_VB6EvbDyScxCYFx (172 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (11276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_akTSmiihSHa9pLC (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000019 (42 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (10985 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (13264 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (7080 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (107088 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (38683 bytes)
   %Program Files%\Google\Chrome\Application\58.0.3029.81\chrome.dll (5823 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\70d3d608533f515e_0 (4798 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\a8bde667debcd4b0_0 (2123 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\temp-index (504 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG (495 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6E34.tmp (44 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\6D36.tmp (145 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (33564 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (490 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (240 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (35462 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\a585e860-e327-4317-8549-e16a90e7a919\fdf2cfeb8ad0eeac_0 (1751 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log (712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\1157fee2e2dc1968_0 (1873 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 (58 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015 (61 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 (17 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (33552 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\6D56.tmp (70 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\70d3d608533f515e_0 (5064 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y5RFNC6FA9W5QZ0MG6U0.temp (196 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (534 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000004.log (524 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\49CC.tmp (1 bytes)
   %Program Files%\GUMF298.tmp\npGoogleUpdate3.dll (838 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_pl.dll (46 bytes)
   %Program Files%\GUMF298.tmp\GoogleCrashHandler64.exe (550 bytes)
   %Program Files%\GUMF298.tmp\GoogleUpdateBroker.exe (95 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_te.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ms.dll (45 bytes)
   %Program Files%\GUMF298.tmp\GoogleUpdateHelper.msi (40 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ml.dll (48 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_sw.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ta.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_es.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_sk.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_iw.dll (43 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_en.dll (44 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_lv.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ar.dll (43 bytes)
   %Program Files%\GUMF298.tmp\psuser.dll (191 bytes)
   %Program Files%\GUMF298.tmp\GoogleUpdateSetup.exe (7385 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_da.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_no.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_fil.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ja.dll (42 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_tr.dll (45 bytes)
   %Program Files%\GUMF298.tmp\GoogleUpdate.exe (309 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_et.dll (45 bytes)
   %Program Files%\GUMF298.tmp\GoogleUpdateWebPlugin.exe (95 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_mr.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_pt-BR.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_nl.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_el.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_bn.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ur.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_vi.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_gu.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_es-419.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_kn.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ko.dll (41 bytes)
   %Program Files%\GUTF299.tmp (6 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_lt.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_sv.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_is.dll (45 bytes)
   %Program Files%\GUMF298.tmp\psmachine.dll (191 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_bg.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_zh-TW.dll (39 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_de.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_pt-PT.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ru.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_uk.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_zh-CN.dll (39 bytes)
   %Program Files%\GUMF298.tmp\GoogleUpdateComRegisterShell64.exe (137 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_en-GB.dll (44 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_sr.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ca.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_th.dll (44 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_cs.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_fi.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_id.dll (45 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_am.dll (44 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_sl.dll (46 bytes)
   %Program Files%\GUMF298.tmp\GoogleUpdateOnDemand.exe (95 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_hi.dll (45 bytes)
   %Program Files%\GUMF298.tmp\psuser_64.dll (222 bytes)
   %Program Files%\GUMF298.tmp\psmachine_64.dll (222 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_hr.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_fa.dll (44 bytes)
   %Program Files%\GUMF298.tmp\GoogleCrashHandler.exe (252 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_it.dll (47 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_ro.dll (46 bytes)
   %Program Files%\GUMF298.tmp\goopdateres_hu.dll (46 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea2d80f6b4b7963e05f3bc65a43c8821.exe (673 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ca.pak (329 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\gu.pak (651 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\en-GB.pak (271 bytes)
   %Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\setup.exe (8281 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\libglesv2.dll (2 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\libegl.dll (87 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sr.pak (499 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\de.pak (287 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\snapshot_blob.bin (1 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fr.pak (350 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\id.pak (294 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\pl.pak (327 bytes)
   C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_child.dll (56723 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome.dll (34482 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\logocanary.png (22 bytes)
   %Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements (4 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\icudtl.dat (10 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ta.pak (773 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\smalllogocanary.png (7 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ms.pak (254 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\hu.pak (346 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_child.dll.sig (1 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\external_extensions.json (1 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sl.pak (310 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\hi.pak (668 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\nl.pak (316 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\nacl64.exe (6 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fil.pak (334 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\cs.pak (333 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\resources.pak (2610 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\uk.pak (516 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\zh-CN.pak (270 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\nacl_irt_x86_32.nexe (3 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\youtube.crx (23 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ro.pak (334 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fa.pak (467 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sv.pak (300 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\hr.pak (310 bytes)
   %Program Files%\Google\Chrome\Application\58.0.3029.81\Installer\chrmstp.exe (8281 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\lt.pak (334 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\chrome.7z (276214 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ja.pak (391 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\et.pak (289 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\it.pak (320 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\zh-TW.pak (270 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\he.pak (384 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Extensions\external_extensions.json (99 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\en-US.pak (271 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sk.pak (344 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\tr.pak (324 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\d3dcompiler_47.dll (3 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\bn.pak (694 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome.dll.sig (1 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_watcher.dll (480 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\chrome_installer.log (12642 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\te.pak (723 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\pt-BR.pak (321 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\am.pak (455 bytes)
   %Program Files%\Google\Chrome\Application\SetupMetrics\401D.tmp (15 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_elf.dll (433 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ru.pak (517 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\natives_blob.bin (262 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\es.pak (332 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ko.pak (330 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome.exe.sig (1 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ar.pak (450 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\sw.pak (281 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_200_percent.pak (723 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\vi.pak (372 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\logo.png (17 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\el.pak (587 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.sig (1 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\bg.pak (543 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\58.0.3029.81.manifest (224 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\es-419.pak (326 bytes)
   C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\kn.pak (748 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\da.pak (300 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\chrome_100_percent.pak (455 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\nb.pak (296 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\chrome.VisualElementsManifest.xml (407 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\docs.crx (4 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\fi.pak (308 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\lv.pak (335 bytes)
   %Program Files%\Google\Chrome\Application\54.0.2840.59\Locales (8 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\eventlog_provider.dll (12 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\nacl_irt_x86_64.nexe (4 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\drive.crx (25 bytes)
   %Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps (4 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\mr.pak (662 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\manifest.json (950 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll.sig (1 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\VisualElements\smalllogo.png (7 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\pt-PT.pak (325 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\chrome.exe (977 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\ml.pak (838 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\Locales\th.pak (651 bytes)
   %Program Files%\Google\Chrome\Temp\source896_31353\Chrome-bin\58.0.3029.81\default_apps\gmail.crx (24 bytes)
   %Program Files%\Google\Chrome\Application\chrome.exe (8323 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "ea2d80f6b4b7963e05f3bc65a43c8821" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com .."
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "ea2d80f6b4b7963e05f3bc65a43c8821" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\google .com .."

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.