Gen.Variant.Barys.39_48fea17d07

by malwarelabrobot on July 8th, 2017 in Malware Descriptions.

Gen:Variant.Barys.39 (B) (Emsisoft), Gen:Variant.Barys.39 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, VirTool, WormAutorun

This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 48fea17d071d077e3a9dad595057e848
SHA1: bbfc27cee1795cdf0260b252c89313d9d6894013
SHA256: 76b66932f7bc5e05f5fe33c5bab9c02f1b1f2da92c7eb9195d8d9a7e96c03f17
SSDeep: 49152:VnsHyjtk2MYC5GDFiRDN2 HBNRj/inCXDIshZTDRLB7ZT:Vnsmtk2aAUDlhNRj/inCzIMNT
Size: 1902080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

Behaviour: WormAutorun
Description: A worm that spreads via removable drives. It writes its executable to every removable drive and creates an "autorun.inf" script alongside it; the autorun script executes the Trojan's file as soon as a user opens the drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:2784
GoogleUpdate.exe:3384
GoogleUpdate.exe:2600
GoogleUpdate.exe:2556
GoogleUpdate.exe:1860
GoogleUpdate.exe:560
GoogleUpdate.exe:3016
GoogleUpdate.exe:1240
%original file name%.exe:1760
chrome.exe:3776
chrome.exe:140
chrome.exe:904
chrome.exe:3680
chrome.exe:3684
chrome.exe:240
chrome.exe:684
chrome.exe:2800
chrome.exe:1684
chrome.exe:3676
chrome.exe:936
._cache_%original file name%.exe:316
59.0.3071.115_chrome_installer.exe:1388
setup.exe:1368

The Trojan injects its code into the following process(es):

chrome.exe:3820
chrome.exe:912
Synaptics.exe:1776

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:2784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\1.3.33.5\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdate.dll (49 bytes)

The process GoogleUpdate.exe:2600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUM7EB0.tmp\goopdateres_tr.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_fr.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ml.dll (46 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_et.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\psuser.dll (1281 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_de.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_en-GB.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ko.dll (38 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_sr.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdateComRegisterShell64.exe (673 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_en.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_lt.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_da.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_es-419.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ca.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\npGoogleUpdate3.dll (4815 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_bn.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\psmachine_64.dll (1281 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_hu.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_es.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdateBroker.exe (601 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_sl.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ja.dll (39 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_sk.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ms.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_el.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdate.exe (673 bytes)
%Program Files%\Google\Update\1.3.33.5\psmachine.dll (1281 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_th.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_id.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_fa.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_te.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_uk.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_kn.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_cs.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleCrashHandler.exe (1425 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_it.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_tr.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_bg.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_pl.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_sw.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ur.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_am.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_no.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdateWebPlugin.exe (601 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdate.dll (11518 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_nl.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_mr.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_is.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ro.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_gu.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe (601 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleCrashHandler64.exe (2105 bytes)
%Program Files%\Google\Update\1.3.33.5\GoogleUpdateCore.exe (4185 bytes)
%Program Files%\Google\Update\1.3.33.5\psuser_64.dll (1281 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ta.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_fi.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_hr.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ru.dll (42 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_hi.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_fil.dll (44 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_ar.dll (41 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_iw.dll (40 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_sv.dll (43 bytes)
%Program Files%\Google\Update\1.3.33.5\goopdateres_vi.dll (42 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5 (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)

The process GoogleUpdate.exe:2556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\1.3.33.5\psmachine.dll (208 bytes)

The process GoogleUpdate.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\guiB96F.tmp (118 bytes)
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\59.0.3071.115\59.0.3071.115_chrome_installer.exe (335720 bytes)
%Program Files%\Google\Update\Install\{99D26E4D-0150-4928-9F38-079C57715099}\59.0.3071.115_chrome_installer.exe (356565 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{DF72C1F3-2304-4045-AAE2-4B4AF1A92250}-59.0.3071.115_chrome_installer.exe (0 bytes)
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59 (0 bytes)
%Program Files%\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe (0 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4} (0 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe (0 bytes)

The process GoogleUpdate.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\1.3.33.5\goopdateres_tr.dll (45 bytes)

The process %original file name%.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\SOFTWARE (33521 bytes)
C:\ (4 bytes)
C:\ProgramData\Synaptics\Synaptics.exe (14796 bytes)
C:\$Directory (96 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (27103 bytes)
C:\ProgramData\Synaptics\RCX7F1D.tmp (136247 bytes)

The process chrome.exe:904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma (4 bytes)

The process chrome.exe:2800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\59.0.3071.115\chrome_watcher.dll (507 bytes)

The process chrome.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log (349 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal (2220 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\be271b16-4967-41d8-b2da-76f04e6519c0.tmp (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal (3450 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\237913a104effca4_0 (2591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\LOG (609 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History-journal (13452 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_0 (3767 bytes)
%Program Files%\Google\Chrome\Application\59.0.3071.115\chrome_elf.dll (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (13444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\269f7f45e848c91c_1 (908 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\f9a13a1d-2658-4fbf-aebe-1fb961e492b7.tmp (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data (2560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG (621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BFYFVE9PRD77F8U25LJZ.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\index-dir\temp-index (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt.tmp (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (2379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\04c3cc8d-f783-4544-a1e3-22852d70d998.tmp (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Favicons (1016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History (5928 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\000003.log (116 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\ced75f65-da8e-415d-89ae-fcdba13848c8.tmp (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1 (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\7f3e5c44-92be-4d21-87f5-813ceec751ee.tmp (644 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\f52eadfc4c4c9939_0 (1478 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\3da63c61c13c216f_0 (3669 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\4552cf74d5ebf7e9_0 (1689 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_12807EEA10A7EC60FDD176C775E04F82 (788 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\725f5e67-80d1-4c6f-82c8-38453444be44.tmp (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (10458 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\index (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db (988 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\temp-index (5448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (13896 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (3784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (48460 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (27810 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\cfcee90a-e33f-4a51-9c30-4f3f6edc1f43.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (20002 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (12178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002 (97 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\7d2a6b99-5993-4e06-9469-f06083020582.tmp (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TY0EQQ6VKUB6KDMHWS4U.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (33564 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (7962 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\7df8a1ae1073cc82_0 (3129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\4301b8f7-af49-43e9-938c-54072ee50286.tmp (160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log (1017 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012 (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs-journal (8937 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\72691ae0-ae74-4a04-a758-d48446eef2ca.tmp (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor (5627 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\03ed3ea933b3eca9_0 (1419 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 (42 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (28456 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies (1103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\fdf2cfeb8ad0eeac_0 (1811 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\b4e9f0cd8bb23778_1 (968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs (346 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (231 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF704ff.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e83c.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e7bf.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF73f7f.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\3B92.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\3B91.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\cfcee90a-e33f-4a51-9c30-4f3f6edc1f43.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e7ee.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF73a03.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG.old~RF6eff9.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RF6f298.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF7c956.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\d97c2f4e-511f-45b3-b92e-cf0f3a4831da.tmp (0 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\20170707183304.pma (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt~RF70750.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\525fccae-52e6-4012-8ff5-471a46c02451.tmp (0 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\20161013130810.pma (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\LOG.old~RF6e7af.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt~RF6f314.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\index-dir\the-real-index~RF741ef.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF704ff.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e9c2.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF74143.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF6df46.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e7ce.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF706d3.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\18BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF6e771.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF7a1ab.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6ea2f.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e687.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF70482.TMP (0 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\20161028102133.pma (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e713.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\3B93.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e8c8.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RF767a7.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF6e60a.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RF6df46.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF6df56.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF75060.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000003.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Last Session (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF6e8a9.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF7a1ab.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e668.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index~RF6e771.TMP (0 bytes)

The process ._cache_%original file name%.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUM7EB0.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM7EB0.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM7EB0.tmp (32 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\psuser.dll (206 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM7EB0.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM7EB0.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUT7EB1.tmp (7 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ca.dll (44 bytes)

The Trojan deletes the following file(s):

%Program Files%\GUM7EB0.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sv.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM7EB0.tmp (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\psuser.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_et.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUT7EB1.tmp (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM7EB0.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM7EB0.tmp\goopdateres_ca.dll (0 bytes)

The process 59.0.3071.115_chrome_installer.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\SETUP.EX_ (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\setup.exe (19563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\CHROME.PACKED.7Z (51087 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\SETUP.EX_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\setup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\CHROME.PACKED.7Z (0 bytes)

The process setup.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\zh-CN.pak (237 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\vi.pak (326 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\en-GB.pak (237 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sw.pak (241 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\lv.pak (293 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_child.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\da.pak (261 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\external_extensions.json (1 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\es-419.pak (282 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\nacl_irt_x86_32.nexe (3 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_elf.dll (430 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\bn.pak (604 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\zh-TW.pak (237 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\a7298fba-db36-40bd-8ad2-a1efe0034a52.tmp (14 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\cs.pak (290 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Extensions\external_extensions.json (99 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\kn.pak (652 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\drive.crx (25 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome.dll (33616 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\gu.pak (568 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\chrome.exe (1 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ms.pak (217 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\pt-BR.pak (279 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\swiftshader\libglesv2.dll (2 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\59.0.3071.115.manifest (226 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ru.pak (453 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\libegl.dll (86 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\eventlog_provider.dll (12 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\smalllogo.png (7 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sk.pak (300 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\hu.pak (301 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome.exe.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ar.pak (393 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\hr.pak (270 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\nb.pak (257 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ko.pak (288 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\resources.pak (16 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\hi.pak (583 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\bg.pak (464 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\docs.crx (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fa.pak (406 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\el.pak (512 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\mr.pak (578 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\uk.pak (450 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59 (8 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\it.pak (277 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales (8 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\pt-PT.pak (284 bytes)
%Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\chrmstp.exe (8657 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fil.pak (292 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\logocanary.png (22 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\lt.pak (292 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\nacl_irt_x86_64.nexe (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\swiftshader\libegl.dll (112 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\et.pak (252 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\chrome.7z (272250 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\icudtl.dat (10 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\d3dcompiler_47.dll (3 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fr.pak (304 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\libglesv2.dll (2 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ml.pak (732 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\youtube.crx (23 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sl.pak (270 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ca.pak (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\chrome_installer.log (12861 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\gmail.crx (24 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (217 bytes)
%Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\setup.exe (8657 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ja.pak (340 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\tr.pak (281 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\snapshot_blob.bin (1 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\VisualElements (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\pl.pak (286 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sv.pak (261 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\de.pak (246 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ro.pak (289 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\nl.pak (274 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\he.pak (334 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\th.pak (567 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\logo.png (17 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\manifest.json (950 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ta.pak (675 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\en-US.pak (237 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\natives_blob.bin (239 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sr.pak (432 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71 (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\am.pak (398 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales (8 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\nacl64.exe (6 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_watcher.dll (504 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116 (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\es.pak (287 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_100_percent.pak (458 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome.dll.sig (1 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fi.pak (267 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\te.pak (629 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_child.dll (57832 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_200_percent.pak (728 bytes)
%Program Files%\Google\Chrome\Temp (4 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\chrome.VisualElementsManifest.xml (410 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\id.pak (257 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\smalllogocanary.png (7 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (7386 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\youtube.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\natives_blob.bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\en-US.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\uk.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\bn.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps\docs.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\he.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\da.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\mr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\pt-BR.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\el.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\bg.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\nacl64.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\hi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\VisualElements\logo.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sv.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1368_31188\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\kn.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ca.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_200_percent.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\resources.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific\win_x86 (0 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\resources.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\smalllogo.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\et.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ja.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\hr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\pt-BR.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\en-US.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\chrome_child.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\gu.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\nl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sk.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\vi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\sr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\sv.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_watcher.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\hu.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\hi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\nacl_irt_x86_64.nexe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\VisualElements (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\da.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\pl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\lt.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\smalllogocanary.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\es-419.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ko.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\VisualElements\smalllogo.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\te.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\lt.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps\youtube.crx (0 bytes)
%Program Files%\Google\Chrome\Temp (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\pt-PT.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\zh-CN.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\snapshot_blob.bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Extensions\external_extensions.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\uk.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\el.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\pt-PT.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\en-GB.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Extensions\external_extensions.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\icudtl.dat (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\et.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ms.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\de.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\chrome_100_percent.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\libglesv2.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\mr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ro.pak (0 bytes)
C:\Windows\Temp\guiB96F.tmp (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\logocanary.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\chrome.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\pl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\setup.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ru.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\id.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1368_16549\chrome.VisualElementsManifest.xml (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ar.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\kn.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1368_31188 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\te.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\VisualElements\logocanary.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\it.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ru.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\bg.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\es.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\zh-TW.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_child.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\cs.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Extensions (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\vi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\WidevineCdm\manifest.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\snapshot_blob.bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\d3dcompiler_47.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\sw.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fake-bidi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrome.7z (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\fr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ta.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\gmail.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\docs.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\fa.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\id.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\natives_blob.bin (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fil.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\chrome_200_percent.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\zh-TW.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ms.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\nacl_irt_x86_32.nexe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\drive.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ta.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\nb.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ca.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\am.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\nacl_irt_x86_64.nexe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\fa.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\chrome_watcher.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\d3dcompiler_47.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\cs.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Extensions (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ja.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps\drive.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\chrmstp.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\54.0.2840.71.manifest (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\libegl.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\gu.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\nb.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\it.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\nl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\54.0.2840.59.manifest (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\WidevineCdm (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\hr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\fake-bidi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\sk.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\sl.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ro.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps\external_extensions.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\tr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_100_percent.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\ml.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\nacl64.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\bn.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\am.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ar.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps\gmail.crx (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\he.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\es-419.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\de.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\fil.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\lv.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\es.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\icudtl.dat (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\en-GB.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ml.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\zh-CN.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\nacl_irt_x86_32.nexe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\sw.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\source1368_32116 (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\th.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\fi.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\ko.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome_elf.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements\logo.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\WidevineCdm\manifest.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\libglesv2.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\VisualElements\smalllogocanary.png (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\libegl.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\chrome_elf.dll (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps\external_extensions.json (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\th.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\lv.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Locales\tr.pak (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Locales\hu.pak (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1368_16549 (0 bytes)

The process Synaptics.exe:1776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0EMQLVCV.txt (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_12807EEA10A7EC60FDD176C775E04F82 (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ALZUFNWE.txt (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_B06F3AB2BEBC83E8764E9B220066791E (1432 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\v86Vgjk.ini (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_12807EEA10A7EC60FDD176C775E04F82 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCX82D6.tmp (137517 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCX82C5.tmp (137517 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\O18zWu6h.ico (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_B06F3AB2BEBC83E8764E9B220066791E (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB674.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\O18zWu6h.exe (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB675.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (624 bytes)
C:\Users\"%CurrentUserName%"\Downloads\dotNetFx35setup.exe (25426 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB674.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\O18zWu6h.ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ALZUFNWE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\O18zWu6h.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB675.tmp (0 bytes)

Registry activity

The process GoogleUpdate.exe:2784 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"opt_in_uid_generated" = "01 00 00 00 00 00 00 00"

[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKLM\SOFTWARE\Google\Update]
"uid-num-rotations" = "1"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"

[HKLM\SOFTWARE\Google\Update\uid]
"AFBWOETE" = ""

[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKLM\SOFTWARE\Google\Update]
"UID" = "{8BCC0720-1DFD-4A1C-8B27-E63CB3CC7576}"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_major_version" = "06 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"

[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"

[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update]
"uid-create-time" = "1499441563"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"

[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]

The process GoogleUpdate.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "04 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"
"windows_major_version" = "06 00 00 00 00 00 00 00"
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "04 00 00 00 00 00 00 00"

The process GoogleUpdate.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_install_total" = "01 00 00 00 00 00 00 00"

[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Timings]
"setup_install_task_ms" = "01 00 00 00 00 00 00 00 69 00 00 00 00 00 00 00"

[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "06 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Timings]
"setup_lock_acquire_ms" = "01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.5"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{0A51F3DC-8067-489D-898B-E5D4382616F9}]
"PersistedPingTime" = "131439151637318255"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_install_service_succeeded" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Timings]
"setup_phase2_ms" = "01 00 00 00 00 00 00 00 20 02 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_should_install_total" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_install_service_and_task_succeeded" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_install_task_succeeded" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_do_self_install_total" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{0A51F3DC-8067-489D-898B-E5D4382616F9}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.5"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_install_succeeded" = "01 00 00 00 00 00 00 00"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Timings]
"setup_install_google_update_total_ms" = "01 00 00 00 00 00 00 00 AD 03 00 00 00 00 00 00"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Timings]
"setup_files_ms" = "01 00 00 00 00 00 00 00 55 01 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "06 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Timings]
"setup_install_service_ms" = "01 00 00 00 00 00 00 00 B3 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_do_self_install_succeeded" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.5"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_major_version" = "06 00 00 00 00 00 00 00"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"iid" = "{5399C892-85E3-CF66-E51E-3E544E615E8D}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.5"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_files_total" = "01 00 00 00 00 00 00 00"
"setup_files_verification_succeeded" = "01 00 00 00 00 00 00 00"
"setup_subsequent_install_should_install_true" = "01 00 00 00 00 00 00 00"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.5"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "1"

[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"

[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_subsequent_install_total" = "01 00 00 00 00 00 00 00"
"setup_install_service_task_total" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"setup_should_install_true_newer" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Güncelleme"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{0A51F3DC-8067-489D-898B-E5D4382616F9}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"

[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"

[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"

[HKLM\SOFTWARE\Google\Update]
"ui"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"

[HKLM\SOFTWARE\Google\Update]
"mi"

The process GoogleUpdate.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateBroker.exe"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-1004"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateBroker.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-1004"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-1004"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-3000"

[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"

[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-3000"

[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\psmachine.dll"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_major_version" = "06 00 00 00 00 00 00 00"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateBroker.exe"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-1004"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\CLSID\{667ABD49-6DCA-4B5D-A1F8-F1243CB404B0}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\psmachine.dll"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"

[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe"

[HKCR\CLSID\{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\psmachine.dll"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"

[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"

[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\CLSID\{667ABD49-6DCA-4B5D-A1F8-F1243CB404B0}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\CLSID\{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-1004"

[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateBroker.exe"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-3000"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-3000"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.5\goopdate.dll,-3000"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{75BC6B63-B6F3-4F56-BD5B-26A290AD0F3C}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{667ABD49-6DCA-4B5D-A1F8-F1243CB404B0}\InprocHandler32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{667ABD49-6DCA-4B5D-A1F8-F1243CB404B0}]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]

The process GoogleUpdate.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "03 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"
"windows_major_version" = "06 00 00 00 00 00 00 00"
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "03 00 00 00 00 00 00 00"

The process GoogleUpdate.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"InstallProgressPercent" = "95"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "08 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{6535C21B-C6A9-40D6-A995-3DCD19246C6C}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.71"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"browser" = "4"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "08 00 00 00 00 00 00 00"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{6766101B-754A-4619-A25C-82D0E08128AA}]
"PersistedPingTime" = "131439151675694026"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerError" = "2"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"worker_download_total" = "01 00 00 00 00 00 00 00"
"worker_package_cache_put_total" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{6535C21B-C6A9-40D6-A995-3DCD19246C6C}]
"PersistedPingTime" = "131439151642934265"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{6766101B-754A-4619-A25C-82D0E08128AA}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"iid" = "{5399C892-85E3-CF66-E51E-3E544E615E8D}"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "x64-stable-statsdef_1"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"lang" = "tr"
"LastInstallerResult" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"worker_package_cache_put_succeeded" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ping_freshness" = "{300F643B-AEC9-425C-B262-134779B0080A}"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_major_version" = "06 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"cup_ecdsa_trusted" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastInstallerError" = "2"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"worker_download_succeeded" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Timings]
"updatecheck_succeeded_ms" = "01 00 00 00 00 00 00 00 BA 0C 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastCheckSuccess" = "1499441584"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"worker_install_execute_total" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"DownloadProgressPercent" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\cohort]
"Name" = "Stable Installs Only"
"(Default)" = "1:gu/i19:"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"cup_ecdsa_total" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
"usagestats" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
"LastInstallerResult" = "0"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{6535C21B-C6A9-40D6-A995-3DCD19246C6C}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{6766101B-754A-4619-A25C-82D0E08128AA}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"eulaaccepted"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"eulaaccepted"
"LastInstallerResultUIString"
"InstallerSuccessLaunchCmdLine"
"LastInstallerSuccessLaunchCmdLine"
"InstallerResult"
"iid"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"
"LastInstallerError"
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerExtraCode1"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerError"
"LastInstallerResult"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerResult"
"LastInstallerError"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
"LastInstallerExtraCode1"

The process GoogleUpdate.exe:3016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "07 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"
"windows_major_version" = "06 00 00 00 00 00 00 00"
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "07 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E]
"LanguageList" = "en-US, en"

The process GoogleUpdate.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "05 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Booleans]
"is_system_install" = "01 00 00 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "1"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Integers]
"windows_major_version" = "06 00 00 00 00 00 00 00"
"omaha_version" = "05 00 21 00 03 00 01 00"

[HKLM\SOFTWARE\Google\Update\UsageStats\Daily\Counts]
"goopdate_main" = "05 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats"

The process %original file name%.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"msinfo32.exe,-100" = "System Information"
"AccessibilityCpl.dll,-10" = "Ease of Access Center"
"gameux.dll,-10082" = "Games Explorer"
"gameux.dll,-10061" = "Spider Solitaire"
"pmcsnap.dll,-700" = "Print Management"
"wdc.dll,-10021" = "Performance Monitor"
"mblctr.exe,-1008" = "Windows Mobility Center"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"mycomput.dll,-300" = "Computer Management"
"SyncCenter.dll,-3000" = "Sync Center"
"miguiresource.dll,-101" = "Event Viewer"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0]
"powershell.exe,-101" = "Windows PowerShell ISE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10060" = "Solitaire"
"ie4uinit.exe,-737" = "Internet Explorer (No Add-ons)"
"odbcint.dll,-1310" = "Data Sources (ODBC)"
"gameux.dll,-10103" = "Internet Spades"
"MdSched.exe,-4001" = "Windows Memory Diagnostic"
"gameux.dll,-10059" = "Mahjong Titans"
"wucltux.dll,-1" = "Windows Update"
"dfrgui.exe,-103" = "Disk Defragmenter"
"filemgmt.dll,-2204" = "Services"
"gameux.dll,-10102" = "Internet Backgammon"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\migwiz]
"wet.dll,-588" = "Windows Easy Transfer"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"NetProjW.dll,-501" = "Connect to a Network Projector"
"rstrui.exe,-100" = "System Restore"
"SoundRecorder.exe,-100" = "Sound Recorder"
"gameux.dll,-10055" = "FreeCell"
"gameux.dll,-10209" = "More Games from Microsoft"
"wsecedit.dll,-718" = "Local Security Policy"
"gameux.dll,-10056" = "Hearts"
"gameux.dll,-10057" = "Minesweeper"
"gameux.dll,-10054" = "Chess Titans"
"comres.dll,-3410" = "Component Services"
"msra.exe,-100" = "Windows Remote Assistance"
"wdc.dll,-10030" = "Resource Monitor"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Common Files\Microsoft Shared\Ink]
"ShapeCollector.exe,-298" = "Personalize Handwriting Recognition"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Windows Journal]
"Journal.exe,-3074" = "Windows Journal"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"FXSRESM.dll,-114" = "Windows Fax and Scan"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\DVD Maker]
"DVDMaker.exe,-61403" = "Windows DVD Maker"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\Speech\SpeechUX]
"sapi.cpl,-5555" = "Windows Speech Recognition"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"displayswitch.exe,-320" = "Connect to a Projector"
"iscsicpl.dll,-5001" = "iSCSI Initiator"
"sdcpl.dll,-101" = "Backup and Restore"
"msconfig.exe,-126" = "System Configuration"
"recdisc.exe,-2000" = "Create a System Repair Disc"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Common Files\Microsoft Shared\Ink]
"mip.exe,-291" = "Math Input Panel"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Windows Sidebar]
"sidebar.exe,-1005" = "Desktop Gadget Gallery"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10058" = "Purble Place"
"AuthFWGP.dll,-20" = "Windows Firewall with Advanced Security"
"XpsRchVw.exe,-102" = "XPS Viewer"
"miguiresource.dll,-201" = "Task Scheduler"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\migwiz]
"wet.dll,-591" = "Windows Easy Transfer Reports"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10101" = "Internet Checkers"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Common Files\Microsoft Shared\Ink]
"TipTsf.dll,-80" = "Tablet PC Input Panel"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synaptics Pointing Device Driver" = "C:\ProgramData\Synaptics\Synaptics.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process chrome.exe:684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E]
"@sendmail.dll,-21" = "Desktop (create shortcut)"
"@sendmail.dll,-4" = "Mail recipient"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E\@C:\Windows\system32]
"FXSRESM.dll,-120" = "Fax recipient"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E]
"LanguageList" = "en-US, en"
"@zipfldr.dll,-10148" = "Compressed (zipped) folder"

The process chrome.exe:2800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Chrome\BrowserExitCodes]
"912-13143915185837034" = "259"

The process chrome.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "0"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E\@%systemroot%\system32]
"fveui.dll,-843" = "BitLocker Drive Encryption"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid_installdate" = "1476353291"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"mfehgcgbbipciphmccgaenjidiccnmng" = "1DC828FC71893905C8EF7491DA4A223A309F9A65F2AA1E8B27EB0335357060D6"
"apdfllckaahabafndbhieahigkjlhalf" = "4B1337E12EB6116569B013109DCC1F6FA5365488395F1DC8F284A89454DFE9BA"
"pkedcjkdefgpdelpbcmbmeomcjbeemfm" = "DD75F4A01E692C523E384EDC4B8C28BD3E9E1747978F8BCEBA72FB989FCF8F6C"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"software_reporter.prompt_seed" = "5DEE273EB35EA611CC8B05C11339971195988DF2D6800BA04068186F87D707FE"
"HomePage" = "4927C32345C390D3C2585C40287699F259C49BEE9192DAB7104F17AA633628F9"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "1"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"neajdppkdcdipfabeoofebfddakdcjhd" = "BD5F64E53FAFBA0E8F6C43729FFD7EA82BE58DADE0397F071BC3AFD52CA5F4C8"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"usagestats" = "1"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid_enableddate" = "1499441586"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\LastWasDefault]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"safebrowsing.incidents_sent" = "B346F9147F0583630A2688A0683537FBA094EE4100E50E305686DD491008A268"
"session.restore_on_startup" = "F0A52AE7661810668D8E08055085183CED86CFFEFBABF4487438382CFB901D65"
"session.startup_urls" = "7C30C31B08C15195FCA3F9D8B98ECFDEFBFC1AFCC54E7964D0DCB176331BCB68"

[HKCU\Software\Google\Chrome\BLBeacon]
"Version" = "59.0.3071.115"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"browser.show_home_button" = "5345858319222558DD668E1523DE4B89C249EFA449863F6917C244D08FDD99A8"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"kmendfapggjehodndflmmgagdbamhnfd" = "7EB6FCFF7F1400C82ABD0A1D930FD94E6ECFD248F95DF27C9B3CBD8EC29BE072"
"gfdkimpbcpahaombhbimeihdjnejgicl" = "874FA3D697C21A5F6D0AD5CF2D7D1CF8FB9C9F5FE631A5CBD6FE9054B4BD532C"
"nmmhkkegccagdldgiimedpiccmgmieda" = "782DC184B767A740A8FB718D0C941355DAA2AE74146F175F6537C9CD2CA0B3AC"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"settings_reset_prompt.last_triggered_for_startup_urls" = "3BE9C80F4B2EFE6B406EE62D0CBB404679873B6C13BE6B2EA373FEFFC0187180"
"google.services.last_username" = "35DCC78B635F9EA705EAA01B61C07356D702C74B011988036A925D0A8B56FC9F"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"mfffpogegjflfpflabcdkioaeobkgjik" = "077BBC21628028EEB3E3FAF3D63B19CD2175B0CBDBB3645399F8791DE76B860D"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"prefs.preference_reset_time" = "C4055A17280FBB3B2950B15B5826BF53448DA1A9BE6745455425486792E5EA32"
"settings_reset_prompt.prompt_wave" = "34EE47987513300F16FFDDE04C4D700EBF43B948C1DCD5125D3C529C62545064"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"pjkljhegncpnkpknbcohdijeoejaedia" = "51BA9E3F6D883D008377B9B70542F68323B13018EF6B11E1846425727ACAF35F"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"google.services.account_id" = "366D929451F2F626937028C81058757FD73C1CD25B577B6F75D6DCC35043B40A"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"ahfgeienlihckogmohjhadlkjgocpleb" = "A8974EFB53C5B2F75A33F09DF52DFFA6AC407DBA33A8A2F35A5E723814E4C879"
"mhjfbmdgcfjbbpaeojofohoefgiehjai" = "B9DFBDF7B4DF3E09A965EA7E98AD0A75BF2160606D01D16756FCAB93FA3269F2"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"google.services.last_account_id" = "2BE18804583E4ABEB264E73CF1EF974E69DB818364E5802542F41C44F1787FF3"
"search_provider_overrides" = "82133C6B8BE9C44D8F2476EB29EC800275A854A6B746A4707927EB151F4034D4"
"settings_reset_prompt.last_triggered_for_default_search" = "5E384B99DC10515F47BBC9BF48E423CB4C7B7CD43D7268209D1A5F1C99A0D899"

[HKCU\Software\Google\Chrome\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E\@%systemroot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid" = "acd2c769-b82b-408d-87f0-ba68583f7e5b"
"lastrun" = "13143915186398635"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"google.services.username" = "2F571C280DA9B0905DC3683526617D8510C049B03FAB0A3F4DE7A470ED52D469"
"default_search_provider_data.template_url_data" = "4369562BF77A2ACF6EB84944136A955206E601F2197BAC482894A16D090369D5"

[HKCU\Software\Google\Chrome\BLBeacon]
"failed_count" = "0"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"software_reporter.prompt_version" = "7DD0AFAE10A07459AC8D6024EE95B1D0D3186DE614BC6855ADBD75A462740731"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E\@%systemroot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"felcaaldnbdncclmgdcncolpebgiejap" = "1CE4B3FEF412CABE2793A2395EFC6A388F6B6B92C9D8F90FFF8D21DA72040A9D"

[HKCU\Software\Google\Chrome]
"UsageStatsInSample" = "1"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"aapocclcgogkmnckokdopfmhonfmgoek" = "1D447311EA05C44F7A19ADA993711677E4BD021C7592BFF8CCE4DE352C26BB00"
"nkeimhogjdpnpccoofpliimaahmaaome" = "B6A411B9EEE119BED7DB8ADFC763F5C961CD963B70DC9251F3FFA0AC2FDB74FB"
"eemcgdkfndhakfknompkggombfjjjeno" = "36FD91C15D12F15A440BD9F8869E6ACFB7A0497041DFB3383F9B3C3DB8382A0E"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"homepage_is_newtabpage" = "D2AB4FC90DF81D5771D709024E019D947F2F7C48B215D61898335B0FE8A39AB7"
"pinned_tabs" = "1019B42475EDDCE449D9567C5AE4A20AA55A2400280BA3BB7554F2894896740E"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"aohghmighlieiainnegkcijnfilokake" = "1A84FF512CA0D78288B487F86EA2D64FA2E7C672BA4AA9C77DE40CAE5286EC05"
"ghbmnnjooekpmoecnnnilnnbdlolhkhi" = "42912E93D387F9D869FC037F50466D63F7CA062204EA2211EFC8D2ED37C3D4C9"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E\@%systemroot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"aggregate" = "sum()"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"aggregate" = "sum()"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E\@%systemroot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"blpcfgokakmgnkcojhhkbfbldkacnbeo" = "2B67C5C823BEF8467AEC9E5AE199CB1C7B14D1190F0AE25CC619767AF21980EC"

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"settings_reset_prompt.last_triggered_for_homepage" = "FBF3077DE788CC8F8D527282830EA8ECD0BC1F07F7B756F1C93439C81522303E"

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"bepbmhgboaologfdajaanbcjmnhjmhfn" = "154FF1ECE5E955318D75C167E8A1E4B5AD686ECB55C4578D41DE7FBA1EB1A631"

The Trojan deletes the following registry key(s):

[HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
[HKCU\Software\Google\Chrome\PreReadFieldTrial]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Google\Chrome\PreferenceMACs\Default]
"extensions.settings"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"experiment_labels"

[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\FirstNotDefault]
"S-1-5-21-732923889-1296844034-1208581001-1000"

The process 59.0.3071.115_chrome_installer.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome-full"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "x64-stable-statsdef_1-full"

The process setup.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"ShowIconsCommand" = "%Program Files%\Google\Chrome\Application\chrome.exe --show-icons"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"ftp" = "ChromeHTML"

[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Localized Name" = "Google Chrome"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities]
"ApplicationName" = "Google Chrome"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid" = "ChromeHTML"

[HKCR\.shtml\OpenWithProgids]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"http" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid" = "ChromeHTML"

[HKCR\.html]
"(Default)" = "ChromeHTML"

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"CategoryMessageFile" = "%Program Files%\Google\Chrome\Application\59.0.3071.115\eventlog_provider.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"VersionMinor" = "115"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\Startmenu]
"StartMenuInternet" = "Google Chrome"

[HKCR\https\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"(Default)" = "Google Chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"UninstallString" = "%Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\setup.exe --uninstall --system-level --verbose-logging"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".html" = "ChromeHTML"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCR\.svg\OpenWithProgIds]
"ChromeHTML" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"pv" = "59.0.3071.115"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities]
"ApplicationIcon" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayVersion" = "59.0.3071.115"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".xhtml" = "ChromeHTML"

[HKCU\Software\Classes\.xht]
"(Default)" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities]
"ApplicationDescription" = "Google Chrome, web sayfalarını ve uygulamaları yıldırım hızıyla çalıştıran bir web tarayıcısıdır. Hızlı, dengeli ve kullanımı kolaydır. Kötü amaçlı yazılımlara ve e-dolandırıcılığa karşı Google Chrome'un içinde yerleşik olarak bulunan koruma özellikleriyle web'de daha güvenli bir şekilde gezinin."

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".svg" = "ChromeHTML"

[HKCU\Software\Classes\.html]
"(Default)" = "ChromeHTML"

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome]
"(Default)" = "Google Chrome"

[HKCU\Software\Classes\.shtml]
"(Default)" = "ChromeHTML"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"tel" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".htm" = "ChromeHTML"

[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"nntp" = "ChromeHTML"

[HKCR\https\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Version" = "43,0,0,0"

[HKCR\.xht\OpenWithProgids]
"ChromeHTML" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid" = "ChromeHTML"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKCR\ChromeHTML]
"(Default)" = "Chrome HTML Document"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"ReinstallCommand" = "%Program Files%\Google\Chrome\Application\chrome.exe --make-default-browser"

[HKCR\ftp]
"URL Protocol" = ""

[HKCR\HTTP\shell]
"(Default)" = "open"

[HKCR\https]
"URL Protocol" = ""

[HKCR\.webp\OpenWithProgids]
"ChromeHTML" = ""

[HKCU\Software\Classes\.xhtml]
"(Default)" = "ChromeHTML"

[HKCR\.html\OpenWithProgids]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"smsto" = "ChromeHTML"
"mms" = "ChromeHTML"

[HKCR\ChromeHTML\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"StubPath" = "%Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".pdf" = "ChromeHTML"

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"TypesSupported" = "7"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallArguments" = " --uninstall --system-level --verbose-logging"

[HKCR\.pdf\OpenWithProgIds]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerResult" = "0"

[HKCR\HTTP]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"urn" = "ChromeHTML"

[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Publisher" = "Google Inc."

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerError" = "2"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".xht" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Name" = "Google Chrome"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"irc" = "ChromeHTML"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "x64-stable-statsdef_1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".shtml" = "ChromeHTML"

[HKCR\.htm\OpenWithProgids]
"ChromeHTML" = ""

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerProgress" = "18"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"IconsVisible" = "1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"news" = "ChromeHTML"
"mailto" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Version" = "59.0.3071.115"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "ChromeHTML"

[HKCR\.xhtml\OpenWithProgids]
"ChromeHTML" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\FileAssociations]
".webp" = "ChromeHTML"

[HKCU\Software\Classes\.htm]
"(Default)" = "ChromeHTML"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"

[HKCR\.shtml]
"(Default)" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"webcal" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayName" = "Google Chrome"

[HKCR\.htm]
"(Default)" = "ChromeHTML"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe]
"Path" = "%Program Files%\Google\Chrome\Application"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"https" = "ChromeHTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"ParameterMessageFile" = "%Program Files%\Google\Chrome\Application\59.0.3071.115\eventlog_provider.dll"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "Google Chrome"

[HKCR\HTTP\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"IsInstalled" = "1"

[HKLM\System\CurrentControlSet\services\eventlog\Application\Chrome]
"CategoryCount" = "1"
"EventMessageFile" = "%Program Files%\Google\Chrome\Application\59.0.3071.115\eventlog_provider.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoModify" = "1"
"DisplayIcon" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "47"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"InstallLocation" = "%Program Files%\Google\Chrome\Application"
"VersionMajor" = "3071"

[HKCR\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\Capabilities\URLAssociations]
"sms" = "ChromeHTML"

[HKLM\SOFTWARE\RegisteredApplications]
"google chrome" = "Software\Clients\StartMenuInternet\Google Chrome\Capabilities"

[HKCR\ftp\shell]
"(Default)" = "open"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid" = "ChromeHTML"

[HKCR\.xhtml]
"(Default)" = "ChromeHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\InstallInfo]
"HideIconsCommand" = "%Program Files%\Google\Chrome\Application\chrome.exe --hide-icons"

[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"CommandLine" = "%Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\setup.exe --on-os-upgrade --system-level --verbose-logging"

[HKCR\.xht]
"(Default)" = "ChromeHTML"

[HKCR\ChromeHTML\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "Google Chrome"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe -- %1"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallString" = "%Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\setup.exe"

[HKCR\https\DefaultIcon]
"(Default)" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid" = "ChromeHTML"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"

The process Synaptics.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\32\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Synaptics_RASMANCS]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
35970940c48d67bd3197d7043acdfd69 c:\Program Files\Google\Chrome\Application\59.0.3071.115\Installer\chrmstp.exe
35970940c48d67bd3197d7043acdfd69 c:\Program Files\Google\Chrome\Application\59.0.3071.115\Installer\setup.exe
701d05dcf645b7afbf780da3addb3c0d c:\Program Files\Google\Chrome\Application\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Synaptics
Product Name: Synaptics Pointing Device Driver
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.4
File Description: Synaptics Pointing Device Driver
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 629740 629760 4.55603 33fbe30e8a64654287edd1bf05ae7c8c
DATA 634880 11860 12288 3.36497 1f5e19e7d20c1d128443d738ac7bc610
BSS 647168 4581 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 655360 10818 11264 3.40982 21ff53180b390dc06e3a1adf0e57a073
.tls 667648 16 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 671744 57 512 0.543857 a92cf494c617731a527994013429ad97
.reloc 675840 43392 43520 4.62615 dcd1b1c3f3d28d444920211170d1e8e6
.rsrc 720896 1203336 1203712 5.42362 ef204bb5598cf774a8f24a09155d6158

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE ISearchTech.com XXXPornToolbar Activity (MyApp)

Traffic

HEAD /edgedl/release2/ANffLad--dNb/59.0.3071.115_chrome_installer.exe?cms_redirect=yes&expire=1499455969&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1499441334&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=0A478F3CFC0B40A05E00283A05E0B0F2EF694411.35B6472E3B4A3EEC82BEB9B7C9AEB4EB68DFCC84&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: age=-1; cnt=1
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: fg
X-GoogleUpdate-Updater: Omaha-1.3.33.5
Host: r2---sn-2puapox-ig3e.gvt1.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 44096616
Content-Type: application/octet-stream
Etag: "14ad53"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Fri, 07 Jul 2017 06:08:16 GMT
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,36,35"
Last-Modified: Fri, 23 Jun 2017 03:57:55 GMT
Connection: keep-alive
....



GET /edgedl/release2/ANffLad--dNb/59.0.3071.115_chrome_installer.exe?cms_redirect=yes&expire=1499455969&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1499441334&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=0A478F3CFC0B40A05E00283A05E0B0F2EF694411.35B6472E3B4A3EEC82BEB9B7C9AEB4EB68DFCC84&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 23 Jun 2017 03:57:55 GMT
User-Agent: Microsoft BITS/7.5
X-Old-UID: age=-1; cnt=1
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: fg
X-GoogleUpdate-Updater: Omaha-1.3.33.5
Host: r2---sn-2puapox-ig3e.gvt1.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 44096616
Content-Type: application/octet-stream
Etag: "14ad53"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Fri, 07 Jul 2017 06:08:16 GMT
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,36,35"
Last-Modified: Fri, 23 Jun 2017 03:57:55 GMT
Connection: keep-alive

<<< skipped >>>

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 07 Jul 2017 15:32:55 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
76..xred.mooo.com|178.18.201.117|hXXp://freedns.afraid.org/dynamic/update.php?bUxTREVRbG1pZlBtWWg0V0lqWmVESm43OjEyOTUxNjgz..0..


GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "f4e252ffdf9fe4987799c2b2b1f63758:1499441421"
Last-Modified: Fri, 07 Jul 2017 15:30:21 GMT
Date: Fri, 07 Jul 2017 15:33:48 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.1


HEAD /edgedl/release2/ANffLad--dNb/59.0.3071.115_chrome_installer.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: age=-1; cnt=1
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: fg
X-GoogleUpdate-Updater: Omaha-1.3.33.5
Host: redirector.gvt1.com


HTTP/1.1 302 Found
Date: Fri, 07 Jul 2017 15:32:49 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r2---sn-2puapox-ig3e.gvt1.com/edgedl/release2/ANffLad--dNb/59.0.3071.115_chrome_installer.exe?cms_redirect=yes&expire=1499455969&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3e&ms=nvh&mt=1499441334&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=0A478F3CFC0B40A05E00283A05E0B0F2EF694411.35B6472E3B4A3EEC82BEB9B7C9AEB4EB68DFCC84&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 637
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN


The Trojan connects to the servers at the following location(s):

Synaptics.exe_1776:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
ssHorizontal
OnKeyDowntgC
OnKeyPress(gC
OnKeyUpLfC
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
AutoHotkeys<
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
OnActionExecute
TOrtusShellFolder
TOrtusShellSpecialFolder
OrtusShellGlobal
*TOrtusShellChangeNotifierAssocChangedEvent
(TOrtusShellChangeNotifierAttributesEvent
$TOrtusShellChangeNotifierCreateEvent
$TOrtusShellChangeNotifierDeleteEvent
&TOrtusShellChangeNotifierDriveAddEvent
)TOrtusShellChangeNotifierDriveAddGUIEvent
*TOrtusShellChangeNotifierDriveRemovedEvent
'TOrtusShellChangeNotifierFreeSpaceEvent
 TOrtusShellChangeNotifierMediaInsertedEvent
*TOrtusShellChangeNotifierMediaRemovedEvent
#TOrtusShellChangeNotifierMkDirEvent
&TOrtusShellChangeNotifierNetShareEvent
(TOrtusShellChangeNotifierNetUnshareEvent
*TOrtusShellChangeNotifierRenameFolderEvent
(TOrtusShellChangeNotifierRenameItemEvent
#TOrtusShellChangeNotifierRmDirEvent
.TOrtusShellChangeNotifierServerDisconnectEvent
'TOrtusShellChangeNotifierUpdateDirEvent
)TOrtusShellChangeNotifierUpdateImageEvent
(TOrtusShellChangeNotifierUpdateItemEvent
TOrtusShellChangeNotifierItem
TCustomOrtusShellChangeNotifier
OrtusShellChangeNotifier
TOrtusShellChangeNotifierFolder
TOrtusShellChangeNotifierFolders
TOrtusShellChangeNotifier
MsgId_OrtusShellChangeNotifier
SHELL32.DLL
Unknown (Windows
shell32.dll
{374DE290-123F-4565-9164-39C4925E467B}
Software\Microsoft\Windows\CurrentVersion\Run
\StringFileInfo\%0.4x%0.4x\%s
cmd.exe /C
00-00-00-00-00-00
$000000.tmp
ole32.dll
Excel.Application
.xlsm
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password<
0.0.0.1
TIdTCPStream
End of stream: %s at %d
TIdTCPConnection
TIdTCPConnectiond!H
IdTCPConnection
EIdTCPConnectionError
EIdObjectTypeNotSupported
TIdTCPClient
TIdTCPClient`CH
IdTCPClient
BoundPort
PortU
%s <%s>
=?WINDOWS
Indy 9.00.10
atLogin
IdSMTP
TIdSMTP
Password
AUTH LOGIN
LOGIN
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile<
OnGetPassword
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertErrorl'I
EIdOSSLLoadingKeyError
TRootKey
RootKey
MonitoredKey
WatchSubKeys
\libeay32.dll
\ssleay32.dll
\SSLLibrary.ddl
afraid.org/api
GetCMDAccess
Synaptics.exe
Synaptics.dll
.xlsx
smtp.gmail.com
ShellExecute=
autorun.inf
PORT
EXEURL1
cachex.ini
xred.mooo.com
hXXp://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
INIURL1
hXXps://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
INIURL2
hXXps://VVV.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
INIURL3
hXXp://xred.site50.net/syn/SUpdate.ini
hXXps://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
EXEURL2
hXXps://VVV.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
EXEURL3
hXXp://xred.site50.net/syn/Synaptics.rar
SSLURL1
hXXps://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
SSLURL2
hXXps://VVV.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
SSLURL3
hXXp://xred.site50.net/syn/SSLLibrary.dll
xredline2@gmail.com;xredline3@gmail.com
PASSWORD
xredline1@gmail.com
KEYBOARDHOOK
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TCP Client -> Aktif
TCP Client -> Pasif
Keyboard Hook -> Active
Keyboard Hook -> Deactive
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegNotifyChangeKeyValue
RegFlushKey
RegCreateKeyExA
GetCPInfo
CreatePipe
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
ShellExecuteExA
wininet.dll
InternetOpenUrlA
wsock32.dll
netapi32.dll
.edata
KBHks.dll
7 7$7,777
KWindows
(OrtusShellChangeNotifier
UrlMon
#IdSMTP
IdTCPStream
 IdTCPServer
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
[Content_Types].xml
_rels/.rels
xl/_rels/workbook.xml.rels
xl/workbook.xml
xl/vbaProject.bin
xl/theme/theme1.xml
xl/styles.xml
xl/worksheets/sheet1.xml
docProps/core.xml
docProps/app.xml
[Content_Types].xmlPK
_rels/.relsPK
xl/_rels/workbook.xml.relsPK
xl/workbook.xmlPK
xl/vbaProject.binPK
xl/theme/theme1.xmlPK
xl/styles.xmlPK
xl/worksheets/sheet1.xmlPK
docProps/core.xmlPK
docProps/app.xmlPK
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
%s is not a valid service.
Socket Error # %d
Operation would block.
Operation now in progress.
Object type not supported.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
@ Outside address*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
JPEG error #%d
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
File "%s" not found
No help keyword specified.
Alt  Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
'%s' is not a valid GUID value!'%s' is not a valid boolean value
I/O error %d
1.0.0.4
1.0.0.0

SearchProtocolHost.exe_796:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_2064:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

GoogleCrashHandler.exe_3164:

.text
`.rdata
@.data
.gfids
@.rsrc
@.reloc
PVSShT
PSSSSSSh
Dw.AEw
Fv.SCv
operator
operator ""
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
base\logging.cc
CreateMutexExW
TiB Address: %x
Actual stack pointer: %x
TiB stack base: %x
TiB stack limit: %x
Segment: %x
The process has an executable mapping which contains a overlapping instruction shellode spray pattern.
Crashing address: %x
Crashing segment base: %x
Offset of JMP->CALL->POP: %x
RegCreateKeyTransactedW
GoogleCrashHandler_unsigned.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
GetProcessHeap
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
ADVAPI32.dll
GetCPInfo
ole32.dll
SHELL32.dll
GetProcessWindowStation
EnumWindows
CreateWindowStationW
SetProcessWindowStation
CloseWindowStation
NETAPI32.dll
RPCRT4.dll
SHLWAPI.dll
USERENV.dll
VERSION.dll
DisconnectNamedPipe
CreateNamedPipeW
ConnectNamedPipe
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel level="asInvoker" />
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
kernel32.dll
GoogleUpdate.exe
X-HTTP-Attempts
X-Last-HTTP-Status-Code
%u.%u.%u.%u
%s\%s
[Started process][%u]
LC_REPORT
[d/d/d d:d:d.d]
[%s][%u:%u]
GoogleUpdate.log
LOG_SYSTEM: [%s]: ERROR - Cannot create ETW log writer
LOG_SYSTEM: [%s]: ERROR - Cannot create log writer to %s
LOG_SYSTEM: [%s]: ERROR - Calling the logging system after it has been shut down
GoogleUpdate.ini
LOG_SYSTEM: [%s]: Could not acquire logging mutex %s
LOG_SYSTEM: [%s]: Could not create logging file %s
PendingFileRenameOperations
HKEY_CLASSES_ROOT
HKEY_USERS
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
Exception %x in %s %s %u
%hs:%d
WINDOWS
{C4F406E5-F024-4e3f-89A7-D5AB7663C3CD}
[CrashHandler][Preparing dump][%d-bit][pid %d]
[CrashHandler][Instance is already running][%d-bit][%d]
[CrashHandler][Failed to init crash dir][0xx]
[CrashHandler][Failed to start Breakpad][0xx]
[StartCrashReporter failed][0xx]
-full.dmp
[OpenCustomInfoFile failed][0xx]
[CrashHandler][Upload deferred][Crash ID %d]
[StartCrashUploader() failed][0xx]
[CrashHandler][Dump handled][%d-bit][is_system %d]
[CrashHandler][Deleted Stale Crash][filename %s][custom data %s]
Excessive executable mappings found
{A0C1F415-D2CE-4ddc-9B48-14E56FD55162}
x-x-x-xx-xxxxxx
verifier.dll
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
%s\%s-full.dmp
\\.\pipe\GoogleCrashServices
[GetCrashPipeName][GetProcessUser failed][0xx]
[Failed to get current thread token][0xx]
[Failed to get default DACL][0xx]
[Failed to setup pipe security]
[Failed to add pipe security DACL][%#x]
[StartProcessWithNoExceptionHandler][%s]
.google.com
Google\CrashReports
{C68009EA-1163-4498-8E93-D5C4E317D8CE}
{D19BAF17-7C87-467E-8D63-6C4B1C836373}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
%s=%s
\\.\%s
report
%s %s
/%s %s
/%s %s
/%s "%s"
/%s %s %s /%s %s
Advapi32.dll
ProxyPort
ProxyPacUrl
source_url_index
%Program Files%\Google\Update\1.3.33.5\GoogleCrashHandler.exe
1.3.33.5

chrome.exe_912:

.text
`.rdata
@.data
.didat
.rsrc
@.reloc
dbghelp.dll
ole32.dll
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
operator
operator ""
?OLEAUT32.dll
POWRPROF.dll
user32.dll
c:\b\c\b\win_pgo\src\chrome\app\chrome_exe_main_win.cc
c:\b\c\b\win_pgo\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
%s: option `%s' is ambiguous (could be `--%s' or `--%s')
%s: invalid option -- `-%c'
%s: argument required for option `
--%s'
0.8.0
%ls (%s) %s
hXXps://crashpad.chromium.org/
hXXps://crashpad.chromium.org/bug/new
Report %ls bugs to
%s home page: <%s>
%ls: %s
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
PlatformFile.UnknownErrors.Windows
c:\b\c\b\win_pgo\src\base\debug\activity_tracker.cc
Histogram: %s recorded %d samples
(flags = 0x%x)
x-x-x-x-2llx
.thunks
.syzygy
TrackedObjects.GetRetiredOrCreateThreadData
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
UMA.PersistentAllocator.
.UsedPct
.Errors
c:\b\c\b\win_pgo\src\base\metrics\persistent_memory_allocator.cc
(%d = %3.1f%%)
Collections of histograms for %s
c:\b\c\b\win_pgo\src\base\metrics\statistics_recorder.cc
UMA.CreatePersistentHistogram.Result
UMA.NegativeSamples.Reason
-Windows NT
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
59.0.3071.115
widevinecdmadapter.dll
c:\b\c\b\win_pgo\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
c:\b\c\b\win_pgo\src\chrome\installer\util\channel_info.cc
iexplore.exe
c:\b\c\b\win_pgo\src\chrome\installer\util\google_chrome_distribution.cc
googlechrome
c:\b\c\b\win_pgo\src\chrome\installer\util\language_selector.cc
c:\b\c\b\win_pgo\src\components\browser_watcher\watcher_client_win.cc
user_experience_metrics.reporting_enabled
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\settings.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc
x-x-x-xx-xxxxxx
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_io_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_io.cc
Crashpad.CrashUpload.AttemptSuccessful
Crashpad.CrashReportSize
Crashpad.CrashReportPending
Crashpad.ExceptionEncountered
Crashpad.HandlerLifetimeMilestone
Crashpad.ExceptionCode.Win
Crashpad.ExceptionCaptureResult
Crashpad.CrashUpload.Skipped
Crashpad.HandlerCrash.ExceptionCode.Win
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\handler_main.cc
requires KEY=VALUE
--annotation=KEY=VALUE set a process annotation in each crash report
--database=PATH store the crash report database at PATH
HANDLE_pipe,
--monitor-self-annotation=KEY=VALUE
--pipe-name=PIPE communicate with the client over PIPE
--url=URL send crash reports to this Breakpad server URL,
--monitor-self-argument=--monitor-self is not supported
has duplicate key
--monitor-self-annotation=%s=%s
pipe-name
--initial-client-data and --pipe-name are incompatible
--initial-client-data or --pipe-name is required
SetProcessShutdownParameters
duplicate key
reserved key
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc
FinishedWritingCrashReport failed
PrepareNewCrashReport failed
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\user_stream_data_source.cc
kernel32.dll
c:\b\c\b\win_pgo\src\sandbox\win\src\sandbox_policy_base.cc
NtOpenKey
NtCreateKey
GetCertificateByHandle
GetCertificateSizeByHandle
GetCertificate
GetCertificateSize
SetOPMSigningKeyAndSequenceNumbers
CreateNamedPipeW
NtOpenKeyEx
PruneCrashReportDatabase: Failed to get pending reports
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc
PruneCrashReportDatabase: Failed to get completed reports
Database Pruning: Failed to remove report
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\crashpad_client_win.cc
\\.\pipe\crashpad_%d_
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\initial_client_data.cc
0x%x,0x%x,0x%x,0x%x,0x%x,0x%I64x,0x%I64x,0x%I64x
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\misc\paths_win.cc
::GetNamedPipeClientProcessId
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc
ConnectNamedPipe
ImpersonateNamedPipeClient
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\session_end_watcher.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc
%s: error 0x%x while retrieving error 0x%x
%s: %s (0x%x)
%s/%s WinHTTP
/%u.%u.%u.%u
Windows_NT/%u.%u.%u.%u (
WinHttpConnect
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
HTTP status %d
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReadData
; filename="%s"%s
Content-Type: %s%s
multipart/form-data; boundary=%s
%%x
--%s%sContent-Disposition: form-data; name="%s"
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc
<failed to retrieve error message (0x%x)>
(0xx)
TransactNamedPipe
TransactNamedPipe: expected
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc
WaitNamedPipe
SetNamedPipeHandleState
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\process_info.cc
Reading x64 process from x86 process not supported
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\critical_section_with_debug_info.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\module_version.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_body_gzip.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_body.cc
%s (%d)
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc
%s.%s,%s,%s
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc
%s %u.%u.%u.%s%s
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_seeker.cc
0x%llx   0x%llx (%s)
C:\b\c\b\win_pgo\src\out\Release\initialexe\chrome.exe.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLB
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$vtableC
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
chrome.exe
SignalChromeElf
SignalInitializeCrashReporting
chrome_elf.dll
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
ADVAPI32.dll
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
PSAPI.DLL
ShellExecuteExW
SHELL32.dll
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
SetProcessWindowStation
USER32.dll
VERSION.dll
WINMM.dll
GetCPInfo
PeekNamedPipe
DisconnectNamedPipe
WaitNamedPipeW
USERENV.dll
WINHTTP.dll
.?AU_Crt_new_delete@std@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="59.0.3071.115" version="59.0.3071.115" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
lKERNEL32.DLL
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
nchrome_watcher.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Ndebug.log
Kernel32.dll
ntdll.dll
Chrome_MessageWindow
shell32.dll
pepflashplayer.dll
resources.pak
script.log
chrome
chrome_child.dll
chrome.dll
Browse the web
-chromeframe
-chrome
hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1
%d.%d.%d
0.0.0.0-devel
Chrome
${windows}
wtsapi32.dll
advapi32.dll
SOFTWARE\Policies\Google\Chrome
reports
settings.dat
ALPC Port
\Sessions\%d\AppContainerNamedObjects\%ls
sHKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_DATA
HKEY_USERS
pipe\
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gdi32.dll
xntdll.dll
\\.\pipe
awinhttp.dll
%Program Files%\Google\Chrome\Application\chrome.exe
Google Chrome
chrome_exe
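
The three dumps above come from host processes that the report lists among those created during the run: the Windows Search filter host (build tree d:\win7sp1_gdr\, version 7.00.7601.17610), the Google Update crash handler (1.3.33.5) and Chrome 59.0.3071.115 (build tree c:\b\c\b\win_pgo\src\, on-disk path under %Program Files%\Google\Chrome). None of these strings belong to the sample itself. The script below is an added example, not part of the Lavasoft report and not code from Microsoft or Google: it splits a dump in this "<image>_<pid>:" layout into per-process sections, pulls out the string classes that identify an image (PDB and source paths, version, on-disk path, named pipes, registry keys) and flags sections whose debug paths sit under a known vendor build tree, so triage time goes to the dump that does not. The build-tree prefix list, the classifier patterns and the three-block sample excerpt are assumptions made for this example; the unknown.exe block is made up and is not taken from the report.

```python
"""Triage helper for per-process string dumps in the "<image>_<pid>:" layout used above.

Added example, not code from the report or from any vendor. The build-tree prefixes,
the classifier patterns and SAMPLE_DUMP are assumptions made for this example.
"""
import re

# Constructed excerpt in the page's dump layout. The first two blocks are trimmed from
# the kinds of strings shown above; the third is a made-up stand-in for an unknown
# process and is NOT taken from the report.
SAMPLE_DUMP = r"""
SearchFilterHost.exe_2064:

.text
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
SearchFilterHost.pdb
Software\Microsoft\Windows Search\Tracing
7.00.7601.17610

chrome.exe_912:

.text
c:\b\c\b\win_pgo\src\chrome\app\chrome_exe_main_win.cc
C:\b\c\b\win_pgo\src\out\Release\initialexe\chrome.exe.pdb
\\.\pipe\crashpad_%d_
SOFTWARE\Policies\Google\Chrome
59.0.3071.115
%Program Files%\Google\Chrome\Application\chrome.exe

unknown.exe_316:

.text
autorun.inf
[autorun]
"""

# Debug-path prefixes of the vendor build trees seen in this report (assumed list;
# extend it for your own dumps). Compared case-insensitively.
VENDOR_BUILD_PREFIXES = (
    "d:\\win7sp1_gdr\\",            # Windows 7 SP1 GDR build tree
    "c:\\b\\c\\b\\win_pgo\\src\\",  # Chromium official Windows PGO build tree
)

HEADER_RE = re.compile(r"^(?P<image>.+)_(?P<pid>\d+):$")
# First matching classifier wins, so more specific patterns come first.
CLASSIFIERS = (
    ("pdb", re.compile(r"\.pdb$", re.I)),
    ("source", re.compile(r"^[a-z]:\\.+\.(c|cc|cpp|cxx|h|hxx)$", re.I)),
    ("version", re.compile(r"^\d+\.\d+\.\d+(\.\d+)?$")),
    ("pipe", re.compile(r"^\\\\\.\\pipe\\", re.I)),
    ("registry", re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE)\\", re.I)),
    ("image_path", re.compile(r"^(%Program Files%|[a-z]:)\\.+\.exe$", re.I)),
)


def parse_dump(text):
    """Split a dump into {(image, pid): [strings]}, dropping blank lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("image"), int(m.group("pid")))
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def classify(strings):
    """Bucket one section's strings by the first classifier that matches them."""
    buckets = {name: [] for name, _ in CLASSIFIERS}
    for s in strings:
        for name, rx in CLASSIFIERS:
            if rx.search(s):
                buckets[name].append(s)
                break
    return buckets


def vendor_build(buckets):
    """True when any PDB or source path lies under a known vendor build tree."""
    return any(p.lower().startswith(pfx)
               for p in buckets["pdb"] + buckets["source"]
               for pfx in VENDOR_BUILD_PREFIXES)


def triage(text):
    """Return {"<image>_<pid>": {"indicators": buckets, "vendor_build": bool}}."""
    report = {}
    for (image, pid), strings in parse_dump(text).items():
        buckets = classify(strings)
        report[f"{image}_{pid}"] = {"indicators": buckets, "vendor_build": vendor_build(buckets)}
    return report


if __name__ == "__main__":
    for name, entry in triage(SAMPLE_DUMP).items():
        print(f"{name}: {'vendor build tree' if entry['vendor_build'] else 'no known build tree'}")
        for kind, values in entry["indicators"].items():
            for v in values:
                print(f"  {kind:<10} {v}")
```

Two caveats apply when reading the output. A vendor build tree only says what the image is, not that the process is clean: injected code leaves the host's own strings in place, so anything the sample added would sit alongside them, and the pipe, path and registry buckets that do not belong to the product are where to look. And when a PDB name carries no path, as GoogleCrashHandler_unsigned.pdb does above, the prefix check says nothing; fall back to the on-disk path and version string, and verify the image's Authenticode signature on disk rather than trusting strings from memory.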

chrome.exe_904:

(strings identical to the chrome.exe_912 dump above)

chrome.exe_2800:

.text
`.rdata
@.data
.didat
.rsrc
@.reloc
dbghelp.dll
ole32.dll
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
operator
operator ""
?OLEAUT32.dll
POWRPROF.dll
user32.dll
c:\b\c\b\win_pgo\src\chrome\app\chrome_exe_main_win.cc
c:\b\c\b\win_pgo\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
%s: option `%s' is ambiguous (could be `--%s' or `--%s')
%s: invalid option -- `-%c'
%s: argument required for option `
--%s'
0.8.0
%ls (%s) %s
hXXps://crashpad.chromium.org/
hXXps://crashpad.chromium.org/bug/new
Report %ls bugs to
%s home page: <%s>
%ls: %s
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
PlatformFile.UnknownErrors.Windows
c:\b\c\b\win_pgo\src\base\debug\activity_tracker.cc
Histogram: %s recorded %d samples
(flags = 0x%x)
x-x-x-x-2llx
.thunks
.syzygy
TrackedObjects.GetRetiredOrCreateThreadData
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
UMA.PersistentAllocator.
.UsedPct
.Errors
c:\b\c\b\win_pgo\src\base\metrics\persistent_memory_allocator.cc
(%d = %3.1f%%)
Collections of histograms for %s
c:\b\c\b\win_pgo\src\base\metrics\statistics_recorder.cc
UMA.CreatePersistentHistogram.Result
UMA.NegativeSamples.Reason
-Windows NT
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
59.0.3071.115
widevinecdmadapter.dll
c:\b\c\b\win_pgo\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
c:\b\c\b\win_pgo\src\chrome\installer\util\channel_info.cc
iexplore.exe
c:\b\c\b\win_pgo\src\chrome\installer\util\google_chrome_distribution.cc
googlechrome
c:\b\c\b\win_pgo\src\chrome\installer\util\language_selector.cc
c:\b\c\b\win_pgo\src\components\browser_watcher\watcher_client_win.cc
user_experience_metrics.reporting_enabled
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\settings.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc
x-x-x-xx-xxxxxx
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_io_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_io.cc
Crashpad.CrashUpload.AttemptSuccessful
Crashpad.CrashReportSize
Crashpad.CrashReportPending
Crashpad.ExceptionEncountered
Crashpad.HandlerLifetimeMilestone
Crashpad.ExceptionCode.Win
Crashpad.ExceptionCaptureResult
Crashpad.CrashUpload.Skipped
Crashpad.HandlerCrash.ExceptionCode.Win
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\handler_main.cc
requires KEY=VALUE
--annotation=KEY=VALUE set a process annotation in each crash report
--database=PATH store the crash report database at PATH
HANDLE_pipe,
--monitor-self-annotation=KEY=VALUE
--pipe-name=PIPE communicate with the client over PIPE
--url=URL send crash reports to this Breakpad server URL,
--monitor-self-argument=--monitor-self is not supported
has duplicate key
--monitor-self-annotation=%s=%s
pipe-name
--initial-client-data and --pipe-name are incompatible
--initial-client-data or --pipe-name is required
SetProcessShutdownParameters
duplicate key
reserved key
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc
FinishedWritingCrashReport failed
PrepareNewCrashReport failed
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\user_stream_data_source.cc
kernel32.dll
c:\b\c\b\win_pgo\src\sandbox\win\src\sandbox_policy_base.cc
NtOpenKey
NtCreateKey
GetCertificateByHandle
GetCertificateSizeByHandle
GetCertificate
GetCertificateSize
SetOPMSigningKeyAndSequenceNumbers
CreateNamedPipeW
NtOpenKeyEx
PruneCrashReportDatabase: Failed to get pending reports
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc
PruneCrashReportDatabase: Failed to get completed reports
Database Pruning: Failed to remove report
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\crashpad_client_win.cc
\\.\pipe\crashpad_%d_
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\initial_client_data.cc
0x%x,0x%x,0x%x,0x%x,0x%x,0x%I64x,0x%I64x,0x%I64x
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\misc\paths_win.cc
::GetNamedPipeClientProcessId
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc
ConnectNamedPipe
ImpersonateNamedPipeClient
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\session_end_watcher.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc
%s: error 0x%x while retrieving error 0x%x
%s: %s (0x%x)
%s/%s WinHTTP
/%u.%u.%u.%u
Windows_NT/%u.%u.%u.%u (
WinHttpConnect
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
HTTP status %d
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReadData
; filename="%s"%s
Content-Type: %s%s
multipart/form-data; boundary=%s
%%x
--%s%sContent-Disposition: form-data; name="%s"
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc
<failed to retrieve error message (0x%x)>
(0xx)
TransactNamedPipe
TransactNamedPipe: expected
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc
WaitNamedPipe
SetNamedPipeHandleState
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\process_info.cc
Reading x64 process from x86 process not supported
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\critical_section_with_debug_info.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\module_version.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_body_gzip.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_body.cc
%s (%d)
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc
%s.%s,%s,%s
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc
%s %u.%u.%u.%s%s
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_seeker.cc
0x%llx   0x%llx (%s)
C:\b\c\b\win_pgo\src\out\Release\initialexe\chrome.exe.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLB
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$vtableC
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
chrome.exe
SignalChromeElf
SignalInitializeCrashReporting
chrome_elf.dll
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
ADVAPI32.dll
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
PSAPI.DLL
ShellExecuteExW
SHELL32.dll
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
SetProcessWindowStation
USER32.dll
VERSION.dll
WINMM.dll
GetCPInfo
PeekNamedPipe
DisconnectNamedPipe
WaitNamedPipeW
USERENV.dll
WINHTTP.dll
.?AU_Crt_new_delete@std@@
a.IDATx
%F?????????3 
ÿFFFFFFFFFFFFFFF?B%
:1----16
Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12
:BBBBBBBBBB>>-.jdddcccca
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="59.0.3071.115" version="59.0.3071.115" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
012O4|4
5 5$5(5,5
;#;*;4;9;
7#7(7.757:7
? ?$?(?,?0?
00C0i0{0
8-8A8U8i8}8
5 5)5.545;5@5
9#9(9.959:9
< =@=_=~=
5(6/64686<6@6
4 4$4(4,4044484
7|7v7
5%6S6
6\6!8(80888@8
1!4>4"6>6
8 8$8(8,8
lKERNEL32.DLL
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
nchrome_watcher.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Ndebug.log
Kernel32.dll
ntdll.dll
Chrome_MessageWindow
shell32.dll
pepflashplayer.dll
resources.pak
script.log
chrome
chrome_child.dll
chrome.dll
Browse the web
-chromeframe
-chrome
hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1
%d.%d.%d
0.0.0.0-devel
Chrome
${windows}
wtsapi32.dll
advapi32.dll
SOFTWARE\Policies\Google\Chrome
reports
settings.dat
ALPC Port
\Sessions\%d\AppContainerNamedObjects\%ls
sHKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_DATA
HKEY_USERS
pipe\
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gdi32.dll
xntdll.dll
\\.\pipe
awinhttp.dll
%Program Files%\Google\Chrome\Application\chrome.exe
Google Chrome
chrome_exe

chrome.exe_3820:

.text
`.rdata
@.data
.didat
.rsrc
@.reloc
D$,j.Xf
PVSSh
SSh W4
j.Yf;
_tcPVj@
.PjRW
Cv.TBv_-Av%
w.SCv
dbghelp.dll
ole32.dll
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
operator
operator ""
?#%X.y
%S#[k
?OLEAUT32.dll
POWRPROF.dll
user32.dll
c:\b\c\b\win_pgo\src\chrome\app\chrome_exe_main_win.cc
c:\b\c\b\win_pgo\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
%s: option `%s' is ambiguous (could be `--%s' or `--%s')
%s: invalid option -- `-%c'
%s: argument required for option `
--%s'
0.8.0
%ls (%s) %s
hXXps://crashpad.chromium.org/
hXXps://crashpad.chromium.org/bug/new
Report %ls bugs to
%s home page: <%s>
%ls: %s
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
PlatformFile.UnknownErrors.Windows
c:\b\c\b\win_pgo\src\base\debug\activity_tracker.cc
Histogram: %s recorded %d samples
(flags = 0x%x)
x-x-x-x-2llx
.thunks
.syzygy
TrackedObjects.GetRetiredOrCreateThreadData
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
UMA.PersistentAllocator.
.UsedPct
.Errors
c:\b\c\b\win_pgo\src\base\metrics\persistent_memory_allocator.cc
(%d = %3.1f%%)
Collections of histograms for %s
c:\b\c\b\win_pgo\src\base\metrics\statistics_recorder.cc
UMA.CreatePersistentHistogram.Result
UMA.NegativeSamples.Reason
-Windows NT
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
59.0.3071.115
widevinecdmadapter.dll
c:\b\c\b\win_pgo\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
c:\b\c\b\win_pgo\src\chrome\installer\util\channel_info.cc
iexplore.exe
c:\b\c\b\win_pgo\src\chrome\installer\util\google_chrome_distribution.cc
googlechrome
c:\b\c\b\win_pgo\src\chrome\installer\util\language_selector.cc
c:\b\c\b\win_pgo\src\components\browser_watcher\watcher_client_win.cc
user_experience_metrics.reporting_enabled
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\settings.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc
x-x-x-xx-xxxxxx
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_io_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_io.cc
Crashpad.CrashUpload.AttemptSuccessful
Crashpad.CrashReportSize
Crashpad.CrashReportPending
Crashpad.ExceptionEncountered
Crashpad.HandlerLifetimeMilestone
Crashpad.ExceptionCode.Win
Crashpad.ExceptionCaptureResult
Crashpad.CrashUpload.Skipped
Crashpad.HandlerCrash.ExceptionCode.Win
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\handler_main.cc
requires KEY=VALUE
--annotation=KEY=VALUE set a process annotation in each crash report
--database=PATH store the crash report database at PATH
HANDLE_pipe,
--monitor-self-annotation=KEY=VALUE
--pipe-name=PIPE communicate with the client over PIPE
--url=URL send crash reports to this Breakpad server URL,
--monitor-self-argument=--monitor-self is not supported
has duplicate key
--monitor-self-annotation=%s=%s
pipe-name
--initial-client-data and --pipe-name are incompatible
--initial-client-data or --pipe-name is required
SetProcessShutdownParameters
duplicate key
reserved key
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc
FinishedWritingCrashReport failed
PrepareNewCrashReport failed
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\handler\user_stream_data_source.cc
kernel32.dll
c:\b\c\b\win_pgo\src\sandbox\win\src\sandbox_policy_base.cc
NtOpenKey
NtCreateKey
GetCertificateByHandle
GetCertificateSizeByHandle
GetCertificate
GetCertificateSize
SetOPMSigningKeyAndSequenceNumbers
CreateNamedPipeW
NtOpenKeyEx
PruneCrashReportDatabase: Failed to get pending reports
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc
PruneCrashReportDatabase: Failed to get completed reports
Database Pruning: Failed to remove report
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\client\crashpad_client_win.cc
\\.\pipe\crashpad_%d_
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\initial_client_data.cc
0x%x,0x%x,0x%x,0x%x,0x%x,0x%I64x,0x%I64x,0x%I64x
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\misc\paths_win.cc
::GetNamedPipeClientProcessId
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc
ConnectNamedPipe
ImpersonateNamedPipeClient
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\session_end_watcher.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc
%s: error 0x%x while retrieving error 0x%x
%s: %s (0x%x)
%s/%s WinHTTP
/%u.%u.%u.%u
Windows_NT/%u.%u.%u.%u (
WinHttpConnect
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpOpen
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryHeaders
HTTP status %d
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReadData
; filename="%s"%s
Content-Type: %s%s
multipart/form-data; boundary=%s
%%x
--%s%sContent-Disposition: form-data; name="%s"
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc
<failed to retrieve error message (0x%x)>
(0xx)
TransactNamedPipe
TransactNamedPipe: expected
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc
WaitNamedPipe
SetNamedPipeHandleState
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\process_info.cc
Reading x64 process from x86 process not supported
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\critical_section_with_debug_info.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\win\module_version.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_body_gzip.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\net\http_body.cc
%s (%d)
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc
%s.%s,%s,%s
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc
%s %u.%u.%u.%s%s
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc
c:\b\c\b\win_pgo\src\third_party\crashpad\crashpad\util\file\file_seeker.cc
0x%llx   0x%llx (%s)
C:\b\c\b\win_pgo\src\out\Release\initialexe\chrome.exe.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLB
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.cfguard
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$vtableC
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
chrome.exe
SignalChromeElf
SignalInitializeCrashReporting
chrome_elf.dll
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
ADVAPI32.dll
GetWindowsDirectoryW
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
PSAPI.DLL
ShellExecuteExW
SHELL32.dll
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
SetProcessWindowStation
USER32.dll
VERSION.dll
WINMM.dll
GetCPInfo
PeekNamedPipe
DisconnectNamedPipe
WaitNamedPipeW
USERENV.dll
WINHTTP.dll
.?AU_Crt_new_delete@std@@
a.IDATx
%F?????????3 
ÿFFFFFFFFFFFFFFF?B%
:1----16
Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12
:BBBBBBBBBB>>-.jdddcccca
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="59.0.3071.115" version="59.0.3071.115" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
012O4|4
5 5$5(5,5
;#;*;4;9;
7#7(7.757:7
? ?$?(?,?0?
00C0i0{0
8-8A8U8i8}8
5 5)5.545;5@5
9#9(9.959:9
< =@=_=~=
5(6/64686<6@6
4 4$4(4,4044484
7|7v7
5%6S6
6\6!8(80888@8
1!4>4"6>6
8 8$8(8,8
lKERNEL32.DLL
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
nchrome_watcher.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Ndebug.log
Kernel32.dll
ntdll.dll
Chrome_MessageWindow
shell32.dll
pepflashplayer.dll
resources.pak
script.log
chrome
chrome_child.dll
chrome.dll
Browse the web
-chromeframe
-chrome
hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1
%d.%d.%d
0.0.0.0-devel
Chrome
${windows}
wtsapi32.dll
advapi32.dll
SOFTWARE\Policies\Google\Chrome
reports
settings.dat
ALPC Port
\Sessions\%d\AppContainerNamedObjects\%ls
sHKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_DATA
HKEY_USERS
pipe\
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
gdi32.dll
xntdll.dll
\\.\pipe
awinhttp.dll
%Program Files%\Google\Chrome\Application\chrome.exe
Google Chrome
chrome_exe

chrome.exe_3820_rwx_04706000_00076000:

u.SQR

chrome.exe_3820_rwx_04786000_0005A000:

u.SQR

chrome.exe_3820_rwx_07E86000_00079000:

WebK
VWSSShpO;


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:2784
    GoogleUpdate.exe:3384
    GoogleUpdate.exe:2600
    GoogleUpdate.exe:2556
    GoogleUpdate.exe:1860
    GoogleUpdate.exe:560
    GoogleUpdate.exe:3016
    GoogleUpdate.exe:1240
    %original file name%.exe:1760
    chrome.exe:3776
    chrome.exe:140
    chrome.exe:904
    chrome.exe:3680
    chrome.exe:3684
    chrome.exe:240
    chrome.exe:684
    chrome.exe:2800
    chrome.exe:1684
    chrome.exe:3676
    chrome.exe:936
    ._cache_%original file name%.exe:316
    59.0.3071.115_chrome_installer.exe:1388
    setup.exe:1368

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Google\Update\1.3.33.5\goopdateres_en.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdate.dll (49 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_tr.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_fr.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ml.dll (46 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_et.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\psuser.dll (1281 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_de.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_en-GB.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ko.dll (38 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_sr.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdateComRegisterShell64.exe (673 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_lt.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_da.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_es-419.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ca.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\npGoogleUpdate3.dll (4815 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_bn.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\psmachine_64.dll (1281 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_hu.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_es.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdateBroker.exe (601 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_sl.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ja.dll (39 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_sk.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ms.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_el.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdate.exe (673 bytes)
    %Program Files%\Google\Update\1.3.33.5\psmachine.dll (1281 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_th.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_id.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_fa.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_pt-BR.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdateHelper.msi (40 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_te.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_uk.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_kn.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_cs.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_zh-CN.dll (36 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleCrashHandler.exe (1425 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_it.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_tr.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_bg.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_lv.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdate.dll (49 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_pl.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_sw.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ur.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_am.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_no.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdateWebPlugin.exe (601 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_nl.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_mr.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_is.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ro.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_gu.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_zh-TW.dll (36 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdateOnDemand.exe (601 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleCrashHandler64.exe (2105 bytes)
    %Program Files%\Google\Update\1.3.33.5\GoogleUpdateCore.exe (4185 bytes)
    %Program Files%\Google\Update\1.3.33.5\psuser_64.dll (1281 bytes)
    %Program Files%\Google\Update\1.3.31.5 (28 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ta.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_fi.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_hr.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ru.dll (42 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_hi.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_fil.dll (44 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_pt-PT.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_ar.dll (41 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_iw.dll (40 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_sv.dll (43 bytes)
    %Program Files%\Google\Update\1.3.33.5\goopdateres_vi.dll (42 bytes)
    C:\Windows\Temp\guiB96F.tmp (118 bytes)
    %Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\59.0.3071.115\59.0.3071.115_chrome_installer.exe (335720 bytes)
    %Program Files%\Google\Update\Install\{99D26E4D-0150-4928-9F38-079C57715099}\59.0.3071.115_chrome_installer.exe (356565 bytes)
    C:\Windows\System32\config\SOFTWARE (33521 bytes)
    C:\ProgramData\Synaptics\Synaptics.exe (14796 bytes)
    C:\$Directory (96 bytes)
    C:\Windows\System32\config\SOFTWARE.LOG1 (27103 bytes)
    C:\ProgramData\Synaptics\RCX7F1D.tmp (136247 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma (4 bytes)
    %Program Files%\Google\Chrome\Application\59.0.3071.115\chrome_watcher.dll (507 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (221 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log (349 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db-journal (2220 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\be271b16-4967-41d8-b2da-76f04e6519c0.tmp (160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Favicons-journal (3450 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\237913a104effca4_0 (2591 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\LOG (609 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History-journal (13452 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_0 (3767 bytes)
    %Program Files%\Google\Chrome\Application\59.0.3071.115\chrome_elf.dll (434 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (13444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\269f7f45e848c91c_1 (908 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\f9a13a1d-2658-4fbf-aebe-1fb961e492b7.tmp (160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data (2560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOG (621 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BFYFVE9PRD77F8U25LJZ.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\index-dir\temp-index (192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\index.txt.tmp (316 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (618 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (2379 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\04c3cc8d-f783-4544-a1e3-22852d70d998.tmp (160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com.ua_0.indexeddb.leveldb\000003.log (116 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\ced75f65-da8e-415d-89ae-fcdba13848c8.tmp (160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1 (72 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\7f3e5c44-92be-4d21-87f5-813ceec751ee.tmp (644 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\f52eadfc4c4c9939_0 (1478 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\3da63c61c13c216f_0 (3669 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG (495 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\4552cf74d5ebf7e9_0 (1689 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_12807EEA10A7EC60FDD176C775E04F82 (788 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\725f5e67-80d1-4c6f-82c8-38453444be44.tmp (70 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (10458 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\temp-index (5448 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (13896 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (3784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (48460 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (27810 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\cfcee90a-e33f-4a51-9c30-4f3f6edc1f43.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000002.dbtmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f (60 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (20002 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (12178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002 (97 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\7d2a6b99-5993-4e06-9469-f06083020582.tmp (160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TY0EQQ6VKUB6KDMHWS4U.temp (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (33564 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (495 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (7962 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\7df8a1ae1073cc82_0 (3129 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\4301b8f7-af49-43e9-938c-54072ee50286.tmp (160 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log (1017 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012 (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs-journal (8937 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\72691ae0-ae74-4a04-a758-d48446eef2ca.tmp (70 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\03ed3ea933b3eca9_0 (1419 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 (42 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (28456 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (98 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\439c751c-f17f-455e-8e3d-a1b2b901721d\fdf2cfeb8ad0eeac_0 (1811 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\b4e9f0cd8bb23778_1 (968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e (59 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (231 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_sl.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_iw.dll (40 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_vi.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_lt.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_sv.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_zh-TW.dll (36 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_fa.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_nl.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\psmachine.dll (206 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_pl.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_pt-PT.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_fi.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_gu.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdateOnDemand.exe (96 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdate.exe (308 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_th.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_en-GB.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdateBroker.exe (96 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ms.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\psuser.dll (206 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_hr.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ro.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_pt-BR.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ja.dll (39 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_te.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ru.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_fil.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\psuser_64.dll (248 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_kn.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ar.dll (41 bytes)
    %Program Files%\GUM7EB0.tmp\psmachine_64.dll (248 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_et.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_it.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ur.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_am.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_no.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_mr.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ml.dll (46 bytes)
    %Program Files%\GUM7EB0.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_sw.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_es-419.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_cs.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdateCore.exe (838 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ko.dll (38 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_zh-CN.dll (36 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_en.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_de.dll (45 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_sr.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_es.dll (45 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_bg.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_el.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ta.dll (45 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_bn.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_sk.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_is.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_hu.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleCrashHandler.exe (550 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_id.dll (42 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_hi.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_uk.dll (43 bytes)
    %Program Files%\GUT7EB1.tmp (7 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_lv.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_da.dll (43 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_fr.dll (44 bytes)
    %Program Files%\GUM7EB0.tmp\GoogleUpdateHelper.msi (40 bytes)
    %Program Files%\GUM7EB0.tmp\goopdateres_ca.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\SETUP.EX_ (537 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\setup.exe (19563 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CR_6D5E7.tmp\CHROME.PACKED.7Z (51087 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\zh-CN.pak (237 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\vi.pak (326 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\en-GB.pak (237 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sw.pak (241 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\lv.pak (293 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_child.dll.sig (1 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\da.pak (261 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\external_extensions.json (1 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\es-419.pak (282 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\nacl_irt_x86_32.nexe (3 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_elf.dll (430 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\bn.pak (604 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\zh-TW.pak (237 bytes)
    %Program Files%\Google\Chrome\Application\SetupMetrics\a7298fba-db36-40bd-8ad2-a1efe0034a52.tmp (14 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\cs.pak (290 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Extensions\external_extensions.json (99 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\kn.pak (652 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\drive.crx (25 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome.dll (33616 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\gu.pak (568 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\chrome.exe (1 bytes)
    C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ms.pak (217 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\pt-BR.pak (279 bytes)
    %Program Files%\Google\Chrome\Application\54.0.2840.59\VisualElements (4 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (4 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\swiftshader\libglesv2.dll (2 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\59.0.3071.115.manifest (226 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ru.pak (453 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\libegl.dll (86 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\eventlog_provider.dll (12 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\smalllogo.png (7 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sk.pak (300 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\hu.pak (301 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome.exe.sig (1 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ar.pak (393 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\hr.pak (270 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\nb.pak (257 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ko.pak (288 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\resources.pak (16 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\hi.pak (583 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\bg.pak (464 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\docs.crx (4 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fa.pak (406 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\el.pak (512 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\mr.pak (578 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\uk.pak (450 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\it.pak (277 bytes)
    %Program Files%\Google\Chrome\Application\54.0.2840.71\Locales (8 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\pt-PT.pak (284 bytes)
    %Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\chrmstp.exe (8657 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fil.pak (292 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\logocanary.png (22 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\lt.pak (292 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\nacl_irt_x86_64.nexe (4 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\swiftshader\libegl.dll (112 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll.sig (1 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\et.pak (252 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\chrome.7z (272250 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\icudtl.dat (10 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\d3dcompiler_47.dll (3 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fr.pak (304 bytes)
    %Program Files%\Google\Chrome\Application\54.0.2840.71\default_apps (4 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\libglesv2.dll (2 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ml.pak (732 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\youtube.crx (23 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sl.pak (270 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ca.pak (286 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\chrome_installer.log (12861 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\default_apps\gmail.crx (24 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (217 bytes)
    %Program Files%\Google\Chrome\Application\59.0.3071.115\Installer\setup.exe (8657 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ja.pak (340 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\tr.pak (281 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\snapshot_blob.bin (1 bytes)
    %Program Files%\Google\Chrome\Application\54.0.2840.71\VisualElements (4 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\pl.pak (286 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sv.pak (261 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\de.pak (246 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ro.pak (289 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\nl.pak (274 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\he.pak (334 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\th.pak (567 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\logo.png (17 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\manifest.json (950 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\ta.pak (675 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\en-US.pak (237 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\natives_blob.bin (239 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.sig (1 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\sr.pak (432 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\am.pak (398 bytes)
    %Program Files%\Google\Chrome\Application\54.0.2840.59\Locales (8 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\nacl64.exe (6 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_watcher.dll (504 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\es.pak (287 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_100_percent.pak (458 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome.dll.sig (1 bytes)
    %Program Files%\Google\Chrome\Application\54.0.2840.59\default_apps (4 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\fi.pak (267 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\te.pak (629 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\chrome_200_percent.pak (728 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\chrome.VisualElementsManifest.xml (410 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\Locales\id.pak (257 bytes)
    %Program Files%\Google\Chrome\Temp\source1368_32116\Chrome-bin\59.0.3071.115\VisualElements\smalllogocanary.png (7 bytes)
    %Program Files%\Google\Chrome\Application\chrome.exe (7386 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0EMQLVCV.txt (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ALZUFNWE.txt (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_B06F3AB2BEBC83E8764E9B220066791E (1432 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\v86Vgjk.ini (132 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_12807EEA10A7EC60FDD176C775E04F82 (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCX82D6.tmp (137517 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RCX82C5.tmp (137517 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\O18zWu6h.ico (284 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_B06F3AB2BEBC83E8764E9B220066791E (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB674.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\O18zWu6h.exe (5441 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB675.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (624 bytes)
    C:\Users\"%CurrentUserName%"\Downloads\dotNetFx35setup.exe (25426 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synaptics Pointing Device Driver" = "C:\ProgramData\Synaptics\Synaptics.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
