Trojan.Win32.Occamy.C_09b97501d8

Trojan.GenericKD.30978676 (BitDefender), Trojan:Win32/Occamy.C (Microsoft), UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.GenericKD.30978676 (B) (Emsisoft), RDN/Generic.hra (McAfee), Trojan.Ge...
Blog rating:1.4 out of5 with5 ratings

Trojan.Win32.Occamy.C_09b97501d8

by malwarelabrobot on June 20th, 2018 in Malware Descriptions.

Trojan.GenericKD.30978676 (BitDefender), Trojan:Win32/Occamy.C (Microsoft), UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.GenericKD.30978676 (B) (Emsisoft), RDN/Generic.hra (McAfee), Trojan.Gen.2 (Symantec), Trojan.Win32.Delf (Ikarus), Trojan.GenericKD.30978676 (FSecure), FileRepMalware (AVG), TROJ_GEN.R001C0OFI18 (TrendMicro), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 09b97501d8777df33d50444adac89d7f
SHA1: 02c47451d444270128e640e07296d6d56ee6db93
SHA256: acbd648478f3e9e07838d2ae673636ffae83ae07afcbb46452976e298f19e5c9
SSDeep: 6144:Gh4gI5zUXCAcBlfaocp9BqTtHDgWM15lMZwrtCPKUfghsxxYee4ngW:EszUXxTXqTtHDfw5lKwrMgyUeQ
Size: 359424 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2018-06-14 15:32:02
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:3636
GoogleUpdate.exe:4072
GoogleUpdate.exe:4000
GoogleUpdate.exe:2028
GoogleUpdate.exe:3968
GoogleUpdate.exe:2104
GoogleUpdateSetup.exe:3960

The Trojan injects its code into the following process(es):

UI0Detect.exe:2100
UI0Detect.exe:348
%original file name%.exe:3512

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:3636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\Install\{CF016442-2328-4BE4-98CF-A6376FF2041E}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{7061BA61-2DEA-4324-B19A-618F9629C500}-GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)

The process GoogleUpdate.exe:4000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\GUM7BF2.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)

The process GoogleUpdateSetup.exe:3960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUM7BF2.tmp (32 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM7BF2.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM7BF2.tmp\psuser.dll (206 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUT7BF3.tmp (7 bytes)
%Program Files%\GUM7BF2.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM7BF2.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM7BF2.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ja.dll (39 bytes)

The Trojan deletes the following file(s):

%Program Files%\GUM7BF2.tmp (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\psuser.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUT7BF3.tmp (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_et.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_sv.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM7BF2.tmp\goopdateres_ja.dll (0 bytes)

The process %original file name%.exe:3512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\libeay32.dll (1 bytes)
C:\ssleay32.dll (270 bytes)

Registry activity

The process GoogleUpdate.exe:3636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Google\Update\PersistedPings\{C7308E9A-E4B1-419E-80EC-46E4D9AB22D8}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529305202"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529305202"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{9CF11127-11C8-4E04-9D8F-DDCD9C778EF1}]
"PersistedPingTime" = "131738538422076277"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529305202"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{9CF11127-11C8-4E04-9D8F-DDCD9C778EF1}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529380249"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{CCAAC543-2FB5-4062-8F02-C17AA4709D7D}"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529305202"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ping_freshness" = "{A13D262A-37E6-4694-8D28-842BAA0188DB}"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{DCDD284F-6960-43FD-8355-9434A2B966D2}"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529380249"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{C7308E9A-E4B1-419E-80EC-46E4D9AB22D8}]
"PersistedPingTime" = "131738538498204411"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529305202"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{9CF11127-11C8-4E04-9D8F-DDCD9C778EF1}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{C7308E9A-E4B1-419E-80EC-46E4D9AB22D8}]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"

[HKLM\SOFTWARE\Google\Update]
"old-uid"
"LastInstallerError"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"

[HKLM\SOFTWARE\Google\Update]
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

The process GoogleUpdate.exe:4072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"

[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"

[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"

[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"

[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:4000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{84A0A230-7F21-4867-AEED-21E0CD52C860}]
"PersistedPingTime" = "131738538946081198"

[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{84A0A230-7F21-4867-AEED-21E0CD52C860}]
"PersistedPingString" = ""

[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1529380294"

[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.17"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1529380294"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\Update\1.3.31.5,"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"

[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{84A0A230-7F21-4867-AEED-21E0CD52C860}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"

[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"

[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"

[HKLM\SOFTWARE\Google\Update]
"ui"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"

[HKLM\SOFTWARE\Google\Update]
"mi"

The process GoogleUpdate.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"

[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"

[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"

[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"

[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"

[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"

[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}]
"(Default)" = "PSFactoryBuffer"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process %original file name%.exe:3512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"09b97501d8777df33d50444adac89d7f" = "c:\%original file name%.exe"

Dropped PE files

MD5 File path
6c718849d436a7ccebed72538f8bd04b c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler.exe
d2f56e366f1cb26866a6f43bd53b46c3 c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler64.exe
92ee791a630830452485e8e375f8db35 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdate.exe
8171211b809414b6d8a8e4f6ea8cf140 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateBroker.exe
03b587bfaf6dd67b330ccb6fb99ca59a c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe
678dd73ca364411bcf431892b8f878da c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateCore.exe
96e08eb0d929c279536bdbbc543da8fb c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateSetup.exe
063ca1017835923689c4957562ea2862 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe
463a426da94fc2418a713ceebb799e22 c:\Program Files\Google\Update\1.3.33.17\goopdate.dll
e433408ca45786f9b6b7873709f57eba c:\Program Files\Google\Update\1.3.33.17\goopdateres_am.dll
9d85c8517de4db2380aa14593d8a899a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ar.dll
f376765117f5b82123ec1f4fd352fb9c c:\Program Files\Google\Update\1.3.33.17\goopdateres_bg.dll
4a5e2fac15b93b43a2ee673e2e111478 c:\Program Files\Google\Update\1.3.33.17\goopdateres_bn.dll
230fe7b526bde7aff33b616618a8d05a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ca.dll
9b598c6a4d3d9586f93feca20f51da70 c:\Program Files\Google\Update\1.3.33.17\goopdateres_cs.dll
b1bd2d1889f42f20aeac5f1998d8b21b c:\Program Files\Google\Update\1.3.33.17\goopdateres_da.dll
e5ea4068551b3ac782d955a699222067 c:\Program Files\Google\Update\1.3.33.17\goopdateres_de.dll
68cf3b8fef6b56cd583e8c30ae8ca563 c:\Program Files\Google\Update\1.3.33.17\goopdateres_el.dll
2087af32c82c00e32094ae86dcf35607 c:\Program Files\Google\Update\1.3.33.17\goopdateres_en-GB.dll
9c2a3eec41cd4effd6ffecaa910dd7da c:\Program Files\Google\Update\1.3.33.17\goopdateres_en.dll
7c7c2b897c7107e910eab8b669c93738 c:\Program Files\Google\Update\1.3.33.17\goopdateres_es-419.dll
73ccbf92e13acc6389bb9f7dd04935b6 c:\Program Files\Google\Update\1.3.33.17\goopdateres_es.dll
a2cb2c0b126c87336bc2b29a3e995dc5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_et.dll
1d688c7571f047a36b585d810e02067f c:\Program Files\Google\Update\1.3.33.17\goopdateres_fa.dll
81f8d0fbff693910fedc808047cdf156 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fi.dll
6cec555d88a69bdb910188c2b53b19a3 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fil.dll
598294ce0043943aa4cc04edc139e6c8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fr.dll
7d3a8a7aec219fcbecacd04f1ad66053 c:\Program Files\Google\Update\1.3.33.17\goopdateres_gu.dll
0a9a7354a95c559a4093f24fff784911 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hi.dll
de931037c2f487efa900aa6590cac9e0 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hr.dll
456664b46a1948b0df8785bd5b87f858 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hu.dll
43a73db8674c025026ed4cad9359a574 c:\Program Files\Google\Update\1.3.33.17\goopdateres_id.dll
5e609c7d0ab38fa244949da75da04a1b c:\Program Files\Google\Update\1.3.33.17\goopdateres_is.dll
d002a3352574a6e6999a6f2c23566745 c:\Program Files\Google\Update\1.3.33.17\goopdateres_it.dll
ffef2d63908222cacee0e40c138d5986 c:\Program Files\Google\Update\1.3.33.17\goopdateres_iw.dll
b71ff4a60875f30db7e492d4806f0c92 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ja.dll
c6a1c2e334df66970a03b30539757f36 c:\Program Files\Google\Update\1.3.33.17\goopdateres_kn.dll
fb58fffc04f44137610caae567cfaf6a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ko.dll
3b033e1092474acd6b7cfcf01a999d34 c:\Program Files\Google\Update\1.3.33.17\goopdateres_lt.dll
3b00a99d877881ba0fc786fdd8e3b426 c:\Program Files\Google\Update\1.3.33.17\goopdateres_lv.dll
157bf7b8eca4bc66d5c7fb3e358d5c58 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ml.dll
7c864e8d77ebe0bc8451ade4f67f68b3 c:\Program Files\Google\Update\1.3.33.17\goopdateres_mr.dll
225c45af996ebf983800025ea32f6c18 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ms.dll
2b04cd187acac2019e13195a3cc53a31 c:\Program Files\Google\Update\1.3.33.17\goopdateres_nl.dll
38651bcc330768d3e74763452a8e46e2 c:\Program Files\Google\Update\1.3.33.17\goopdateres_no.dll
531e1fca96b1cc6dfbb74c2e96d990c7 c:\Program Files\Google\Update\1.3.33.17\goopdateres_pl.dll
237642b8bddfe765e073a3aa6c29ca0a c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-BR.dll
298f4f2bd4e7b962615bcf0ed3d673ca c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-PT.dll
ea1ef744fb8ba02148b362adeac70952 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ro.dll
774b5644ad40e4d3863d81a7d30d4fae c:\Program Files\Google\Update\1.3.33.17\goopdateres_ru.dll
6ffd62c9d080288bcc95816afd018048 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sk.dll
d7b41237faca93b3d0666e4fd38092b8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sl.dll
25bbd03fc02f7daa9168dce7dfaef624 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sr.dll
e645c5eb4401b5e443a9744fc141b2f5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sv.dll
2f111d7785bfcd6b4228df0cdf353407 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sw.dll
8bb63ae799037b02a89c42408abf755a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ta.dll
2f40316ac456b383c58be478daf69ce9 c:\Program Files\Google\Update\1.3.33.17\goopdateres_te.dll
cdc5e8fdba12f79c056bcf3085335ac5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_th.dll
811ac46d616f94ae885175863e0ce95d c:\Program Files\Google\Update\1.3.33.17\goopdateres_tr.dll
23725511dd277f08993bbfbaf27123c1 c:\Program Files\Google\Update\1.3.33.17\goopdateres_uk.dll
3edc8f630a94d57674097194540a9f6a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ur.dll
baff2a81498cb67c560d443e96153060 c:\Program Files\Google\Update\1.3.33.17\goopdateres_vi.dll
6c2d04d599eb5b4549653d030d9d6550 c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-CN.dll
f66719fb333de285e6edd1fd20e0edf8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-TW.dll
671e1e25f6f08809863bb9aed544e70e c:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll
cca7a6b6c2bce1e8af12a95f69c4cc8f c:\Program Files\Google\Update\1.3.33.17\psmachine.dll
edad26bca1696d23ecb9dc3ab48fd551 c:\Program Files\Google\Update\1.3.33.17\psmachine_64.dll
c2762290bb2ece339d4c63f7a8a6acc8 c:\Program Files\Google\Update\1.3.33.17\psuser.dll
58b48e4352559d4d76776377fde5df0c c:\Program Files\Google\Update\1.3.33.17\psuser_64.dll
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\Install\{CF016442-2328-4BE4-98CF-A6376FF2041E}\GoogleUpdateSetup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ZocDoC
Product Name: Compilingmicrosoft Friends
Product Version: 7.4.49.147
Legal Copyright: Copyright (c) ZocDoC
Legal Trademarks: Copyright (c) ZocDoC
Original Filename: Compilingmicrosoft Friends.exe
Internal Name: Compilingmicrosoft Friends
File Version:
File Description: Dnating Firmware Risky Distinction
Comments: Dnating Firmware Risky Distinction
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 442368 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 446464 303104 302080 5.46468 030d5c6ff5ff87678339e13962430ba2
.rsrc 749568 57344 56320 4.27468 23b060d595c8e9b4f1f61cd0dd922409

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://tools.l.google.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe
hxxp://r5.sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529380160&mv=m&pcm2cms=yes&pl=24&shardbypass=yes
hxxp://smart.cloudnetwork.kz/t 37.1.218.68
hxxp://smart.cloudnetwork.kz/fd/libeay32.dll 37.1.218.68
hxxp://r5---sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529380160&mv=m&pcm2cms=yes&pl=24&shardbypass=yes 80.91.179.80
hxxp://redirector.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe 172.217.21.238
update.googleapis.com 172.217.21.227
tools.google.com 172.217.21.238


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:3636
    GoogleUpdate.exe:4072
    GoogleUpdate.exe:4000
    GoogleUpdate.exe:2028
    GoogleUpdate.exe:3968
    GoogleUpdate.exe:2104
    GoogleUpdateSetup.exe:3960

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Google\Update\Install\{CF016442-2328-4BE4-98CF-A6376FF2041E}\GoogleUpdateSetup.exe (7596 bytes)
    %Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
    %Program Files%\GUM7BF2.tmp\goopdate.dll (49 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
    %Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_en.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.31.5 (28 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_nl.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_kn.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_da.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_no.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_sr.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ta.dll (45 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ro.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ru.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleCrashHandler.exe (550 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_mr.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_zh-CN.dll (36 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_bg.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_lv.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_zh-TW.dll (36 bytes)
    %Program Files%\GUM7BF2.tmp\psuser.dll (206 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_it.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_am.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_pl.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_sw.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_gu.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_vi.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_pt-BR.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_iw.dll (40 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ar.dll (41 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdateCore.exe (838 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_tr.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_pt-PT.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_sl.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_hr.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_fi.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_fil.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_lt.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_sv.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_en-GB.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ca.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_is.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\psuser_64.dll (248 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_te.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_es-419.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_et.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdateOnDemand.exe (96 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_hi.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_id.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_th.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_de.dll (45 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ko.dll (38 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_fa.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdateHelper.msi (40 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_uk.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_cs.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdateBroker.exe (96 bytes)
    %Program Files%\GUT7BF3.tmp (7 bytes)
    %Program Files%\GUM7BF2.tmp\psmachine.dll (206 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_es.dll (45 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_hu.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ur.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ml.dll (46 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_bn.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_sk.dll (43 bytes)
    %Program Files%\GUM7BF2.tmp\psmachine_64.dll (248 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ms.dll (42 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_fr.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\GoogleUpdate.exe (308 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_el.dll (44 bytes)
    %Program Files%\GUM7BF2.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files%\GUM7BF2.tmp\goopdateres_ja.dll (39 bytes)
    C:\libeay32.dll (1 bytes)
    C:\ssleay32.dll (270 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "09b97501d8777df33d50444adac89d7f" = "c:\%original file name%.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Average: 1.4 (5 votes)

x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now