Gen.Trojan.Heur.9y1vqu9UYmi_3a17d7f749
Trojan.Win32.Agent.icgh (Kaspersky), Gen:Trojan.Heur.9y1@vqu9UYmi (B) (Emsisoft), Gen:Trojan.Heur.9y1@vqu9UYmi (AdAware), Trojan.Win32.Swrort.4.FD, mzpefinder_pcap_file.YR, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 3a17d7f749e93b7396ebe46ccdda2b60
SHA1: 5f176f1ea3a30c9e2464730cf93abec638fb9d4b
SHA256: cb6469d715dfdb41d69e9c85a4dfae6f66f7c2fbf0a99bb4a63c32451df29964
SSDeep: 12288:/1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSda8QigvI9zuT:/1/aGLDCM4D8ayGMZo8/nQxvhf5oO
Size: 1010921 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Simple.Company
Created at: no data
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
GoogleUpdate.exe:3896
GoogleUpdate.exe:1796
54.0.2840.71_54.0.2840.59_chrome_updater.exe:560
%original file name%.exe:436
htjtr.exe:2472
setup.exe:1968
setup.exe:600
setup.exe:1280
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:3896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16158 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16304 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{7450580E-9D4A-43A0-ACBD-336C9A6D6735}-54.0.2840.71_54.0.2840.59_chrome_updater.exe (0 bytes)
The process 54.0.2840.71_54.0.2840.59_chrome_updater.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\CR_EDCE3.tmp\CHROME_PATCH.PACKED.7Z (2 bytes)
C:\Windows\Temp\CR_EDCE3.tmp\setup.exe (49 bytes)
C:\Windows\Temp\CR_EDCE3.tmp\SETUP_PATCH.PACKED.7Z (3 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\CR_EDCE3.tmp\CHROME_PATCH.PACKED.7Z (0 bytes)
C:\Windows\Temp\CR_EDCE3.tmp\setup.exe (0 bytes)
C:\Windows\Temp\CR_EDCE3.tmp (0 bytes)
The process %original file name%.exe:436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\htjtr.exe (1019423 bytes)
C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
The process htjtr.exe:2472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\original .exe (1963131 bytes)
C:\config.sys .exe (1963131 bytes)
C:\bootmgr .exe (1963131 bytes)
C:\Boot .exe (1963131 bytes)
C:\Windows .exe (1963131 bytes)
C:\ProgramData .exe (1963131 bytes)
C:\$Recycle.Bin .exe (1963131 bytes)
C:\BOOTSECT.BAK .exe (1963131 bytes)
%Documents and Settings% .exe (1963131 bytes)
C:\%original file name%.exe .exe (1963131 bytes)
C:\totalcmd .exe (1963131 bytes)
C:\Users .exe (1963131 bytes)
C:\XELDZ .exe (1963131 bytes)
C:\autoexec.bat .exe (1963131 bytes)
C:\System Volume Information .exe (1963131 bytes)
C:\marker .exe (1963131 bytes)
%Program Files% .exe (1963131 bytes)
C:\pagefile.sys .exe (1963131 bytes)
The Trojan deletes the following file(s):
C:\Mirax (0 bytes)
C:\Mirat (0 bytes)
C:\Mirav (0 bytes)
C:\Miraw (0 bytes)
C:\Mirap (0 bytes)
C:\Miraq (0 bytes)
C:\Mirar (0 bytes)
C:\Miral (0 bytes)
C:\Miram (0 bytes)
C:\Miran (0 bytes)
C:\Mirao (0 bytes)
C:\Mirai (0 bytes)
C:\Miraj (0 bytes)
C:\Mirak (0 bytes)
C:\Miraf (0 bytes)
C:\Mirag (0 bytes)
C:\Mirab (0 bytes)
The process setup.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
C:\Windows\Temp\CR_EDCE3.tmp\setup.exe (1 bytes)
C:\Windows\Temp\scoped_dir1968_5772\setup_patch.diff (6 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\scoped_dir1968_5772\setup_patch.diff (0 bytes)
C:\Windows\Temp\scoped_dir1968_5772 (0 bytes)
The process setup.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\Crashpad\settings.dat (84 bytes)
The process setup.exe:1280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\chrome.VisualElementsManifest.xml (411 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\kn.pak (1488 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\drive.crx (53 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\gmail.crx (48 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ta.pak (1539 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fa.pak (930 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sv.pak (597 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\snapshot_blob.bin (1375 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\zh-CN.pak (537 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\libglesv2.dll (50 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\chrome_patch.diff (52 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\logo.png (37 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_elf.dll (758 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_watcher.dll (963 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\cs.pak (662 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Extensions\external_extensions.json (103 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\nacl64.exe (54 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\el.pak (1169 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ko.pak (659 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sw.pak (555 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_200_percent.pak (1742 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fake-bidi.pak (808 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\pt-BR.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\nacl_irt_x86_32.nexe (52 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ro.pak (666 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sk.pak (684 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin (4 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_100_percent.pak (1160 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\te.pak (1438 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome.dll (41963 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\external_extensions.json (5 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\92BC.tmp (14 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_child.dll (53736 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (441 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ar.pak (891 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\uk.pak (1023 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\docs.crx (12 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ru.pak (1029 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\nb.pak (588 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ms.pak (504 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\tr.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sr.pak (995 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\pt-PT.pak (645 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\natives_blob.bin (702 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fi.pak (612 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\th.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\en-US.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\hu.pak (692 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\logocanary.png (46 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\54.0.2840.71.manifest (254 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\wow_helper.exe (160 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\en-GB.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\pl.pak (652 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\zh-TW.pak (538 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\am.pak (905 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\smalllogocanary.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\WidevineCdm\manifest.json (954 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ja.pak (777 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\nl.pak (629 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\lv.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\lt.pak (661 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\chrome.exe (1846 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154 (4 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\d3dcompiler_47.dll (52 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ml.pak (1669 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ca.pak (653 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sl.pak (613 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\gu.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\bg.pak (1077 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\it.pak (636 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\id.pak (586 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fil.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\da.pak (596 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\resources.pak (2572 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\hi.pak (1333 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\libegl.dll (187 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (54 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\youtube.crx (47 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fr.pak (700 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\hr.pak (618 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\nacl_irt_x86_64.nexe (53 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\de.pak (570 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\icudtl.dat (59 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\es.pak (660 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\vi.pak (741 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\bn.pak (1383 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\es-419.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\smalllogo.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\mr.pak (1317 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\chrome.7z (279369 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\he.pak (760 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\et.pak (576 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (21970 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Chrome\Temp\source1280_8154\chrome_patch.diff (0 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\wow_helper.exe (0 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\Installer\chrome.7z (0 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154 (0 bytes)
%Program Files%\Google\Chrome\Temp (0 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin (0 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\chrome.exe (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1280_5821 (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1280_28370 (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1280_28370\chrome.VisualElementsManifest.xml (0 bytes)
%Program Files%\Google\Chrome\Temp\scoped_dir_1280_5821\chrome.exe (0 bytes)
Registry activity
The process GoogleUpdate.exe:3896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "7"
"InstallProgressPercent" = "4294967295"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
"PersistedPingTime" = "131221113080140525"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.71"
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateTime" = "1477637733"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
"PersistedPingString" = "
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine" = "%Program Files%\Google\Chrome\Application\chrome.exe"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1477637733"
"LastInstallerError" = "0"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerResult" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"DownloadProgressPercent" = "0"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerError" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResult" = "0"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Google\Update\PersistedPings\{790CEE4C-A10D-431B-B8F9-9BE1B3FF9E95}]
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResultUIString"
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerResult"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerExtraCode1"
"InstallerError"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerError"
"uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerSuccessLaunchCmdLine"
"LastInstallerSuccessLaunchCmdLine"
"InstallerResult"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastInstallerError"
"iid"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"
The process GoogleUpdate.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
"qagentrt.dll,-10" = "System Health Authentication"
"fveui.dll,-843" = "BitLocker Drive Encryption"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process 54.0.2840.71_54.0.2840.59_chrome_updater.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome-full"
The process htjtr.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\htjtr.exe"
The process setup.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerProgress" = "10"
The process setup.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Publisher" = "Google Inc."
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerError" = "2"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Name" = "Google Chrome"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"IsInstalled" = "1"
"Localized Name" = "Google Chrome"
"Version" = "43,0,0,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoModify" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayIcon" = "%Program Files%\Google\Chrome\Application\chrome.exe,0"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "-statsdef_1-multi-chrome-full"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"InstallLocation" = "%Program Files%\Google\Chrome\Application"
"VersionMinor" = "71"
"VersionMajor" = "2840"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UninstallArguments" = " --uninstall --multi-install --system-level"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Version" = "54.0.2840.71"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"(Default)" = "Google Chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe --uninstall --multi-install --chrome --system-level"
[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"Name" = "Google Chrome binaries"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerError" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoRepair" = "1"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"CommandLine" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe --on-os-upgrade --multi-install --chrome --system-level --verbose-logging"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerResult" = "0"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"InstallerProgress" = "21"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"StubPath" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level --multi-install --chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayName" = "Google Chrome"
[HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.71"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-statsdef_1-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayVersion" = "54.0.2840.71"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallArguments" = " --uninstall --multi-install --chrome --system-level"
"UninstallString" = "%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe"
[HKLM\SOFTWARE\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.71"
Dropped PE files
| MD5 | File path |
|---|---|
| 647f87e4a842d4574b3425e14e662ee0 | c:\$Recycle.Bin .exe |
| fae227551dfb89c3fdfb20a59c643f4d | c:\%original file name%.exe .exe |
| f11d718d07fe5ac32effaf9e661fb683 | c:\BOOTSECT.BAK .exe |
| ade775603f1b8aaf84e8c2ec54eb63c0 | c:\Boot .exe |
| 78c8436f43e0af27a27537edac13ae33 | c:\Documents and Settings .exe |
| e4fd0a59a79d203e0b996c80ead0177b | c:\Perl .exe |
| e501d889953a5346a470267dc2766e5b | c:\Program Files .exe |
| 503a8048c5558c4bedb95f5d408280e7 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe |
| 503a8048c5558c4bedb95f5d408280e7 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe |
| 6f4c70c96fedc4e0a79c49d75fb31819 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll |
| 01d6c4d58f79447c38992c6615548cff | c:\Program Files\Google\Chrome\Application\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll |
| 00c36ae47c7e16937834705dda03ef7e | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome.dll |
| 6848d69d5550119ed5e5df9b334b6537 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_child.dll |
| c4b3022907fb6c0748df860dde1e9ee9 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_elf.dll |
| 3d341f7ee28b0bdf8b8cdca3b0ed97c0 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\chrome_watcher.dll |
| 02e034cd47aa9a633f6aaef348dbbba0 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\d3dcompiler_47.dll |
| 98a53cfa1945b99656db4332d89c9328 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\libegl.dll |
| d1df316e69e13e0911ed19c80e8500c8 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\libglesv2.dll |
| a99fb676e5eb1393bb241fde05843127 | c:\Program Files\Google\Chrome\Application\54.0.2840.71\nacl64.exe |
| ab3d3d17ad0174384c0088d397388558 | c:\Program Files\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe |
| ab3d3d17ad0174384c0088d397388558 | c:\Program Files\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe |
| 0b56ef9ccf7344521357ec9903166d77 | c:\ProgramData .exe |
| 2549139ceeb2c40c2ea0aeb04527d833 | c:\ProgramData\Saaaalamm\Mira.h |
| 4fa4219bb06898c6e77ef039be042c00 | c:\ProgramData\htjtr.exe |
| 124492e816a2329fa02b2bb4a493933b | c:\System Volume Information .exe |
| 95056d1607a4fa393db596797ca5226d | c:\Users .exe |
| 2549139ceeb2c40c2ea0aeb04527d833 | c:\Users\All Users\Saaaalamm\Mira.h |
| 4fa4219bb06898c6e77ef039be042c00 | c:\Users\All Users\htjtr.exe |
| d7226a5c87ea487d5de15de20441cc5b | c:\Windows .exe |
| 503a8048c5558c4bedb95f5d408280e7 | c:\Windows\Temp\CR_EDCE3.tmp\setup.exe |
| 81c169790e46818db990dc1bd091bd35 | c:\XELDZ .exe |
| 01364db7a70caba82fc7bcb0e091fb29 | c:\autoexec.bat .exe |
| 165974ab84e79f5246e664aa5075d05e | c:\bootmgr .exe |
| 77383fe1d57247991320187d33fac9ad | c:\config.sys .exe |
| 5b5ace062f6b4ca5ea41c2fdcd125497 | c:\marker .exe |
| 3dfe6d56eff0bda0ac8211f798e910ee | c:\original .exe |
| 8ba9f545446aff089ea22d882bd9e26d | c:\pagefile.sys .exe |
| 24d4bccc8c68bc6a8d30c25286bd36ef | c:\totalcmd .exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: Mira Malware
Product Version: 1.0.0.155
Legal Copyright: Microsoft Corporation
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.155
File Description: Mira Malware
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 245368 | 245760 | 4.21465 | 8b164ac8ef3742f37830dc1842275667 |
| .data | 249856 | 608 | 1024 | 0.488703 | 6fda88cf7188a8245a53dfde927250fd |
| .rdata | 253952 | 9384 | 9728 | 3.47165 | dbe852009dbd077a9976cb0ecfb9aadf |
| .bss | 266240 | 18576 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 286720 | 2212 | 2560 | 2.97703 | 5e5242c565219f3bd33a6568632559dc |
| .rsrc | 290816 | 758300 | 750825 | 4.91659 | dea1187baa7fb90d7fdcd223546b2953 |
Dropped from:
2291ef522c5abb39601b0a4bb382ba4b
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://redirector.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe | |
| hxxp://r2.sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 | |
| hxxp://r2---sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 | |
| tools.google.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
HEAD /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2377080
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=0-9255
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 9256
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 0-9255/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=9256-22548
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 13293
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 9256-22548/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=22549-36774
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 14226
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 22549-36774/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=36775-56075
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 19301
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 36775-56075/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=56076-74902
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 18827
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 56076-74902/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=74903-117401
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 42499
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 74903-117401/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=117402-207341
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 89940
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 117402-207341/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=207342-383042
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 175701
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 207342-383042/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=383043-723329
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 340287
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 383043-723329/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=723330-1433967
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 710638
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 723330-1433967/2377080
Connection: keep-alive
GET /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 20 Oct 2016 09:56:47 GMT
Range: bytes=1433968-2377079
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: r2---sn-2puapox-ig3l.gvt1.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 943112
Content-Type: application/octet-stream
Etag: "1013e5"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Thu, 27 Oct 2016 07:27:47 GMT
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
Last-Modified: Thu, 20 Oct 2016 09:56:47 GMT
Content-Range: bytes 1433968-2377079/2377080
Connection: keep-alive
HEAD /edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
X-GoogleUpdate-Interactivity: bg
Host: redirector.gvt1.com
HTTP/1.1 302 Found
Date: Fri, 28 Oct 2016 06:54:28 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r2---sn-2puapox-ig3l.gvt1.com/edgedl/release2/9liqmqrgqfa7ez02glv729167mt3kbx8m7ksxfuuazw7up69ddgu8ol2axd13ipv75z76n27nysxd400sfjvpanesqdmeqaa7ho/54.0.2840.71_54.0.2840.59_chrome_updater.exe?cms_redirect=yes&expire=1477652068&ip=194.242.96.218&ipbits=0&mm=28&mn=sn-2puapox-ig3l&ms=nvh&mt=1477637602&mv=m&pl=23&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=76A824BC258E6BBE49F5D44886985E9FAD966387.409F26E8AF241FF5933D677ACDE73D49A6304020&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 734
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
The Trojan connects to the servers at the following location(s):
.text
`.data
.rdata
@.bss
.idata
C:\ProgramData\htjtr.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows
Operating System
%H:%M:%S
%m/%d/%y
-0123456789
%s:%u: failed assertion `%s'
RegCloseKey
RegOpenKeyA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
SearchProtocolHost.exe_2320:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
SearchFilterHost.exe_2400:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
WMIADAP.EXE_2328:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
wbemcomn.dll
OLEAUT32.dll
ole32.dll
loadperf.dll
FEw.AEw]FEw
`.bik
PSSSSSSh
WMIADAP.exe
?CloseSubKey@CRegistry@@AAEXXZ
?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z
?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QAEKXZ
?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z
?GetLongestSubKeySize@CRegistry@@QAEKXZ
?GethKey@CRegistry@@QAEPAUHKEY__@@XZ
?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z
?NextSubKey@CRegistry@@QAEKXZ
?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z
?OpenSubKey@CRegistry@@AAEKXZ
?RewindSubKeys@CRegistry@@QAEXXZ
?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKQAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z
?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z
?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z
?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z
?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z
?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z
QSSh0
Invalid parameter passed to C runtime function.
ntdll.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyW
RegDeleteKeyW
RegQueryInfoKeyW
_amsg_exit
_acmdln
?Report@CEventLog@@QAEHGKVCInsertionString@@000000000@Z
WMIADAP.pdb
<assemblyIdentity version="1.0.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
5m6z6
%s_x
%s_x_
Global\WMI_SysEvent_Semaphore_%d
WinMSGWMIADAP
\\.\root\cimv2
WMIADAP Msg window
\\.\root\wmi
PSAPI.DLL
x=%s
Describes all the counters supported via WMI Hi-Performance providers
_new.ini
xx %s%s.ini
xx %s
\\.\ROOT\cimv2:__ClassProviderRegistration.provider="\\\\.\\root\\cimv2:__Win32Provider.Name=\"WmiPerfClass\""
WmiApRes.dll
%s\%s
6.1.7600.16385 (win7_rtm.090713-1255)
wmicookr.dll
Windows
Operating System
6.1.7600.16385
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:3896
GoogleUpdate.exe:1796
54.0.2840.71_54.0.2840.59_chrome_updater.exe:560
%original file name%.exe:436
htjtr.exe:2472
setup.exe:1968
setup.exe:600
setup.exe:1280
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\54.0.2840.71\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16158 bytes)
%Program Files%\Google\Update\Install\{4BE97E2F-B4A3-41A5-8B1D-EB58A7D5FCB4}\54.0.2840.71_54.0.2840.59_chrome_updater.exe (16304 bytes)
C:\Windows\Temp\CR_EDCE3.tmp\CHROME_PATCH.PACKED.7Z (2 bytes)
C:\Windows\Temp\CR_EDCE3.tmp\setup.exe (49 bytes)
C:\Windows\Temp\CR_EDCE3.tmp\SETUP_PATCH.PACKED.7Z (3 bytes)
C:\ProgramData\htjtr.exe (1019423 bytes)
C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
C:\original .exe (1963131 bytes)
C:\config.sys .exe (1963131 bytes)
C:\bootmgr .exe (1963131 bytes)
C:\Boot .exe (1963131 bytes)
C:\Windows .exe (1963131 bytes)
C:\ProgramData .exe (1963131 bytes)
C:\$Recycle.Bin .exe (1963131 bytes)
C:\BOOTSECT.BAK .exe (1963131 bytes)
%Documents and Settings% .exe (1963131 bytes)
C:\%original file name%.exe .exe (1963131 bytes)
C:\totalcmd .exe (1963131 bytes)
C:\Users .exe (1963131 bytes)
C:\XELDZ .exe (1963131 bytes)
C:\autoexec.bat .exe (1963131 bytes)
C:\System Volume Information .exe (1963131 bytes)
C:\marker .exe (1963131 bytes)
%Program Files% .exe (1963131 bytes)
C:\pagefile.sys .exe (1963131 bytes)
C:\Windows\Temp\Crashpad\settings.dat (80 bytes)
C:\Windows\Temp\scoped_dir1968_5772\setup_patch.diff (6 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\chrome.VisualElementsManifest.xml (411 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\kn.pak (1488 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\drive.crx (53 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\gmail.crx (48 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ta.pak (1539 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fa.pak (930 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sv.pak (597 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\snapshot_blob.bin (1375 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\zh-CN.pak (537 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\libglesv2.dll (50 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\chrome_patch.diff (52 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\logo.png (37 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_elf.dll (758 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_watcher.dll (963 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\cs.pak (662 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Extensions\external_extensions.json (103 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\nacl64.exe (54 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\el.pak (1169 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ko.pak (659 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sw.pak (555 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_200_percent.pak (1742 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fake-bidi.pak (808 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\pt-BR.pak (636 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\nacl_irt_x86_32.nexe (52 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ro.pak (666 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sk.pak (684 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_100_percent.pak (1160 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\te.pak (1438 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome.dll (41963 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\external_extensions.json (5 bytes)
%Program Files%\Google\Chrome\Application\SetupMetrics\92BC.tmp (14 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\chrome_child.dll (53736 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll (441 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ar.pak (891 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\uk.pak (1023 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\docs.crx (12 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ru.pak (1029 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\nb.pak (588 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ms.pak (504 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\tr.pak (645 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sr.pak (995 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\pt-PT.pak (645 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\chrmstp.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\natives_blob.bin (702 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fi.pak (612 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\th.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\en-US.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\hu.pak (692 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\logocanary.png (46 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\54.0.2840.71.manifest (254 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\wow_helper.exe (160 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\en-GB.pak (539 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\pl.pak (652 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\zh-TW.pak (538 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\am.pak (905 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\smalllogocanary.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\WidevineCdm\manifest.json (954 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ja.pak (777 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\nl.pak (629 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\lv.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\lt.pak (661 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\chrome.exe (1846 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\d3dcompiler_47.dll (52 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ml.pak (1669 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\ca.pak (653 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\sl.pak (613 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\gu.pak (1294 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\bg.pak (1077 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\it.pak (636 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\Installer\setup.exe (24778 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\id.pak (586 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fil.pak (667 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\da.pak (596 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\resources.pak (2572 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\hi.pak (1333 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\libegl.dll (187 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\WidevineCdm\_platform_specific\win_x86\widevinecdm.dll (54 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (6 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\default_apps\youtube.crx (47 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\fr.pak (700 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\hr.pak (618 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\nacl_irt_x86_64.nexe (53 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\de.pak (570 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\icudtl.dat (59 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\es.pak (660 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\vi.pak (741 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\bn.pak (1383 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\es-419.pak (651 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\VisualElements\smalllogo.png (15 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\mr.pak (1317 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\chrome.7z (279369 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\he.pak (760 bytes)
%Program Files%\Google\Chrome\Temp\source1280_8154\Chrome-bin\54.0.2840.71\Locales\et.pak (576 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (21970 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\htjtr.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.