Gen.Variant.Adware.Graftor.174400_b56e5dbd20

by malwarelabrobot on May 20th, 2015 in Malware Descriptions.

not-a-virus:AdWare.NSIS.Rocketfuel.a (Kaspersky), Gen:Variant.Adware.Graftor.174400 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: b56e5dbd20d532e6ffd1cabbbc17ee0f
SHA1: 5f44a71c979843add1e9ac0dcbb3baf101a593e0
SHA256: 8e2393f6bd55fa706a097f99cb603e4cc518307a3316ad703ce0948dd0dd3782
SSDeep: 6144:NSlBaLRnuP3flEpFHP6b617gcbBy2NxxIH4TYeNB6wG0QPaqHoJLZIuKBL86RbGz:XBuPPlEp1i2dD42lIYPYyiKWuSYM
Size: 400992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:52:06
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:2596
GoogleUpdate.exe:1732
GoogleUpdate.exe:2636
GoogleUpdate.exe:1612
GoogleUpdate.exe:1604
GoogleUpdate.exe:1748
GoogleUpdate.exe:1916
GoogleUpdateSetup.exe:2660
%original file name%.exe:1372
GoogleUpdateComRegisterShell64.exe:976
GoogleUpdateComRegisterShell64.exe:1664
GoogleUpdateComRegisterShell64.exe:1020

The Trojan injects its code into the following process(es):

setup.exe:1512

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:2596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_it.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll (72 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll (77 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe (1738 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll (32380 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll (69 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (40 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll (1954 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateHelper.msi (90 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_no.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_is.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll (71 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\psuser_64.dll (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll (12490 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_te.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_th.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe (21970 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe (4210 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_et.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_da.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll (79 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdate.dll (49 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_id.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_am.dll (78 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe (3778 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_de.dll (86 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_el.dll (80 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.26.9 (28 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll (79 bytes)
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll (87 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll (79 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe (1738 bytes)
%Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll (71 bytes)

The process GoogleUpdate.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe (8278 bytes)
%Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe (7345 bytes)

The process GoogleUpdateSetup.exe:2660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\GUMEE34.tmp\goopdateres_gu.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_vi.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_nl.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateBroker.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fa.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-CN.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ja.dll (35 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_cs.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_is.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_kn.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateComRegisterShell64.exe (127 bytes)
%Program Files% (x86)\GUTEE35.tmp (6 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ar.dll (37 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ta.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_lt.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdate.exe (291 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ro.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ru.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_am.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateWebPlugin.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_en-GB.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-TW.dll (33 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateOnDemand.exe (88 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_th.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_tr.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_es-419.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateSetup.exe (7345 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fil.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_da.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sv.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_uk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp (28 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sk.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_no.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pl.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_el.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_sw.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_id.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-BR.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_fi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ms.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_et.dll (38 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_te.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler.exe (244 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_it.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ur.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psmachine_64.dll (213 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_de.dll (41 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_iw.dll (36 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_mr.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_bg.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-PT.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdate.dll (2632 bytes)
%Program Files% (x86)\GUMEE34.tmp\GoogleUpdateHelper.msi (45 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hu.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\psuser.dll (183 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ml.dll (42 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_hi.dll (39 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ca.dll (40 bytes)
%Program Files% (x86)\GUMEE34.tmp\goopdateres_ko.dll (35 bytes)

The process setup.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2858020935-2156992550-3658131804-1003\d16af8aafb8de36166d078029ced25a7_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)

The process %original file name%.exe:1372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFD.tmp (28110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe (38152 bytes)

Registry activity

The process GoogleUpdate.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"UninstallCmdLine" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe /uninstall"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "0"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
"Description" = "Google Update"

[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Path" = "%Program Files% (x86)\Google\Update\GoogleUpdate.exe"

[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1431987791"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files% (x86)\Google\Update\1.3.25.11, , \??\%Program Files% (x86)\Google\Update\1.3.26.9,"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files% (x86)\Google\Update\1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.27.5"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1431987791"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"Version" = "1.3.27.5"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
"Path" = "%Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\Google.Update3WebControl.3]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]

The Trojan deletes the following value(s) in system registry:

[HKCR\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version"
"Description"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"ui"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"

[HKCR\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"mi"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Vendor"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"eulaaccepted"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"

[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastCodeRedCheck"

The process GoogleUpdate.exe:1732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"

[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"

[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"

[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\Wow6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
[HKCR\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"DayOfLastRollCall" = "3059"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastCheckSuccess" = "1431987755"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked" = "1431987755"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"pv" = "35.0.1916.153"

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"pv" = "35.0.1916.153"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "3059"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.26.9"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1431932400"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "3059"
"ActivePingDayStartSec" = "1431932400"

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
"StateValue" = "17"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "3059"
"DayOfLastRollCall" = "3059"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "3059"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "35.0.1916.153"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
[HKCU\Software\Classes\Local Settings\MuiCache\2C]
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableSince"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerResult"
"old-uid"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"dr"

[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"

The process GoogleUpdate.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"

[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"

[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"

[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"

[HKCR\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"

[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-3000"

[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"

[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\Wow6432Node\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Wow6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"

[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Wow6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"

[HKCR\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Wow6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe"

[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe"

[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Wow6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll"

[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\Wow6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Wow6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Wow6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\Wow6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll,-1004"

[HKCR\Wow6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"

[HKCR\Wow6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Wow6432Node\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"

[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

The Trojan deletes the following registry key(s):

[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\Wow6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "1"
"LastStartedAU" = "1431987720"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1916 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"

The process setup.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "35 2A 3F 0E B9 91 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionTime" = "35 2A 3F 0E B9 91 D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDecisionReason" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AAB62F56-1F12-4B3C-A0EE-A1324874AB51}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process GoogleUpdateComRegisterShell64.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{2CD26C3A-654C-4E82-9EEC-E15D26223057}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{2CD26C3A-654C-4E82-9EEC-E15D26223057}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]

The process GoogleUpdateComRegisterShell64.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets in the system registry exactly the same values as listed above for the process GoogleUpdateComRegisterShell64.exe:976 (the HKCR\Interface and HKCR\CLSID entries registering the psmachine_64.dll proxy/stub factory {2CD26C3A-654C-4E82-9EEC-E15D26223057} and the Google Update COM interfaces).

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}\InprocHandler32]
[HKCR\CLSID\{53AA8AFA-807E-4272-87D9-BBA51A9DB376}]

The process GoogleUpdateComRegisterShell64.exe:1020 makes changes in the system registry.
The Trojan creates and/or sets in the system registry exactly the same values as listed above for the process GoogleUpdateComRegisterShell64.exe:976 (the HKCR\Interface and HKCR\CLSID entries registering the psmachine_64.dll proxy/stub factory {2CD26C3A-654C-4E82-9EEC-E15D26223057} and the Google Update COM interfaces).

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]

Dropped PE files

MD5 File path
8715a0d10cffc8dee923957f07daa042 c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe
6509a96dae25340772b51ac020cb1094 c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe
0c03fb91e17987eed93f60007b08daa0 c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe
f6eee6848e933962e12e7b3f25c73c88 c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe
bb3045b399d898061b926b447c446e05 c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe
6732c4a894855042fd3618406b6bbd48 c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe
c990a8ead57da59fa8156cc02d3b7da5 c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe
0894890f30b5f6510df953bc50b5504f c:\Program Files (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe
4cfe6eeb44d35c7b16693a97fbc9f368 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdate.dll
08171157668eebd2383e90eaf3f66aad c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_am.dll
b5a2589dd3e5b934c78c9ab1954532dd c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll
083956adf99f8cd0b36b54c93c291c1e c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll
9bea43ecb11038854eb939256534a669 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll
1bd2127c632d783af6d7fc49110b1d1f c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll
7e6aa753aebbf36337fa46b78065a8ef c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll
48123d9de5a24e6f846811d1818f42dc c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_da.dll
fd6598856e573171379298199c143226 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_de.dll
c39b9a29db403893453dcb4a2878db75 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_el.dll
2a364ab5881dbc31c4cdc33205c900eb c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll
3028318db29c2fca86e04287c8a96031 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_en.dll
8d5a00c850396ebb5a6f14fbc74871d9 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll
b012247e999e95741a3b243b1cc8fdfa c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_es.dll
0ace6ee20ea149fd959683659f484f0f c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_et.dll
0bb0f6e59d10c7b8443aa22c40574652 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll
531969a054efb1a5169eb3677c2a2410 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll
6bc91c70751ca456a654ac2e3050175a c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll
11e2c5cc166267d15f281201e67ba2db c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll
4dd7ee4a31e6052e519114f87bd568b8 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll
29575adcaee9c75deb47275b2fa85e71 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll
dd843413bfeeab35e355d2201cd0eaf9 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll
7806d33bfb2248fd52dbd423b10f1247 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll
6d4c1b29f1c1f422b679e71147a1dbac c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_id.dll
fe92c90570e92759eb023b7994cf9564 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_is.dll
9ac94b9c2c8887be459072761c48087d c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_it.dll
6db01ce7229e0362b6e8cfb86cf1dc8b c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll
b6c29a9f24b655407711bbccd9aa3723 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll
29c4cde0af7453930c8897a4fad83701 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll
3a162d9c713982cd20db33b6ed58e517 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll
160f03c5e0369b60d58e40754a54ba00 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll
fc3bca51a30f97d5737c3776ba6d0b24 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll
e2c5957d2d671779d73ad8abc49ba015 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll
d0413005ee471c2cb310bab1fafb33d3 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll
5835d491f5746b9abbccbdad2cc88f8f c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll
f8f1f2f2de104fb727627e2efa4b5e92 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll
c85cee926d55d376126f62b9d577b583 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_no.dll
3353610afe5ad1f3cbf6160927628a87 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll
453f3fa552533ff685d139fc5a27f380 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll
114d38b5e740311753ddff9ad9410aa7 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll
192b5b83c0d13613e3d832f79a9236dc c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll
beab86068645905a26bed2bb524470ae c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll
de812a532f35b968817b412b34c1563b c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll
4587fd7664101020cf94201451b8ddb0 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll
57509f1bcd90517078c31d6e05bcb994 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll
52d5f3a506c6a1a4c25859b55a53d908 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll
1bd1a95b13f7eba37dc042f05c224ae6 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll
e012e9ce832b2ced0e69ee3049306f89 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll
4aad678fcafff8ba048fbd31c83ea147 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_te.dll
3cdc681a91d505114dd057961b6907c2 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_th.dll
5719ba1c9893f442c391c99c365ba15b c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll
047aa0679b6cdf0a9ae2e04d8bab4d08 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll
6d6868d750c3d1c9e1febf5c5925ce1b c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll
5e1759e2c88d986697c93a378cc1e1f0 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll
a79ef631a2196025016902b1538f1098 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll
7662e0146b639a3bbdb7422e07e53b08 c:\Program Files (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll
08aceceb47faf053c468d8afe44709ad c:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll
f593a6d82c5334be5626f3b9ce8130f3 c:\Program Files (x86)\Google\Update\1.3.27.5\psmachine.dll
113cd27882e9d2f3199bb2390ac48f3d c:\Program Files (x86)\Google\Update\1.3.27.5\psmachine_64.dll
997726d70e3a8fc1dc81f2a0dd52810a c:\Program Files (x86)\Google\Update\1.3.27.5\psuser.dll
b5780847a26ec6d002f69bc718ffd0d6 c:\Program Files (x86)\Google\Update\1.3.27.5\psuser_64.dll
c990a8ead57da59fa8156cc02d3b7da5 c:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe
c990a8ead57da59fa8156cc02d3b7da5 c:\Program Files (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe
5bc24d29ed088faafc207ba3f21aad73 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.11.5
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.11.5
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.4603 c3953c262c50b3d94af076321878ec20
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 253848 1024 3.25977 8304967a23ff32b1b0197005a845ef83
.ndata 290816 262144 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 552960 26136 26624 2.67301 dfcf6ccc6b472eb48939df4b862563ac

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
2445cbe7f7512a037c2ee2d2406e9940

URLs

URL IP
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=84211eed-2475-4dd6-99b9-c6179b9932ec
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628=
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=014c656e-070c-42e4-a618-0b7cd62f7000
hxxp://inst.vertitechnologygroup.com/consent/json/188?nexcb=167f6d1d-be93-4e51-a9cc-3010c16127bb
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=842ff0c4-2308-4356-945b-9611b5868b15
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83
hxxp://tools.l.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe
hxxp://r8.sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U=
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.43.139.27
hxxp://r8---sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 46.28.246.83
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= 23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83 87.245.221.97
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= 23.43.139.27
hxxp://cache.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe 216.58.209.174
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 87.245.221.98
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 87.245.221.98
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 87.245.221.98
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= 23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc 87.245.221.97
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 87.245.221.98
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= 23.43.139.27
tools.google.com 216.58.209.174
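
Most of the URL table above is certificate-validation traffic that Windows generates when the signed Google Update installer runs: CRL downloads from crl.microsoft.com, the authroot and disallowed-certificate trust lists from ctldl.windowsupdate.com, and OCSP checks against ocsp.verisign.com, whose GET paths are base64-encoded DER OCSPRequest structures (RFC 6960). Decoding them recovers the hash algorithm, issuer name hash, issuer key hash and serial number of the certificate being checked, which can be matched against the installer's signing chain, and whatever is left after that triage is the traffic worth a second look: the installer download from the Google CDN and the nexcb beacons to inst.vertitechnologygroup.com. The Python below is an added example and not part of the Lavasoft report: it walks the DER by hand (no third-party library), classifies a constructed subset of the table, and uses its own function and variable names throughout.

```python
import base64
import urllib.parse

# Constructed sample: a subset of the "URL IP" table above, one "<url> [<ip>]" per line.
# The page defangs http as hxxp; the scheme is restored before parsing.
SAMPLE_URL_TABLE = """\
hxxp://inst.vertitechnologygroup.com/evt/?nexcb=84211eed-2475-4dd6-99b9-c6179b9932ec
hxxp://inst.vertitechnologygroup.com/consent/json/188?nexcb=167f6d1d-be93-4e51-a9cc-3010c16127bb
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.43.139.27
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 87.245.221.98
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83 87.245.221.97
hxxp://cache.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe 216.58.209.174
"""

HASH_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
}


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_ocsp_get_path(path):
    """Decode the base64 DER OCSPRequest carried in an RFC 6960 GET path.

    Walks OCSPRequest -> TBSRequest -> requestList -> Request -> CertID and
    returns the CertID fields; raises ValueError if the path is not such a request.
    """
    raw = base64.b64decode(urllib.parse.unquote(path.lstrip("/")), validate=True)
    tag, ocsp_request, _ = der_read(raw, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tbs_request = der_children(ocsp_request)[0][1]
    # TBSRequest may start with [0] version and [1] requestorName; requestList is the
    # first plain SEQUENCE.
    request_list = next(v for t, v in der_children(tbs_request) if t == 0x30)
    request = der_children(request_list)[0][1]
    cert_id = der_children(request)[0][1]
    alg, name_hash, key_hash, serial = der_children(cert_id)
    if (alg[0], name_hash[0], key_hash[0], serial[0]) != (0x30, 0x04, 0x04, 0x02):
        raise ValueError("unexpected CertID layout")
    oid = der_children(alg[1])[0][1]
    return {
        "hash_alg": HASH_OIDS.get(oid, oid.hex()),
        "issuer_name_hash": name_hash[1].hex(),   # hash of the issuer's DER-encoded DN
        "issuer_key_hash": key_hash[1].hex(),     # hash of the issuer's public key bits
        "serial": serial[1].hex(),                # serial of the certificate being checked
    }


def classify_url(url):
    """Label one table entry: ocsp / crl / ctl are certificate-validation noise."""
    parts = urllib.parse.urlsplit(url.replace("hxxp://", "http://", 1))
    try:
        return parts.hostname, "ocsp", decode_ocsp_get_path(parts.path)
    except (ValueError, IndexError, StopIteration):
        pass
    path = parts.path.lower()
    if path.endswith(".crl"):
        return parts.hostname, "crl", None
    if "/trustedr/" in path and path.endswith(".cab"):
        return parts.hostname, "ctl", None
    return parts.hostname, "other", None


def triage(table_text):
    """Parse "<url> [<ip>]" lines into records with host, kind and any decoded CertID."""
    records = []
    for line in table_text.splitlines():
        if not line.strip():
            continue
        url, _, ip = line.strip().partition(" ")
        host, kind, cert_id = classify_url(url)
        records.append({"url": url, "host": host, "ip": ip or None,
                        "kind": kind, "certid": cert_id})
    return records


def unexplained_hosts(records):
    """Hosts left once revocation and trust-list traffic is set aside: the ones to look at."""
    return sorted({r["host"] for r in records if r["kind"] == "other"})


if __name__ == "__main__":
    for r in triage(SAMPLE_URL_TABLE):
        print(r["kind"], r["host"], r["certid"]["serial"] if r["certid"] else "")
```

The issuer hashes are SHA-1 here because the hashAlgorithm in every request on this page is 1.3.14.3.2.26; the issuer key hash is the value to compare with the Subject Key Identifier of the CA that signed the installer. Any of the other ocsp.verisign.com paths in the table can be passed to decode_ocsp_get_path directly.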


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

HEAD /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 931408
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0



GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=0-8794
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 8795
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 0-8794/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........K...*...*..
.*...x_..*...xa..*...x^..*...{_..*...][..*..s.u..*...*...*...xe..*...*
)..*...]`..*..Rich.*..................PE..L....xDU.................&..
.........T.......@....@..........................`......X.....@.......
..........................d...x........Q..............P<...@.......
A..8...............................@............@.....................
..........text...}$.......&.................. ..`[email protected]...
*..............@[email protected]...`[email protected].
......R..................@[email protected].......@[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
................................................t.......A......A......
hs4A.. o..Y..............U...}..........j.j.j..H..E.P..(AA..U...E...t$
...t....t..."t...Pt...hW.....h......][email protected]@A...u....@A.
............N...^.U..SW....WS...AA...tDVP..,AA.....t'WS...AA..U.......
v.;.s.....4F...Ju.;.r.3...3.f9..D...^_[][email protected].
V.....|...Y_^.U..QSVW.....A.j..}..Q...3...C..t<...j..G....Pj.V...AA
...t..u......2...Y..u.S...A........C..u.3._^[..]......y....8.A.t..y..t
..q... AA..U...u.j..q....@A.]...U...}..t..u.j..q....@A.]...U...U..

<<< skipped >>>
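
The installer is fetched by BITS (User-Agent: Microsoft BITS/7.5) as a series of Range requests answered with 206 Partial Content, so a capture holds the file only as ordered chunks, and the ET SHELLCODE alert under IDS verdicts is the kind of match a byte-pattern signature produces on the x86 code of a cleartext PE transfer. The way to confirm what was actually delivered is to reassemble the chunks and hash the result against the dropped GoogleUpdateSetup.exe (MD5 c990a8ead57da59fa8156cc02d3b7da5 in the dropped-file list). The Python below is an added example and not part of the Lavasoft report: it validates each 206 response (Content-Range against Content-Length and the body size), stitches the chunks in order, reports gaps instead of hiding them, only hashes a complete file, and checks that the result carries an MZ/PE header. Because the page prints only a preview of each body, the sample responses are constructed from the page's Content-Range values with filler bodies and a minimal fake PE header, so the sample's hash will not match the real installer; all names are the example's own.

```python
import hashlib
import re

CONTENT_RANGE = re.compile(r"^Content-Range:\s*bytes\s+(\d+)-(\d+)/(\d+|\*)\s*$", re.I | re.M)
CONTENT_LENGTH = re.compile(r"^Content-Length:\s*(\d+)\s*$", re.I | re.M)

# The Content-Range values of the 206 responses shown in the Traffic section.
PAGE_RANGES = [(0, 8794), (8795, 21861), (21862, 37948), (37949, 59919),
               (59920, 81823), (81824, 127857), (127858, 222054)]
PAGE_TOTAL = 931408


def _fake_pe_prefix(size):
    """Constructed stand-in for the first chunk: a minimal MZ/PE header, zero padded.
    This is not the real installer; the page only prints a preview of its bytes."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew: PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def build_sample_responses(ranges=PAGE_RANGES, total=PAGE_TOTAL):
    """Constructed 206 responses mirroring the page's headers; bodies are filler of the right size."""
    responses = []
    for i, (start, end) in enumerate(ranges):
        size = end - start + 1
        headers = ("HTTP/1.1 206 Partial Content\r\n"
                   f"Content-Length: {size}\r\n"
                   "Content-Type: application/x-msdos-program\r\n"
                   f"Content-Range: bytes {start}-{end}/{total}\r\n\r\n")
        body = _fake_pe_prefix(size) if i == 0 else bytes([0x90]) * size
        responses.append((headers, body))
    return responses


def parse_chunk(headers, body):
    """Check one 206 response: Content-Range, Content-Length and body length must agree."""
    m = CONTENT_RANGE.search(headers)
    if not m:
        raise ValueError("no Content-Range header")
    start, end = int(m.group(1)), int(m.group(2))
    total = None if m.group(3) == "*" else int(m.group(3))
    size = end - start + 1
    cl = CONTENT_LENGTH.search(headers)
    if cl and int(cl.group(1)) != size:
        raise ValueError(f"Content-Length {cl.group(1)} does not match range size {size}")
    if len(body) != size:
        raise ValueError(f"body is {len(body)} bytes but the range covers {size}")
    return start, end, total, body


def reassemble(responses):
    """Stitch range responses back into one file and report every gap instead of hiding it."""
    chunks = sorted((parse_chunk(h, b) for h, b in responses), key=lambda c: c[0])
    total = next((t for _, _, t, _ in chunks if t is not None), None)
    data, gaps, pos = bytearray(), [], 0
    for start, end, _, body in chunks:
        if start < pos:
            raise ValueError(f"range starting at {start} overlaps data already seen")
        if start > pos:
            gaps.append((pos, start - 1))
            data.extend(b"\x00" * (start - pos))    # keep file offsets valid across a gap
        data.extend(body)
        pos = end + 1
    if total is not None and pos < total:
        gaps.append((pos, total - 1))
    complete = total is not None and pos == total and not gaps
    return {
        "total": total,
        "covered": sum(len(b) for _, _, _, b in chunks),
        "gaps": gaps,
        "complete": complete,
        # Only hash a complete file: a partial hash can never match the dropped-file MD5.
        "md5": hashlib.md5(data).hexdigest() if complete else None,
        "data": bytes(data),
    }


def looks_like_pe(data):
    """True if the bytes start with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    result = reassemble(build_sample_responses())
    print(f"{result['covered']}/{result['total']} bytes, gaps={result['gaps']}, "
          f"pe={looks_like_pe(result['data'])}, md5={result['md5']}")
```

Run against the seven ranges on this page the result is 222055 of 931408 bytes with one gap (the tail the report does not show), so no hash is produced; with every chunk of a real capture present, the MD5 is the value to compare with the dropped file.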

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=8795-21861
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 13067
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 8795-21861/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
..]...hW.........V..W.....P..V....:.|.;[email protected]'.F
..G..F...E....Q.F.PQ.G.P.U........_^.......U..Q.U..M..M..4......M...tI
...SV.Y.3.QQQQPSQj...(@A..M...V. ...3.RRVP.E....QSRj...(@A..M.V.e...3.
^@[..]...U...U.V....x ..3.A H..@. ...}.R.........^]...hW.........h....
......U..V.u.W....9q..Oq..y..~.V...5....-.I.;.}&.....@~............ ..
...;..L.Q...l..._^]...U..Q..SVW.8.E..O.._....P..u...j.V.....E...t4;..L
.F..6RW.p.RV......E..O.....X..<....E._.0^[..]....:....U..V.u.W.....
....9r.}...~...j.VR.P...t......_^].........U..V.u.W....9q..Oq..y..~.V.
..5....-.I.;.}&.....@~............ .....;..L.Q...p..._^]...U..QQ..S.E.
V..W.K..s..u....P..}...j.W.....E...t4;..L..p.GWSWV......M.....E..A..K.
.D....E._.0^[..]....B....U..V.u.W.........9r.}...~...j.VR.P...t......_
^].........U...M..E.P.u..v...].U..QQ.M.V.=...P.M.......u..............
.......g.......tuSW..>.M.W................u...u.3...V..T..Y@PVWS.}.
..P.h.......M.W......u._[.~..t .M..E..E..E.PV.p....e...N..<...^..].
h.@....hW.........U..QQSVW............W..S....Y..........u.3...V..S..Y
..0.U....M...te.>.t!..:.tG..u.F..V..tAA..M....>.u..U.3.8..D.....
t2.. .;.r*SWV.N}.......t..>.u.F...U...V..tAA....U...3....._^[..].U.
..........A.3..E.S.][email protected][email protected]
[email protected]._...SV.W........YY......W.}....M._^3.[..V....]...h
[email protected][email protected]...
u.....u4.u....@A..}...t.W..R..Y...M.VW......u...<AA._^..]....l....U
....\..SVW....U..S...jD3.S.p..E..u.P.c`..3..}.........E.P..<@A.

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=21862-37948
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 16087
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 21862-37948/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
..:....U..E...3.B3...FA.>\t..>"u3...u..}..t..F..8"u.....3.3.9E..
...E.....I..t...\G....u.....tA9M.u.< t8<.t4..t*...P.4#..Y..t...t
.....GF......G....t.F....F.o.....t....G...-....U._^[..t.."..E...]..=T.
A..u......V.5`.A.W3...u.........<=t.GV.)#..FY......u..G.j.P........
=x.A.YY..t..5`.A.S.>.t>V.."...>=Y.X.t"j.S.s.....YY..t@VSP.{".
......uH......>.u..5`.A.V......%`.A...'.3...X.A.....Y[_^..5x.A.....
..%x.A.......3.PPPPP. ....j.. ...Y...t.j......Y..u..=..A..u.h.....1...
h.....'...YY.U...M.3.;[email protected].].....BA.].U...........A.3..E.V.
u.WV.......Y....y...Sj......Y.........j......Y..u..=..A...............
.A...h.LA.h....h..A..."[email protected].
h.LA.Vh..A..`".............h..A..."..@Y..<v5h..A..."..j.h.LA...El.A
...-..A... .VQ..".............h.LA.h.......A.V..!.............Wh....V.
w!.......u}h. ..h.LA.V.."[email protected]
.A......r.S.......].P......P.. ..YP......PV..D@A.[.M._3.^.|$....].SSSS
S......U...E....A.].U...E...x!...~....u.....A.......A....A...]..'.....
............].U......e...e.....A.VW.N.@......;.t...t......A..f.E.P..T@
[email protected]@[email protected].;[email protected]...
..G...........A.......A._^..].VW...A....A.......t......;.r._^.VW...A..
..A.......t......;.r._^[email protected]
P .P..FVWPP..(@A..E...t7P.......Y..t*3.PP.u.SVWPP..(@A...u.S.....Y3.W.
.\@A.....W..\@A.3.[^_..].U.....A.3...A.t..u...].].%[email protected]..
u.t...]....@A.].U.....A.3...A..u.t...]...|@A.].U.....A.3...A..u..u

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=37949-59919
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 21971
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 37949-59919/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
......3..}.j......Y!}.j.^.u.;5..A.}[email protected].}.
...|)...A...... [email protected]..$..F...E...................
}[email protected].......=..A..YYu.j......Yh.........Y
].U....$...j...k....t.j.Y.)...A.....A.....A.....A..5..A..=..A.f....A.f
....A.f....A.f....A.f.%..A.f.-|.A......A..E....A..E....A..E....A......
.....A........A....A.....A.........A.........A.....j.Xk......A.....j.X
k......A..L..j.X.......A..L..h.|A........].j.h..A.........A.95..A.t*j.
.-...Y.e..Vh..A......YY...A..E................j..g...Y...Q.L$. .......
...Y.Z%..Q.L$. ..........Y.D%....u.f.....f.n.f.`.f.a.f.p..SQ.......ux.
.......t0f...f..A.f..A [email protected]`f..Ap......Ku...t7.....t...
.I.f....I.Ku....t......t.f.~..I.Ju....t...AKu.X[...... .R.....t...AJu.
...t.f.~..I.Ku.Z.^...U...%..A.....S3.C....A.j...i......L...3.....A.3..
.V.5..A.W.}......._..O..W..E..M..E...ineI.E.5ntel.5..A....E.5Genu....j
...X..j.Y....._..O..W..M..M.tC.E.%.?..=....t#=`...t.=p...t.=P...t.=`..
.t.=p...u..=..A.....=..A....=..A..}..|5j.3..u.X.......5..A..X..H..M..P
..E......t.....=..A...3.......tM.......A......5..A.......t2......t*...
....A......5..A.. t... ....A......5..A._^3.[..].U..3...9E.v..M.f9.t.@.
..;E.r.].j.h..A..(...3..u..}....u..}......................;=D.A.......
......E..............A...D.....trW.."..Y.u..E......A..D...t(W..#..YP..
[email protected][email protected].............!.}..u.W
..#..Y.............L............j.h8.A..?...3..]..u....u..`...........
..................;5D.A.........................A...D8....u.......

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=59920-81823
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 21904
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 59920-81823/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
..@..$...@..([email protected][email protected][email protected].#[email protected].#..G..F
[email protected].#..G..F..G..F.....G............V.....
[email protected]...@...@...@...@...@...@...@[email protected]
...D...D...D...D...D...D...D..............$...@...$.@.,.@.<[email protected].@..
D$.^_...F..G..D$.^_..I..F..G..F..G..D$.^_...F..G..F..G..F..G..D$.^_...
$....W.....................te..$.....f.o.f.oN.f.oV f.o^0f...f..O.f..W
[email protected]`[email protected]`f...p............Ju...tO......
.t.......f.o.f....v....Ju....t*.....t......v....Iu......t.....FGIu....
...X^_...$.............. . .Q.......t.....FGIu....t......v....Hu.Y....
.............U..W.=..A.........}.ww..U........f.n...p..........#......
.3...o.f...f.t.f.t.f...#.u.f...#.........E.........Sf...#...3. .#.I#.
[........D._....U...t93.......t....;..D...t G......u.f.n....f.:[email protected].
..B.u._.......#.f...f.t......#........f...#[email protected].....
....}.3...............E.......8.t.3......_..U...U.V.u.W.z...u......j.^
.0.0...........}[email protected]"....0S.^.....~.....t.
[email protected]..?5|.....0H.89t....>1u..B...S.....@PSV..
......3.[_^].U..QQ.E.SVW..x.......P...........................}....E..
.t.......t....<...%......!..u...u..E.!P.!.f.x..X...<..3.....M...
..............E..]..s.....x&........................y..}..}..E..s...f.
{._^[..].U....0...A.3..E..E.S.].V.E..E.WP.E.P.....YY.E.Pj.j.....u.....
f..Z....u..C...E.....E..C..E.P.u.V.......$..u..M..._.s.3.^[.......].3.
PP...q.......f..ye.].....3.......E..}.B.}..U.t.G.M.......M..m..E..

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=81824-127857
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 46034
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 81824-127857/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
......................................................................
......................................................................
.................. ...................................................
......................................................................
......................................................................
.................................................................... .
. . . . . . . .(.(.(.(.(. . . . . . . . . . . . . . . . . . .H.......
......................................................................
......................................................................
.......................................... . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .................................
......................................................................
......................................................................
......................................................................
......................................................................
.............................................. !"#$%&'()* ,-./01234567
89:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvw
xyz{|}~...............................................................
......................................................................
......................................................................
......................................................................
................ !"#$%&'()* ,-./0123456789:;<=>?@ABCDEFGHIJK

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1

Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=127858-222054
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 94197
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 127858-222054/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
....=......2?.....$,z..Tq.......N..|.3..,k........l.....8p...|........
..9.d.u<uX.....{........;._....b..6p.'V......N{..xJG..h......I..[ .
........*.W...s.'.n1DE..NKs.S.d.>..3.".......0.....W0|....K..g. g..
.U...7...@...]4.&.~....AH...4...T.e..8p.!.#...7M.....sEj.....'.Y.F. .y
_*..>m.0.`..@.;.s......d...F...m.y.....K...)"_.~>....w......{%..
b..l..s...Y...k.k6....2..v~......b...k.;...tth...;!...iOua~..pR/......
[O7....}.[.*.....}Y.....7..j..:.-vi.....F.<lA.aI...E .F1g..2..n....
.....]...C....\.W...........F...z.<e....Va{}..|.b..]9k...S,..S...w.
.).........R.P.......{.)..WR.&f.FLB8.. ]3$...EfvF7f..c..!..}.S.i.....;
....BcZ..Y.T.....)..o......." ...9..v....'....$B.."*5.y@..~Nn....L ..w
...,...,N^....pP..|...z...M_..A.OW.PU......"...i...$.....n.9.!........
BT..... ...^U.hbJ..}...)...eJ?e.....d...SQ.....Dz.>.....#...,P....D
..c....g.0.L.5$....A..#.....Xw.5...=..*E.... i.......n.Az`.Y...r.N/..z
.S. .U...P.`C.c.S^..K.Oz..[r..T.;6.....:B2.u[....}...(1.....$.......P.
.u..-.y........v....A.$(nao.......H.h=.lR^.....Gm.. qD...'..O....N.X..
....3..j.?.4n..O..=H...P?w.7K.....Y..`...U.9.\...a..Z%............@...
;.r...7.%..q>%.Z.....(Y..@...&W35 0.a...|..7'q...#.P.z..u%..j...(..
q.. .f.z....m /V4?...c.....Uh.....Z,.eV..2....'.....B2...t(B.PY~br..u.
..bM'}.O8.pN`.v-#a...o6L......g.../.v.!...e.4G4.}.k....c..........b..,
V{...qY.P.$e.5.....W..(. /-...;..5.kEZ.l...P...4......$@D-&..JY.....V|
.`25gC:...h....p..][email protected](Y3.......W.u....&....G-...ci..Z.:...
9.k......u].Y..Q..%.W;V......2... &......$.L..<....:M.|.......k

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=222055-411151
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 189097
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 222055-411151/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
.6,.LE'[email protected]..'C/:.911.....PD.."<]!.hpv..G..~8n.&.......
.......E..n~..$)?...nU.;l...HBu..0=Q.\...H$]>0B............j......,
...G..V..k}..y../.......2......)..1.W..P..".&y..R.f..G.......p.>T9.
.....?...Z/..tl.sn...^*...J.........z.=>..A?>..4|.G.....6.4R..&g
t;...9SW...n.J*.........\]..v..!...J}......A..4... Rm.'...E...~Z4io.".
{.^:.%..j.>. .j`^.,.0..Ix.7.E....lKY.A..[.;K...Y.ZD.s.2. _X.nM.....
.O..F.>.#..B..&d}.BL......Y..3U.#..;..>........k......w.....hM..
.V.%....o...........N....>7.4.....Bxl....Y....&_.`.x.R.).F..T...s..
>.S_.'5Y.*...v..|.`>.f.7.6GG....XZ....bD8....Pj....#...6.....<
;.Z....Y..nWX... }....e..(N.......Q^.......6~.zSa>..`.@8......&...
.*..O....jmvC...%.;.{R..W1..6..a.q:...h.u.Y..mq..[......G>s......F.
.w....J._.1..F|....m..i...d........|v3.n....?T..G...r./. .I,..P....n..
S.j-.}..Z.Z.x.O..l.sen.L.../.bb)7........B..2..l..m..M.......;.....Cc.
K..l.'$...9C.C#.od..tc..%....p,B[b...:RJ....G..T..1.'......5p..a...-\(
...........&....m...|....x.&0V.b..>o...dM.H..5v.tP.....w.2j.]jZL0.,
..D......SDR.m.Y.^.\],...;...o..Y.ME._R.d(}...%...d.g..:J.........D../
.?....|.}7R. .......Xma..9..<;........6..g...$V.....A......T.,.....
!.-_:..G%.ID./..-.|.k..... ........z..D?N...F. @{..o....G....U:..G....
....rM....jh*rce-..]......J.M-.. ...h..fx.t.].....qq......F...HY.)...
.....p.......8p........4G..t.Q.q...!..]..R.<&=A..[.O..[I..63.2.p...
=}a..h'..Y......:/.4.......I.m....J.....DJI...D.m..d.FM....^.......8sS
m#2o.c.|0.f.....".W.....SR.v....R0.J:....x.K.`0.o../....$...b:[z..

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=411152-789699
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 378548
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 411152-789699/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
/.....bba.............Q....c.T..I0. ..>j...<... .~...A.$.T6`.W.d
....sV...0Y.k...<q..olE....N......F.mXk.q...]Gjl...U.Z<.F..4.R..
....)`..v...@...:..E..G..^: ......<.4............t. =c.h.?.MT.o...<
...r..) 7J.p...D. ..)gn;[...-..}...w........u.d@..;.s.....'...n.}lm
@../L..MZ |..\..&d......=.z...#7......#...L...c..*............/..=~.'.
.=.'B\3R.?ol..|kH.Bm.Ck.]......N...S...3.......:.U.y@....=.........B..
(.. E.U..JO=P..y....m......Q...t8q.,.*D.w2.......F...G.....I..Z...7 .c
?...~....=.....j*..I.H.j..I.*..5e..jS.f.I.M..5..........Z._.......Wjs.
q....|I..4.P......F.....Ej.8=....O...FM.. .To.u....".]..[.|........_.P
...y....9.'....r....J .Z...PF...C..^..[.....}J.>.k'.>.~kjT.....0
....... ...TX..?D..e....HXPG.T{Y..L]..^..f.8.>J[,..x.G....l.|.c.IpJ
.. .~... ..c..}.W...vW..4..:M..&7w.H4.o.".J...yY..>,.....7...nh.$..
U......<...:..5_.......`o...}{...H...'c.X.1_ei4...a.[.._..9e.......
.....q..p$..i.b.....A.kzt...r. ....o.h.[yaK.(.v.6...F...M.<?..;)i..
.8JPh..-.....V.}F.?L.y<.@.....@E..[......]-.......{....2S!X...'.|R.
...QM3 ........<-../..Y.S}.....]h....g<.._j(.P...Zk.......8c..QD
rP2'...D.-...j..m@..."..,..'.z.4j.V.. .....y..k......y..1........!:5..
?|.'.a....f......z.\........./..]r.:u"|&.TWa.v.#..N.\.6I.Y...-........
.,[email protected]../.(....*..=.:...N.z...'.D....<@.F....=..s8:<.
.....).^l....I......N).. .......-..t../...:.WFH.f.....U.f=...BgK..nK|.
.y..... 1...vzQ...n.T.z..J....r.N...s...4 .....$../.O...{nxT..j..v..L.
..#.:1......4n.."!....#a..r:.EQ....y=..dj........y..w.m.d...E.1...

<<< skipped >>>

GET /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Mon, 04 May 2015 16:39:00 GMT
Range: bytes=789700-931407
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r8---sn-2apm-f5fd.c.pack.google.com


HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 141708
Content-Type: application/x-msdos-program
Etag: "53b96"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Sat, 09 May 2015 07:40:43 GMT
Alternate-Protocol: 80:quic,p=1
Last-Modified: Mon, 04 May 2015 16:39:00 GMT
Content-Range: bytes 789700-931407/931408
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0
q...H.."........G.To..n.....kT.p.>....G\.D............W..;6%N..y.[6
..{.z....._.`S..".Cy.8....a.....y..L.....`..u../......)....f0......s'M
NiX...CF"3,.;..~..=..;3..........d.......*4ou.....M....2Q.!..>z....
.a..`..l1.V..J^!0W..s...n....c. ....U.............Y..V...i.>..hi=.(
&.F..`......=....t.NX.}JX........_G.i....U....oS....w._.n.......rE Io.
/.....xJj.........Y.....8.....[. ..,.%....a.'j/j.jg.....%..l..........
....6...P.RQA..bXM.OzqR:[email protected].=.e...^x.;W......J..n
Em......*z.....H..............(.. ..?.P.v..6.a"P..mG./`w*.S...F;j.t.%R
.z#.b....Kv.($...'....g.3.H.....yK.m.....I..&..EQ.......<4..%n..J.P
%7.....1.4....TK...)W.=1....m.Xa.>@:z....x*..OdeBA.Y....\.........G
2j.7...9..U.U0..vr..as..N/.[[email protected]#..g]D.;....qI..{&B
pNZ;w...S..Nh. .\U^w:.[.y..#....q....n.Z8#..d......UhSp..<-.^...P..
#...APuc.y..YL...\:....q...C..X.T....9.fn..II......2.C....&T.x...*.r..
.<..).........6.>.l"s....$......(..__.)...........&x"....^..9.gv
....0..H...\..}........c....>.4:.S. ?...i...X.z.!\..sR.j,..._.....
...8YZ`.!.^.......|......S...t.. ..T.w............d.....7{..Dl...S....
[email protected]`...J...V......<....X...:..).......3.K......u[B..
).M..uD(.z...{[email protected].'.p....N..#Z..OH....8..8.....$..E...E.W..yx@
[email protected]..:.|`..wx...F)...t..P....%......;8..e..M..^uG.5Tme........A..<
$:P..u........Z.zX...1=.|^-....."..2.....-D...?....y.....-`<..^..
.../!!..(a.B0.c.i...=.(...;.Q..=/..{Cj.iQ...!..a.2..O>zZ........Z{.
w&.<D.F.)...x.. 8..F..h......F.|-#.Y....Ody,..3.=..b^...*.r.j

<<< skipped >>>

HEAD /edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: cache.pack.google.com


HTTP/1.1 302 Found
Date: Mon, 18 May 2015 22:22:38 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r8---sn-2apm-f5fd.c.pack.google.com/edgedl/update2/1.3.27.5/GoogleUpdateSetup.exe?cms_redirect=yes&expire=1432002158&ip=193.138.244.231&ipbits=0&mm=28&mn=sn-2apm-f5fd&ms=nvh&mt=1431986808&mv=u&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=26C6B382E5033B12EEC4F159ED76E6F203B82F92.652AB959CC00DD22F5742E7B816BDE1635F28BDF&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 623
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=1


POST /consent/json/188?nexcb=167f6d1d-be93-4e51-a9cc-3010c16127bb HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1536
Connection: Keep-Alive
Cache-Control: no-cache

a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b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopI
yQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jG
n0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/j
egwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62
b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4
l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMoQ53SPkjfHSKzMRhY6UgU00GjEjn4W1O9KG
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:56 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:56 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
Content-Length: 0
Connection: keep-alive
....



POST /evt/?nexcb=842ff0c4-2308-4356-945b-9611b5868b15 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1582
Connection: Keep-Alive
Cache-Control: no-cache

a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b=FjJQeNZNTgZyE52Q/fsOTqK1JbPBHVkWhZ6AMzUE8YaYjtncJbyzYSZAp0H1tVzwDrApJaEqoopI
yQw6PLWQVMRTgP+h6AZoFVFKr7qs5gIfZS3laaih6W2KUEbgiK0qg3NZ/wrfIbs0i+ZfSStTH1jG
n0XduyWZroUzi4wLH8onZy2/7o91AwmMCo54W5ng1DQfvndE0Thmd1o1cU12Tn/XUcsTT0R9if/j
egwiRYEf1vipv8JkWzITzfMGD0Q2+wud07pY1UvgD+ixvqqdJAPen+qJQscpTBS0EBU/wp/THp62
b9bVNKPHgaaFuzoJrjS+qGhu3U3VwJ0Q7Sh/v5tQZgtLZY/26/BN/n9lM0FovcTkQ6X3GMvQlnr4
l8SvbFzLp0F5WD13RoPX+8Mav5zKrW06dP0rMo
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:56 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:56 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
Content-Length: 0
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTEemCaVgs8Tuh2B9fGVE0pKKNyzgQUTF+nNhcF4oZhIkk5jLmo40rgOBoCEC6utoKGY/7ZdVX4/iTzOxo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1552
content-transfer-encoding: binary
Cache-Control: max-age=328291, public, no-transform, must-revalidate
Last-Modified: Fri, 15 May 2015 17:35:11 GMT
Expires: Fri, 22 May 2015 17:35:11 GMT
Date: Mon, 18 May 2015 22:26:44 GMT
Connection: keep-alive
0..........0..... [email protected]
5173511Z0s0q0I0... .........z`.V.<N.v...TM)(.r...L_.6....a"I9....J.
8........c..uU..$.;.....20150515173511Z....20150522173511Z0...*.H.....
.........L...NI}..* >........K.J..RH..\..f...jN..,.%.....ye'..#...Q
?..EUs..`q..]G9....(...~.m..5.....2G."{.d_L...a....,.-8%6z..u..E.....z
^.%b.=.....yV.x7...|e.>.<.HJ-.D._yHM.j!..w..2...-..o...*U.plj[..
.hd......>V. ....K.'|.,.6....C.W..4.G.3.:?..w..~.|...b..-..f.0....5
0..10..-0..........y.P}~.EY....T]. 0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certificatio
n Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized us
e only1.0...U....VeriSign Trust Network0...141202000000Z..151216235959
Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Tr
ust Network1?0=..U...6Symantec Class 3 PCA - G2 OCSP Responder Certifi
cate 30.."0...*.H.............0..........6..]......w';.r........I..c..
4.... .........TyW......hd_.....!C.k......SE<?o.H.. .me.c..9N.&....
e.^-..a.....i\:..*."..u...|....".Nf3.~.L...QW...p.....-]UV8U...J&.<
./.G.....I...4.T....#I*.i.E0\..~q$.I.......X?G....f.t......v.l.U.Ld.I.
..B.....=...Sf...H.s.........0..0...U....0.0l..U. .e0c0a..`.H...E....0
R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.sy
mauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U.
...0...0.1.0...U....TGV-B-2740...*.H............1.`...i.....H.C.i.9~.i
..Z.r.*$..(./.ag9.....J.Q.~.`.$?b..C....<.h.........d&....3.kV.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs/UZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq+2TZMCEA89qsgV9niZmSI6gIO0S/U= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=604301, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 22:15:43 GMT
Expires: Mon, 25 May 2015 22:15:43 GMT
Date: Mon, 18 May 2015 22:26:44 GMT
Connection: keep-alive
0..........0..... .....0......0...0......%bn.$..5.......?'4....2015051
8221543Z0s0q0I0... ........N.E.~.?Q.n.j<a.....3...>c."t..d.1..#.
...M....=....x..":...K.....20150518221543Z....20150525221543Z0...*.H..
...........i.`._..84...".FlP.T.LzX../f.....&..f...X.>.Ig.N4*....d..
....=....|q. p....J...m[.V.Kz....2.c.Zj\.s...^}...............'H.7i.u.
nD..J.....Jw.yI....vGi......_........o*z..Z....cH[...w.8.....K.}.1..=|
.(.l.e.CC77..l.kR.....?.x...>...o3d.....JQ.tS3v....<...3f.\.....
0...0...0..........7.R.~|..r."....#0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms
of use at hXXps://w..


GET /pki/crl/products/WinPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
Accept-Ranges: bytes
ETag: "dde36a309c58d01:0"
Server: Microsoft-IIS/8.0
VTag: 43879645100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:25:56 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Window
s Verification PCA..150306223202Z..150605105201Z._0]0...U.#..0.......p
............<.J0... .....7.......0...U......40... .....7......15060
4224201Z0...*.H.............4......n[.t........'....Dx.P3R.!3.|D.6vL..
"k..9'....L..k......e.4......._..N..TJ......N.fP...H.....8...TJA...fGA
.e...^"{../...H?..E.Y.U....h..0/.......d...6..K..V?QM...{..h.....{.3..
.v.....\~.7n..5..'..k.Ia.YL..LP.b....._7.V..%......z*$q..Y..f.b..L8<
;~..v.w
....



GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
Accept-Ranges: bytes
ETag: "cf2633d6957d01:0"
Server: Microsoft-IIS/8.0
VTag: 43853244400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:25:56 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-St
amp PCA..150304221607Z..150603103607Z._0]0...U.#..0...#[email protected].. .
.5..0... .....7.......0...U......20... .....7......150602222607Z0...*.
H.............Y..}y`....T.Z..`B<..I.N..O... E:....7......a..)......
...._|W5laoqi(..>t~.."...&`.._.7J...:..{bO_Kyi...R...!...B.s..I.c&j
...(I\.S{._;@B...[i.e.[."...R` \...........M^k.=q[.V...9y..G.1o#k3<
.W.......H.$>}...U...2qyd2|b.fB.....r....H.P...;....Q...b......5%.P
.#..


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEGO+CyDUoFQBjrKVo87pCRc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=351582, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 00:04:54 GMT
Expires: Sat, 23 May 2015 00:04:54 GMT
Date: Mon, 18 May 2015 22:26:32 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....2015051
6000454Z0s0q0I0... ...................F....0.yV......{&.K......&......
.c.. ..T.............20150516000454Z....20150523000454Z0...*.H........
.......t...H$.HE.NJ......o...7....K...U.....t..p.......q......g...>
...w.z..#.....aa$ .Xt..B".>c...~..mP...I] ..53e]......Z.N)=.....K..
..(.....W.N..........j..... ..l...L\..*..A..y.E....C..d........M..$...
.f.;{.....Q.B. [email protected]>.....)..e..>.. ..{..........0..
.0...0............F...I]A([email protected]...*.H........0..1.0...U....US1.0...U
....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of
use at hXXps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3
Code Signing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.
0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1Ver
iSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............
0.........q<...A...#......A...u..Lz.............o..D.vQ%..s.......f
....e../jI.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.
p....M/.. ..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b.
.L...5.o..o..{..}.........%e.....N..._i........*Bc....:yQg.........0..
.0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://www
.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS
incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0.
..U........0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.
H..............-..^.........f.P`...s.....8.....V.......... .... B.

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a7c16baf48995fbc HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Mon, 18 May 2015 22:21:55 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=586327, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 17:15:12 GMT
Expires: Mon, 25 May 2015 17:15:12 GMT
Date: Mon, 18 May 2015 22:26:44 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015051
8171512Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
....^[email protected]...*.H........
....."...S...P......,;...X..d]..1Do......c...i.{g..'...K...1...5.E.6.I
.F.. .......2...-Dy2"..PPF.n....A"6:A4>..G.,.ei...'.......2Jt^.....
1CP...F..@......:6.q...U '...hJ..W_\.J.Z..= ..i......l_S...a......p..e
..]....B......v .M.x.S..1S..P%...........w.....w..sp;....#0...0...0...
.......r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Sign
ing 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...U..
..VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of u
se at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3
Code Signing 2009-2 OCSP Responder0.."0...*.H.............0..........
...m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...nz(.
..V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*]...*
....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...:.C
.Q.i~rl..<..krS..8.B..o][email protected]..
..0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisig
n.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U.....
...0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H...

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEALa8SdwQh28+NjkQGqVhx8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=600018, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 21:05:30 GMT
Expires: Mon, 25 May 2015 21:05:30 GMT
Date: Mon, 18 May 2015 22:26:30 GMT
Connection: keep-alive
0..........0..... .....0......0...0......N$p...v....1.;..vn....2015051
8210530Z0s0q0I0... ...................F....0.yV......{&.K......&......
....'[email protected]...*.H........
........^.M...a..b....0....}......Q.^..E.#s5'mX...Mj.X$1,....k...v\...
..9....k.L":d.l..%.0......-..JGH.c&TCn.MD..K..w.9..a....=.3;E...a.....
/.l.R.....b.1..^x.-...5..1...w%By.s...N4...u2>.ai Z..X...%.........
.S.7.._...$[.^.....'LTY.M....R..cO.A...m.;k.....;.........0...0...0...
.........F...I]A([email protected]...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 CA0...150225000000Z..150526235959Z0..1.0...U....US1.0...U....
VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Cla
ss 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0........
.q<...A...#......A...u..Lz.............o..D.vQ%..s.......f....e../j
I.d.W.....|K;.j5...#.B%.]..~S.... .|;S.&.....N..`...5.....!D.p....M/..
..;j...q..`6...2.Ck..BnLHvCZn%....,.w.Ooi..z'...\.Yx......b..L...5.o.
.o..{..}.........%e.....N..._i........*Bc....:yQg.........0...0...U...
.0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign
.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp.
by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U......
..0... .....0......0"..U....0...0.1.0...U....TGV-B-31830...*.H........
......-..^.........f.P`...s.....8.....V.......... .... B.(@-)6.Rf.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=595511, public, no-transform, must-revalidate
Last-Modified: Mon, 18 May 2015 19:50:23 GMT
Expires: Mon, 25 May 2015 19:50:23 GMT
Date: Mon, 18 May 2015 22:26:35 GMT
Connection: keep-alive
0..........0..... .....0......0...0......'.V.8.F.V....H....JW..2015051
8195023Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5......
.A..2.....:...:......20150518195023Z....20150525195023Z0...*.H........
......MI......._.3}...$.f?....]..._j..a.....H...E.H..A....}..o.w.C6...
0.)j.._..N...7.....0s..j.V.{B.6....O..4...n..p..;}a?.lh.....t.w.Uph...
..i`....U\.sQ.P..5..S.DNt\./W.....T..]r.O.".Lp....4....qO.J..G._..>
...R..... ...[y..02..|.......R..>....bl....".Ov.S@......#0...0...0
..........r..?.*......y"..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use a
t hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code S
igning 2009-2 CA0...150226000000Z..150527235959Z0..1.0...U....US1.0...
U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms o
f use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Clas
s 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.......
......m5*R........2....>...yU4..L.. ...........u..Hez..Pn.....d...n
z(...V7.}^...d!RX...bl..[..a...L.. .~..Ij......%..%p.-...u..:..i..F*].
..*....{NH..|0...gHX.Q.r....S..........._.9.(w...suC...N..s.....&."...
:.C.Q.i~rl..<..krS..8.B..o][email protected]...
U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.veri
sign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS inco
rp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U..
......0... .....0......0"..U....0...0.1.0...U....TGV-B-32010...*.H

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:26:27 GMT
Connection: keep-alive


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 14 Apr 2015 05:02:07 GMT
Accept-Ranges: bytes
ETag: "2711f7277076d01:0"
Server: Microsoft-IIS/8.5
VTag: 279782516600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 18 May 2015 22:26:35 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Si
gning PCA..150413163223Z..150713045223Z.a0_0...U.#..0..........X..7.3.
..L...0... .....7.........0...U......Z0... .....7......150712164223Z0.
..*.H.............WK....e.\.-.n......./......."]..E!.. //=...[....w...
..........#...[.l.J..f|..... .s......w...J._.......3.[..#.z....ko.I..
Q{....e.nV......F..d}..rF\H.jlH]dQ.E....x......W............j....&L. 2
.$.?...X?.#.(.....pK.v.......y..r....t......=.AW......K.G.gJD.b...


POST /evt/?nexcb=84211eed-2475-4dd6-99b9-c6179b9932ec HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1576
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:50 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:50 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive



POST /evt/?nexcb=014c656e-070c-42e4-a618-0b7cd62f7000 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: inst.vertitechnologygroup.com
Content-Length: 1590
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: hXXp://lp.vertitechnologygroup.com
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Cache-Control: max-age=300, must-revalidate
Content-Language: en
Content-Type: text/html
Date: Mon, 18 May 2015 22:21:55 GMT
Expires: 0
Last-Modified: Mon, 18 May 2015 22:21:55 GMT
Pragma: no-cache
Server: Apache/2.2.15
Vary: User-Agent,Accept-Encoding
VTG-Country: UA
X-Powered-By: PHP/5.3.3
Content-Length: 0
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=329712, public, no-transform, must-revalidate
Last-Modified: Fri, 15 May 2015 18:00:38 GMT
Expires: Fri, 22 May 2015 18:00:38 GMT
Date: Mon, 18 May 2015 22:26:30 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=404818, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 14:50:04 GMT
Expires: Sat, 23 May 2015 14:50:04 GMT
Date: Mon, 18 May 2015 22:26:30 GMT
Connection: keep-alive

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?56698f683a44bf83 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Mon, 18 May 2015 22:22:26 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=405089, public, no-transform, must-revalidate
Last-Modified: Sat, 16 May 2015 14:50:06 GMT
Expires: Sat, 23 May 2015 14:50:06 GMT
Date: Mon, 18 May 2015 22:21:55 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEC9TU26kAR6B+//SjEsL628= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=492498, public, no-transform, must-revalidate
Last-Modified: Sun, 17 May 2015 15:10:13 GMT
Expires: Sun, 24 May 2015 15:10:13 GMT
Date: Mon, 18 May 2015 22:21:55 GMT
Connection: keep-alive

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1372:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe" /hostpath="c:\%original file name%.exe"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe
nssCAFE.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nssCAFC.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.0.11.5

setup.exe_1512:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
1.0.11.5
ux
1.3.6.1.4.1.311.2.1.12
KERNEL32.dll
EnumWindows
keybd_event
USER32.dll
GDI32.dll
CryptGetKeyParam
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
URLDownloadToFileW
urlmon.dll
CryptImportPublicKeyInfo
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
PFXImportCertStore
CRYPT32.dll
WINTRUST.dll
IPHLPAPI.DLL
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
InternetCrackUrlW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
HttpAddRequestHeadersA
HttpSendRequestA
WININET.dll
RPCRT4.dll
GetProcessHeap
GetCPInfo
.?AV?$CAtlExeModuleT@VInstallerModule@@@ATL@@
.?AV?$IDispEventImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$00VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VInstallerWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS></application></compatibility></assembly>
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
4f8e4a92-ce56-489d-a291-f4c00708a10c
https
kernel32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:2596
    GoogleUpdate.exe:1732
    GoogleUpdate.exe:2636
    GoogleUpdate.exe:1612
    GoogleUpdate.exe:1604
    GoogleUpdate.exe:1748
    GoogleUpdate.exe:1916
    GoogleUpdateSetup.exe:2660
    %original file name%.exe:1372
    GoogleUpdateComRegisterShell64.exe:976
    GoogleUpdateComRegisterShell64.exe:1664
    GoogleUpdateComRegisterShell64.exe:1020

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_mr.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_it.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fi.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lv.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-TW.dll (69 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_iw.dll (72 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_kn.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdate.exe (1954 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sl.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-PT.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ar.dll (77 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateWebPlugin.exe (1738 bytes)
    C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job (898 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdate.dll (32380 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_zh-CN.dll (69 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_uk.dll (79 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_en.dll (40 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psuser.dll (1954 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psmachine.dll (1954 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bn.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_tr.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateHelper.msi (90 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ru.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_vi.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ur.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psmachine_64.dll (3778 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_no.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ta.dll (86 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_is.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ms.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ja.dll (71 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pt-BR.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_pl.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es.dll (86 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\psuser_64.dll (3778 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll (12490 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_te.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ro.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_th.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hi.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_gu.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateSetup.exe (21970 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fa.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateComRegisterShell64.exe (1738 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fil.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler64.exe (4210 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_lt.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ca.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_et.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_cs.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_da.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sv.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_nl.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hr.dll (79 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdate.dll (49 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sk.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sr.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_id.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_fr.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_en-GB.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_am.dll (78 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_bg.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleCrashHandler.exe (3778 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_sw.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_de.dll (86 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_el.dll (80 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateOnDemand.exe (1738 bytes)
    %Program Files% (x86)\Google\Update\1.3.26.9 (28 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_es-419.dll (79 bytes)
    C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job (902 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ml.dll (87 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_hu.dll (79 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\GoogleUpdateBroker.exe (1738 bytes)
    %Program Files% (x86)\Google\Update\1.3.27.5\goopdateres_ko.dll (71 bytes)
    %Program Files% (x86)\Google\Update\Install\{43CD7B63-9C36-46FD-8900-CAA6999A400A}\GoogleUpdateSetup.exe (8278 bytes)
    %Program Files% (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.27.5\GoogleUpdateSetup.exe (7345 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_gu.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_vi.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_nl.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psuser_64.dll (213 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateBroker.exe (88 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_lv.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_bn.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fa.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-CN.dll (33 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psmachine.dll (183 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sl.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ja.dll (35 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_cs.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fr.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_is.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_kn.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateComRegisterShell64.exe (127 bytes)
    %Program Files% (x86)\GUTEE35.tmp (6 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ar.dll (37 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ta.dll (41 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_lt.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdate.exe (291 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ro.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ru.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_es.dll (41 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_am.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_hr.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateWebPlugin.exe (88 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_en-GB.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sr.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_zh-TW.dll (33 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateOnDemand.exe (88 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_th.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_tr.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_es-419.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateSetup.exe (7345 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fil.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_da.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sv.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_uk.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sk.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_no.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_pl.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_el.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_sw.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_id.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-BR.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_fi.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ms.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_et.dll (38 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_te.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleCrashHandler.exe (244 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_it.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ur.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psmachine_64.dll (213 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_de.dll (41 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_iw.dll (36 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_mr.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_bg.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_pt-PT.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\GoogleUpdateHelper.msi (45 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_hu.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\psuser.dll (183 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ml.dll (42 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_hi.dll (39 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ca.dll (40 bytes)
    %Program Files% (x86)\GUMEE34.tmp\goopdateres_ko.dll (35 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6 (1504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_2F4605ECD1CDA455EBB782CE30D68BB7 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2858020935-2156992550-3658131804-1003\d16af8aafb8de36166d078029ced25a7_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFD.tmp (28110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssCAFE.tmp\setup.exe (38152 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
