Gen.Variant.Symmi.43793_d9a30954a7

by malwarelabrobot on June 20th, 2018 in Malware Descriptions.

Gen:Variant.Symmi.87613 (BitDefender), Trojan:Win32/Tiggre!rfn (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader26.50501 (DrWeb), Gen:Variant.Symmi.87613 (B) (Emsisoft), Generic-FAAF!D9A30954A785 (McAfee), Packed.Vmpbad!gen4 (Symantec), Trojan.Win32.VMProtect (Ikarus), Gen:Variant.Symmi.87613 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R020C0CFC18 (TrendMicro), Gen:Variant.Symmi.43793 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Packed, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: d9a30954a785a42afd0b8ca5122a1efe
SHA1: d74e532e501afcaac728e71190d713beb006f994
SHA256: 68185a6385ac03ba0c8f38d4126cd8a9f65d5c7be5a5e44fd2d19ae77e8358dd
SSDeep: 12288:/SIiLWB7v4WpOsCVfTfhctha9WUR8GIGMgZvLBtLxKVAPRxJ6lVQ:/SIiLAZDton8lNgBH0VMWK
Size: 675840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2018-06-13 08:21:19
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

GoogleUpdate.exe:2124
GoogleUpdate.exe:2576
GoogleUpdate.exe:2628
GoogleUpdate.exe:1388
GoogleUpdate.exe:3928
GoogleUpdate.exe:2104
GoogleUpdateSetup.exe:4084

The Trojan injects its code into the following process(es):

UI0Detect.exe:2796
UI0Detect.exe:2656
%original file name%.exe:3508

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process GoogleUpdate.exe:2124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\GUM9387.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)

The process GoogleUpdate.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\Install\{A414FE65-6B28-45C9-83F9-A2357E0ADEFD}\GoogleUpdateSetup.exe (7596 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{F509E677-519E-471C-83A3-F4168DDF8EDE}-GoogleUpdateSetup.exe (0 bytes)

The process GoogleUpdateSetup.exe:4084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\GUM9387.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM9387.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUT9388.tmp (7 bytes)
%Program Files%\GUM9387.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM9387.tmp (32 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM9387.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM9387.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM9387.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM9387.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM9387.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM9387.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM9387.tmp\psuser.dll (206 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM9387.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM9387.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM9387.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM9387.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM9387.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sv.dll (43 bytes)

The Trojan deletes the following file(s):

%Program Files%\GUM9387.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUT9388.tmp (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM9387.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_et.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM9387.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM9387.tmp (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM9387.tmp\psuser.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM9387.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM9387.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sv.dll (0 bytes)

The process %original file name%.exe:3508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Windows\System32\COMCTL32.OCX (608 bytes)
C:\Windows\0BCZU.dll (332 bytes)
C:\Windows\System32\COMDLG32.OCX (307 bytes)
C:\Windows\System32\drivers\etc\hosts (9 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\drivers\etc\hosts (0 bytes)

Registry activity

The process GoogleUpdate.exe:2124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"

[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"

[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{42BECD3C-F136-4EAD-A1D6-D7C89536F199}]
"PersistedPingString" = ""

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"

[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1529374346"

[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.17"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{42BECD3C-F136-4EAD-A1D6-D7C89536F199}]
"PersistedPingTime" = "131738479466837598"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1529374346"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\Update\1.3.31.5,"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"

[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"

[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{42BECD3C-F136-4EAD-A1D6-D7C89536F199}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"

[HKLM\SOFTWARE\Google\Update]
"old-uid"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"

[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"

[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"

[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"

[HKLM\SOFTWARE\Google\Update]
"ui"

[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"

[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"

[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"

[HKLM\SOFTWARE\Google\Update]
"mi"

The process GoogleUpdate.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"

[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"

[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"

[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"

[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"

[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"

[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"

[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"

[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"

[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"

[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"

[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"

[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"

[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"

[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"

[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"

[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"

[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"

[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"

[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"

[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"

[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"

[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"

[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"

[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"

[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"

[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"

[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"

[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"

[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"

[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"

[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"

[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"

[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}]
"(Default)" = "PSFactoryBuffer"

[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"

[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"

[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"

[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"

[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"

[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"

[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"

[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"

[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"

[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"

[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"

[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"

[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:2628 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"

[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"

[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"

[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"

[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"

[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"

[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"

[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"

[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"

[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"

[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process GoogleUpdate.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529305202"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529305202"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{EE9B2F9B-2137-4053-ACB1-BB11994627A7}]
"PersistedPingString" = ""

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""

[HKLM\SOFTWARE\Google\Update\PersistedPings\{937DCB29-59A8-492F-938C-4A45E4D17DF8}]
"PersistedPingTime" = "131738478839148430"

[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529305202"
"ping_freshness" = "{5649E2C3-3B69-4FF2-AFE2-2E595EE9835B}"

[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529374283"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{3C080054-7C18-414D-AB45-5C58738AC88C}"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529305202"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{EE9B2F9B-2137-4053-ACB1-BB11994627A7}]
"PersistedPingTime" = "131738478763748285"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4186"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{7F141017-B102-46FA-B09B-1A79985B0270}"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529374283"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529305202"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Google\Update\PersistedPings\{937DCB29-59A8-492F-938C-4A45E4D17DF8}]
"PersistedPingString" = ""

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{937DCB29-59A8-492F-938C-4A45E4D17DF8}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{EE9B2F9B-2137-4053-ACB1-BB11994627A7}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"

[HKLM\SOFTWARE\Google\Update]
"old-uid"
"LastInstallerError"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"

[HKLM\SOFTWARE\Google\Update]
"uid"

[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr"

[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"

The process GoogleUpdate.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"

The process %original file name%.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. Most of the HKCR entries are the COM registrations that the dropped MSINET.OCX (Microsoft Internet Transfer Control) and COMDLG32.OCX (Microsoft Common Dialog Control) write when they self-register; the HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32 and _RASMANCS keys are created by Windows itself when a process (here the sample, running under its MD5 as file name) first loads the RAS dialing APIs; and the Internet Settings changes, together with the deletions further down, remove the user's proxy configuration:

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version]
"(Default)" = "1.2"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\MSComDlg.CommonDialog.1\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKCR\MSComDlg.CommonDialog\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Font Property Page Object"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}]
"(Default)" = "ICommonDialog"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "ICommonDialogEvents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.OCX, 1"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS]
"(Default)" = "2"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID]
"(Default)" = "MSComDlg.CommonDialog.1"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX, 1"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID]
"(Default)" = "MSComDlg.CommonDialog"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"Version" = "1.2"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Help Property Page Object"

[HKCR\MSComDlg.CommonDialog\CurVer]
"(Default)" = "MSComDlg.CommonDialog.1"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1]
"(Default)" = "132499"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2]
"(Default)" = "Microsoft Common Dialog Control 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"Version" = "1.2"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"MaxFileSize" = "1048576"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Open Property Page Object"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\MSComDlg.CommonDialog]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\MSComDlg.CommonDialog.1]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Color Property Page Object"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Print Property Page Object"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

Dropped PE files

MD5 File path
6c718849d436a7ccebed72538f8bd04b c:\Program Files\GUM9387.tmp\GoogleCrashHandler.exe
d2f56e366f1cb26866a6f43bd53b46c3 c:\Program Files\GUM9387.tmp\GoogleCrashHandler64.exe
92ee791a630830452485e8e375f8db35 c:\Program Files\GUM9387.tmp\GoogleUpdate.exe
8171211b809414b6d8a8e4f6ea8cf140 c:\Program Files\GUM9387.tmp\GoogleUpdateBroker.exe
03b587bfaf6dd67b330ccb6fb99ca59a c:\Program Files\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe
678dd73ca364411bcf431892b8f878da c:\Program Files\GUM9387.tmp\GoogleUpdateCore.exe
96e08eb0d929c279536bdbbc543da8fb c:\Program Files\GUM9387.tmp\GoogleUpdateOnDemand.exe
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\GUM9387.tmp\GoogleUpdateSetup.exe
063ca1017835923689c4957562ea2862 c:\Program Files\GUM9387.tmp\GoogleUpdateWebPlugin.exe
463a426da94fc2418a713ceebb799e22 c:\Program Files\GUM9387.tmp\goopdate.dll
e433408ca45786f9b6b7873709f57eba c:\Program Files\GUM9387.tmp\goopdateres_am.dll
9d85c8517de4db2380aa14593d8a899a c:\Program Files\GUM9387.tmp\goopdateres_ar.dll
f376765117f5b82123ec1f4fd352fb9c c:\Program Files\GUM9387.tmp\goopdateres_bg.dll
4a5e2fac15b93b43a2ee673e2e111478 c:\Program Files\GUM9387.tmp\goopdateres_bn.dll
230fe7b526bde7aff33b616618a8d05a c:\Program Files\GUM9387.tmp\goopdateres_ca.dll
9b598c6a4d3d9586f93feca20f51da70 c:\Program Files\GUM9387.tmp\goopdateres_cs.dll
b1bd2d1889f42f20aeac5f1998d8b21b c:\Program Files\GUM9387.tmp\goopdateres_da.dll
e5ea4068551b3ac782d955a699222067 c:\Program Files\GUM9387.tmp\goopdateres_de.dll
68cf3b8fef6b56cd583e8c30ae8ca563 c:\Program Files\GUM9387.tmp\goopdateres_el.dll
2087af32c82c00e32094ae86dcf35607 c:\Program Files\GUM9387.tmp\goopdateres_en-GB.dll
9c2a3eec41cd4effd6ffecaa910dd7da c:\Program Files\GUM9387.tmp\goopdateres_en.dll
7c7c2b897c7107e910eab8b669c93738 c:\Program Files\GUM9387.tmp\goopdateres_es-419.dll
73ccbf92e13acc6389bb9f7dd04935b6 c:\Program Files\GUM9387.tmp\goopdateres_es.dll
a2cb2c0b126c87336bc2b29a3e995dc5 c:\Program Files\GUM9387.tmp\goopdateres_et.dll
1d688c7571f047a36b585d810e02067f c:\Program Files\GUM9387.tmp\goopdateres_fa.dll
81f8d0fbff693910fedc808047cdf156 c:\Program Files\GUM9387.tmp\goopdateres_fi.dll
6cec555d88a69bdb910188c2b53b19a3 c:\Program Files\GUM9387.tmp\goopdateres_fil.dll
598294ce0043943aa4cc04edc139e6c8 c:\Program Files\GUM9387.tmp\goopdateres_fr.dll
7d3a8a7aec219fcbecacd04f1ad66053 c:\Program Files\GUM9387.tmp\goopdateres_gu.dll
0a9a7354a95c559a4093f24fff784911 c:\Program Files\GUM9387.tmp\goopdateres_hi.dll
de931037c2f487efa900aa6590cac9e0 c:\Program Files\GUM9387.tmp\goopdateres_hr.dll
456664b46a1948b0df8785bd5b87f858 c:\Program Files\GUM9387.tmp\goopdateres_hu.dll
43a73db8674c025026ed4cad9359a574 c:\Program Files\GUM9387.tmp\goopdateres_id.dll
5e609c7d0ab38fa244949da75da04a1b c:\Program Files\GUM9387.tmp\goopdateres_is.dll
d002a3352574a6e6999a6f2c23566745 c:\Program Files\GUM9387.tmp\goopdateres_it.dll
ffef2d63908222cacee0e40c138d5986 c:\Program Files\GUM9387.tmp\goopdateres_iw.dll
b71ff4a60875f30db7e492d4806f0c92 c:\Program Files\GUM9387.tmp\goopdateres_ja.dll
c6a1c2e334df66970a03b30539757f36 c:\Program Files\GUM9387.tmp\goopdateres_kn.dll
fb58fffc04f44137610caae567cfaf6a c:\Program Files\GUM9387.tmp\goopdateres_ko.dll
3b033e1092474acd6b7cfcf01a999d34 c:\Program Files\GUM9387.tmp\goopdateres_lt.dll
3b00a99d877881ba0fc786fdd8e3b426 c:\Program Files\GUM9387.tmp\goopdateres_lv.dll
157bf7b8eca4bc66d5c7fb3e358d5c58 c:\Program Files\GUM9387.tmp\goopdateres_ml.dll
7c864e8d77ebe0bc8451ade4f67f68b3 c:\Program Files\GUM9387.tmp\goopdateres_mr.dll
225c45af996ebf983800025ea32f6c18 c:\Program Files\GUM9387.tmp\goopdateres_ms.dll
2b04cd187acac2019e13195a3cc53a31 c:\Program Files\GUM9387.tmp\goopdateres_nl.dll
38651bcc330768d3e74763452a8e46e2 c:\Program Files\GUM9387.tmp\goopdateres_no.dll
531e1fca96b1cc6dfbb74c2e96d990c7 c:\Program Files\GUM9387.tmp\goopdateres_pl.dll
237642b8bddfe765e073a3aa6c29ca0a c:\Program Files\GUM9387.tmp\goopdateres_pt-BR.dll
298f4f2bd4e7b962615bcf0ed3d673ca c:\Program Files\GUM9387.tmp\goopdateres_pt-PT.dll
ea1ef744fb8ba02148b362adeac70952 c:\Program Files\GUM9387.tmp\goopdateres_ro.dll
774b5644ad40e4d3863d81a7d30d4fae c:\Program Files\GUM9387.tmp\goopdateres_ru.dll
6ffd62c9d080288bcc95816afd018048 c:\Program Files\GUM9387.tmp\goopdateres_sk.dll
d7b41237faca93b3d0666e4fd38092b8 c:\Program Files\GUM9387.tmp\goopdateres_sl.dll
25bbd03fc02f7daa9168dce7dfaef624 c:\Program Files\GUM9387.tmp\goopdateres_sr.dll
e645c5eb4401b5e443a9744fc141b2f5 c:\Program Files\GUM9387.tmp\goopdateres_sv.dll
2f111d7785bfcd6b4228df0cdf353407 c:\Program Files\GUM9387.tmp\goopdateres_sw.dll
8bb63ae799037b02a89c42408abf755a c:\Program Files\GUM9387.tmp\goopdateres_ta.dll
2f40316ac456b383c58be478daf69ce9 c:\Program Files\GUM9387.tmp\goopdateres_te.dll
cdc5e8fdba12f79c056bcf3085335ac5 c:\Program Files\GUM9387.tmp\goopdateres_th.dll
811ac46d616f94ae885175863e0ce95d c:\Program Files\GUM9387.tmp\goopdateres_tr.dll
23725511dd277f08993bbfbaf27123c1 c:\Program Files\GUM9387.tmp\goopdateres_uk.dll
3edc8f630a94d57674097194540a9f6a c:\Program Files\GUM9387.tmp\goopdateres_ur.dll
baff2a81498cb67c560d443e96153060 c:\Program Files\GUM9387.tmp\goopdateres_vi.dll
6c2d04d599eb5b4549653d030d9d6550 c:\Program Files\GUM9387.tmp\goopdateres_zh-CN.dll
f66719fb333de285e6edd1fd20e0edf8 c:\Program Files\GUM9387.tmp\goopdateres_zh-TW.dll
671e1e25f6f08809863bb9aed544e70e c:\Program Files\GUM9387.tmp\npGoogleUpdate3.dll
cca7a6b6c2bce1e8af12a95f69c4cc8f c:\Program Files\GUM9387.tmp\psmachine.dll
edad26bca1696d23ecb9dc3ab48fd551 c:\Program Files\GUM9387.tmp\psmachine_64.dll
c2762290bb2ece339d4c63f7a8a6acc8 c:\Program Files\GUM9387.tmp\psuser.dll
58b48e4352559d4d76776377fde5df0c c:\Program Files\GUM9387.tmp\psuser_64.dll
6c718849d436a7ccebed72538f8bd04b c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler.exe
d2f56e366f1cb26866a6f43bd53b46c3 c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler64.exe
92ee791a630830452485e8e375f8db35 c:\Program Files\Google\Update\1.3.33.17\GoogleUpdate.exe
03b587bfaf6dd67b330ccb6fb99ca59a c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe
678dd73ca364411bcf431892b8f878da c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateCore.exe
463a426da94fc2418a713ceebb799e22 c:\Program Files\Google\Update\1.3.33.17\goopdate.dll
e433408ca45786f9b6b7873709f57eba c:\Program Files\Google\Update\1.3.33.17\goopdateres_am.dll
9d85c8517de4db2380aa14593d8a899a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ar.dll
f376765117f5b82123ec1f4fd352fb9c c:\Program Files\Google\Update\1.3.33.17\goopdateres_bg.dll
4a5e2fac15b93b43a2ee673e2e111478 c:\Program Files\Google\Update\1.3.33.17\goopdateres_bn.dll
230fe7b526bde7aff33b616618a8d05a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ca.dll
9b598c6a4d3d9586f93feca20f51da70 c:\Program Files\Google\Update\1.3.33.17\goopdateres_cs.dll
b1bd2d1889f42f20aeac5f1998d8b21b c:\Program Files\Google\Update\1.3.33.17\goopdateres_da.dll
e5ea4068551b3ac782d955a699222067 c:\Program Files\Google\Update\1.3.33.17\goopdateres_de.dll
68cf3b8fef6b56cd583e8c30ae8ca563 c:\Program Files\Google\Update\1.3.33.17\goopdateres_el.dll
2087af32c82c00e32094ae86dcf35607 c:\Program Files\Google\Update\1.3.33.17\goopdateres_en-GB.dll
9c2a3eec41cd4effd6ffecaa910dd7da c:\Program Files\Google\Update\1.3.33.17\goopdateres_en.dll
7c7c2b897c7107e910eab8b669c93738 c:\Program Files\Google\Update\1.3.33.17\goopdateres_es-419.dll
73ccbf92e13acc6389bb9f7dd04935b6 c:\Program Files\Google\Update\1.3.33.17\goopdateres_es.dll
a2cb2c0b126c87336bc2b29a3e995dc5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_et.dll
1d688c7571f047a36b585d810e02067f c:\Program Files\Google\Update\1.3.33.17\goopdateres_fa.dll
81f8d0fbff693910fedc808047cdf156 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fi.dll
6cec555d88a69bdb910188c2b53b19a3 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fil.dll
598294ce0043943aa4cc04edc139e6c8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_fr.dll
7d3a8a7aec219fcbecacd04f1ad66053 c:\Program Files\Google\Update\1.3.33.17\goopdateres_gu.dll
0a9a7354a95c559a4093f24fff784911 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hi.dll
de931037c2f487efa900aa6590cac9e0 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hr.dll
456664b46a1948b0df8785bd5b87f858 c:\Program Files\Google\Update\1.3.33.17\goopdateres_hu.dll
43a73db8674c025026ed4cad9359a574 c:\Program Files\Google\Update\1.3.33.17\goopdateres_id.dll
5e609c7d0ab38fa244949da75da04a1b c:\Program Files\Google\Update\1.3.33.17\goopdateres_is.dll
d002a3352574a6e6999a6f2c23566745 c:\Program Files\Google\Update\1.3.33.17\goopdateres_it.dll
ffef2d63908222cacee0e40c138d5986 c:\Program Files\Google\Update\1.3.33.17\goopdateres_iw.dll
b71ff4a60875f30db7e492d4806f0c92 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ja.dll
c6a1c2e334df66970a03b30539757f36 c:\Program Files\Google\Update\1.3.33.17\goopdateres_kn.dll
fb58fffc04f44137610caae567cfaf6a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ko.dll
3b033e1092474acd6b7cfcf01a999d34 c:\Program Files\Google\Update\1.3.33.17\goopdateres_lt.dll
3b00a99d877881ba0fc786fdd8e3b426 c:\Program Files\Google\Update\1.3.33.17\goopdateres_lv.dll
157bf7b8eca4bc66d5c7fb3e358d5c58 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ml.dll
7c864e8d77ebe0bc8451ade4f67f68b3 c:\Program Files\Google\Update\1.3.33.17\goopdateres_mr.dll
225c45af996ebf983800025ea32f6c18 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ms.dll
2b04cd187acac2019e13195a3cc53a31 c:\Program Files\Google\Update\1.3.33.17\goopdateres_nl.dll
38651bcc330768d3e74763452a8e46e2 c:\Program Files\Google\Update\1.3.33.17\goopdateres_no.dll
531e1fca96b1cc6dfbb74c2e96d990c7 c:\Program Files\Google\Update\1.3.33.17\goopdateres_pl.dll
237642b8bddfe765e073a3aa6c29ca0a c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-BR.dll
298f4f2bd4e7b962615bcf0ed3d673ca c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-PT.dll
ea1ef744fb8ba02148b362adeac70952 c:\Program Files\Google\Update\1.3.33.17\goopdateres_ro.dll
774b5644ad40e4d3863d81a7d30d4fae c:\Program Files\Google\Update\1.3.33.17\goopdateres_ru.dll
6ffd62c9d080288bcc95816afd018048 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sk.dll
d7b41237faca93b3d0666e4fd38092b8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sl.dll
25bbd03fc02f7daa9168dce7dfaef624 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sr.dll
e645c5eb4401b5e443a9744fc141b2f5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sv.dll
2f111d7785bfcd6b4228df0cdf353407 c:\Program Files\Google\Update\1.3.33.17\goopdateres_sw.dll
8bb63ae799037b02a89c42408abf755a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ta.dll
2f40316ac456b383c58be478daf69ce9 c:\Program Files\Google\Update\1.3.33.17\goopdateres_te.dll
cdc5e8fdba12f79c056bcf3085335ac5 c:\Program Files\Google\Update\1.3.33.17\goopdateres_th.dll
811ac46d616f94ae885175863e0ce95d c:\Program Files\Google\Update\1.3.33.17\goopdateres_tr.dll
23725511dd277f08993bbfbaf27123c1 c:\Program Files\Google\Update\1.3.33.17\goopdateres_uk.dll
3edc8f630a94d57674097194540a9f6a c:\Program Files\Google\Update\1.3.33.17\goopdateres_ur.dll
baff2a81498cb67c560d443e96153060 c:\Program Files\Google\Update\1.3.33.17\goopdateres_vi.dll
6c2d04d599eb5b4549653d030d9d6550 c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-CN.dll
f66719fb333de285e6edd1fd20e0edf8 c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-TW.dll
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe
53baee50f7a69bf3bc0fffe25341a923 c:\Program Files\Google\Update\Install\{A414FE65-6B28-45C9-83F9-A2357E0ADEFD}\GoogleUpdateSetup.exe
eb5f811c1f78005b3c147599a0cccf51 c:\Windows\System32\COMCTL32.OCX
ab412429f1e5fb9708a8cdea07479099 c:\Windows\System32\COMDLG32.OCX
90a39346e9b67f132ef133725c487ff6 c:\Windows\System32\MSINET.OCX

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which the Windows resolver consults before DNS to map hostnames to IP addresses, so an entry placed there silently redirects or blackholes the named hosts. The modified file is 9024 bytes in size. The following entries are added to the hosts file, all pointing at 182.253.238.102. Note that the list includes "localhost", and that entries whose hostname field carries a URL path or a port number (for example "mrcheat.us/blog" or "fee.arc-soft.com:26000/gamefee/sdk/init") are read by the hosts parser as a single hostname token and therefore never match a lookup:

182.253.238.102 localhost
182.253.238.102 www.puasaciter.com
182.253.238.102 puasaciter.com
182.253.238.102 citpekalongan.net
182.253.238.102 www.citpekalongan.net
182.253.238.102 www.pekalongan-kommuniti.net
182.253.238.102 wawcheatvip.blogspot.co.id
182.253.238.102 wawcheatvip.blogspot.com
182.253.238.102 waw-jakarta-cheater.blogspot.co.id
182.253.238.102 waw-jakarta-cheater.blogspot.com
182.253.238.102 pekalongan-kommuniti-cheat.blogspot.com
182.253.238.102 pekalongan-kommuniti-cheat.blogspot.co.id
182.253.238.102 www.pekalongankomuniti.com
182.253.238.102 pekalongan-kommunitiy.blogspot.com
182.253.238.102 pointblankidhack.xyz
182.253.238.102 pekalongan-kommuniti.net
182.253.238.102 rhm-files.blogspot.co.id
182.253.238.102 www.rhm-files.blogspot.co.id
182.253.238.102 rhm-files.blogspot.com
182.253.238.102 sites.google.com
182.253.238.102 www.rhm-files.blogspot.com
182.253.238.102 rhm-files.blogspot.sg
182.253.238.102 www.rhm-files.blogspot.sg
182.253.238.102 mrcheat.us
182.253.238.102 www.mrcheat.us
182.253.238.102 www.mrcheat.net
182.253.238.102 applogsg.matrix.netease.com
182.253.238.102 mgbsdksgtest.matrix.netease.com
182.253.238.102 unisdk.update.netease.com
182.253.238.102 netease.com
182.253.238.102 mrcheat.net
182.253.238.102 rhm-files.blogspot.co.uk
182.253.238.102 www.rhm-files.blogspot.co.uk
182.253.238.102 rhm-files.blogspot.de
182.253.238.102 www.rezpektor-key.net
182.253.238.102 rezpektor-key.net
182.253.238.102 vista-tigabelas.blogspot.com
182.253.238.102 vista-tigabelas.blogspot.co.id
182.253.238.102 vista-tigabelas.blogspot.de
182.253.238.102 d-cit.blogspot.com
182.253.238.102 d-cit.blogspot.co.id
182.253.238.102 mod-cit.blogspot.co.id
182.253.238.102 mod-cit.blogspot.com
182.253.238.102 mod-cit.blogspot.de
182.253.238.102 www.gelo-cheats.com
182.253.238.102 gelo-cheats.com
182.253.238.102 bancyberz.com
182.253.238.102 www.vvip-x-anonymous.com
182.253.238.102 vvip-x-anonymous.com
182.253.238.102 mrcheat.us
182.253.238.102 www.mrcheat.us
182.253.238.102 mrcheat.us/blog
182.253.238.102 www.mrcheat.us/blog
182.253.238.102 www.mrcheat.us/blog/
182.253.238.102 bagicheatonline.blogspot.co.id
182.253.238.102 bagicheatonline.blogspot.com
182.253.238.102 bagicheatonline.blogspot.de
182.253.238.102 triomarbot.com
182.253.238.102 www.bagicheatonline.blogspot.co.id
182.253.238.102 www.sundaizer.com
182.253.238.102 sundaizer.com
182.253.238.102 www.bancyberz.com
182.253.238.102 gudang-ngecit.com
182.253.238.102 www.gudang-ngecit.com
182.253.238.102 mediadisk.net
182.253.238.102 cupit-cheat.com
182.253.238.102 www.cupit-cheat.com
182.253.238.102 www.mediadisk.net
182.253.238.102 propekalongan-kommunity.blogspot.co.id
182.253.238.102 www.propekalongan-kommunity.blogspot.co.id
182.253.238.102 propekalongan-kommunity.blogspot.com
182.253.238.102 www.propekalongan-kommunity.blogspot.com
182.253.238.102 propekalongan-kommunity.blogspot.sg
182.253.238.102 mitracit.blogspot.co.id
182.253.238.102 mitracit.blogspot.com
182.253.238.102 www.propekalongan-kommunity.blogspot.sg
182.253.238.102 kotakciter.blogspot.co.id
182.253.238.102 www.kotakciter.blogspot.co.id
182.253.238.102 kotakciter.blogspot.com
182.253.238.102 www.kotakciter.blogspot.com
182.253.238.102 kotakciter.blogspot.sg
182.253.238.102 www.kotakciter.blogspot.sg
182.253.238.102 kotakciter.blogspot.co.uk
182.253.238.102 www.kotakciter.blogspot.co.uk
182.253.238.102 www.citpurworejo.com
182.253.238.102 citpurworejo.com
182.253.238.102 www.vazdancer.net
182.253.238.102 vazdancer.net
182.253.238.102 mediadisk.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk1.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk1.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk2.net
182.253.238.102 www.mediadisk2.net
182.253.238.102 mediadisk3.net
182.253.238.102 140.207.168.45/g/d
182.253.238.102 api.goapk.com
182.253.238.102 api.goapk.com/ucsdk.php
182.253.238.102 appdump.x.netease.com/upload
182.253.238.102 fc.my.163.com:8080/
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/before_create_order
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/check_channel
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/check_white_phone
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/create_order
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/dot_upload
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/init
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/reg_ver_confirm
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/ver_confirm
182.253.238.102 g0.gdl.netease.com
182.253.238.102 g73.drpf.x.easebar.com
182.253.238.102 h5.m.taobao.com/trade/paySuccess.html?bizOrderId=$OrderId$&
182.253.238.102 hydra.alibaba.com
182.253.238.102 m.alipay.com/?action=h5quit
182.253.238.102 mbdl.update.netease.com/%s.mbdl
182.253.238.102 mbdl.update.netease.com/httpdns.mbdl
182.253.238.102 mcgw.alipay.com/sdklog.do
182.253.238.102 mobile.unionpay.com/getclient?platform=android&type=securepayplugin
182.253.238.102 mobilegw-1-64.test.alipay.net/mgw.htm
182.253.238.102 mobilegw.aaa.alipay.net/mgw.htm
182.253.238.102 mobilegw.alipay.com/mgw.htm
182.253.238.102 mobilegw.stable.alipay.net/mgw.htm
182.253.238.102 tqlm.16163.com/zt/tqlm/gamefeedback-test/index.html
182.253.238.102 update.unisdk.163.com/feature/query.json
182.253.238.102 update.unisdk.163.com/g0/
182.253.238.102 update.unisdk.163.com/html/latest_default.json
182.253.238.102 update.unisdk.easebar.com/feature/
182.253.238.102 update.unisdk.easebar.com/html/latest_v4.json
182.253.238.102 update.unisdk.easebar.com/html/latest_v9.json
182.253.238.102 update.unisdk.easebar.com/realname/
182.253.238.102 update.unisdk.easebar.com/realname/all.json
182.253.238.102 update.unisdk.easebar.com/realname/all.json.md5
182.253.238.102 applog.matrix.netease.com
182.253.238.102 applog.matrix.netease.com
182.253.238.102 applog.matrix.netease.com
182.253.238.102 applogsg.matrix.easebar.com
182.253.238.102 applogsg.matrix.easebar.com
182.253.238.102 applogsg.matrix.easebar.com
182.253.238.102 data-detect.nie.easebar.com
182.253.238.102 data-detect.nie.netease.com
182.253.238.102 dby.ipaynow.cn/api/payment
182.253.238.102 g0-unipatch.nie.easebar.com
182.253.238.102 g0-unipatch.nie.netease.com
182.253.238.102 mgbsdk.matrix.netease.com
182.253.238.102 mobilegw.alipay.com
182.253.238.102 pay.ipaynow.cn
182.253.238.102 pay.ipaynow.cn/api_release/
182.253.238.102 pay.ipaynow.cn/sdk/syncException
182.253.238.102 sigma-echoes.proxima.nie.netease.com/query/
182.253.238.102 udt-sigma.proxima.nie.easebar.com/query
182.253.238.102 udt-sigma.proxima.nie.netease.com/query
182.253.238.102 unisdk.update.easebar.com/unipatch/
182.253.238.102 www.mediadisk3.net
182.253.238.102 mediadisk4.net
182.253.238.102 www.mediadisk4.net
182.253.238.102 mediadisk5.net
182.253.238.102 www.mediadisk5.net
182.253.238.102 mediadisk6.net
182.253.238.102 www.mediadisk6.net
182.253.238.102 mediadisk7.net
182.253.238.102 www.mediadisk7.net
182.253.238.102 mediadisk8.net
182.253.238.102 www.mediadisk8.net
182.253.238.102 mediadisk9.net
182.253.238.102 www.mediadisk9.net
182.253.238.102 mediadisk6.net
182.253.238.102 www.mediadisk6.net
182.253.238.102 duniaku.net
182.253.238.102 www.duniaku.net
182.253.238.102 mrsnapznet.us
182.253.238.102 www.mrsnapznet.us
182.253.238.102 blackxat.com
182.253.238.102 www.blackxat.com
182.253.238.102 black-xat.com
182.253.238.102 www.xlack-xat.com
182.253.238.102 203.117.172.56
182.253.238.102 203.117.172.43
182.253.238.102 203.117.172.4
182.253.238.102 203.117.172.57
182.253.238.102 bandicam.com
182.253.238.102 www.bandicam.com
182.253.238.102 ssl.bandisoft.com
182.253.238.102 fairplay.pb.garena.co.id
182.253.238.102 wellbia.com
182.253.238.102 www.wellbia.com
182.253.238.102 zm1.november-lax.com
182.253.238.102 www.adnetworkperformance.com
182.253.238.102 n162adserv.com
182.253.238.102 447pihoz.tech
182.253.238.102 rdsa2012.com
182.253.238.102 www.blkget.com
182.253.238.102 ampclicks.com
182.253.238.102 match.mixplugin.com
182.253.238.102 track.funshopfun.com
182.253.238.102 cdn.adplxmd.com
182.253.238.102 cdn.todigroup.com
182.253.238.102 www.blkget8.com
182.253.238.102 Offerjuice.me
182.253.238.102 www.Offerjuice.me
182.253.238.102 www.ab4hr.com
182.253.238.102 track.frwdx.com
182.253.238.102 adsrvmedia.adk2x.com
182.253.238.102 zo6.realsuperblite.com
182.253.238.102 srv.revdepo.com
182.253.238.102 www.trackingclick.net
182.253.238.102 xml.adfclick1.com
182.253.238.102 prjcq.com
182.253.238.102 servicegetbook.net
182.253.238.102 damaral.com
182.253.238.102 Cliponyu.com
182.253.238.102 49.media.tumblr.com
182.253.238.102 40.media.tumblr.com
182.253.238.102 41.media.tumblr.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Hizx3zMagfhaer6maR
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: Triptofan 3.0.exe
Internal Name: Triptofan 3.0
File Version: 1.00
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 184672 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 192512 11024 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 204800 930944 28672 3.93731 37edb9cadbc80f6b2598d625f65d01c4
.vmp0 1138688 220808 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 1359872 642080 643072 5.50856 23791e1f08ba418a435eebc564ba5f3a
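The section table above is the static evidence behind the "Packed" and VMProtect verdicts in the detection names: `.text`, `.data` and `.vmp0` have a non-zero virtual size but a raw size of 0 (nothing on disk, filled in at runtime by the unpacker), their MD5 is the MD5 of empty input, and only `.rsrc` and `.vmp1` carry bytes in the file. The Python below is an added example, not part of the Lavasoft report: it encodes those heuristics (virtual-only sections, packer section names, byte entropy) over a section table and includes a Shannon entropy routine for measuring raw section data yourself. The rows are copied from the table above; the packer name prefixes and the 7.0 entropy threshold are assumptions, and the 5.5 entropy of `.vmp1` is a reminder that virtualized code need not look like compressed data.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str


# Rows copied from the PE Sections table in this report.
SECTIONS = [
    Section(".text", 4096, 184672, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section(".data", 192512, 11024, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section(".rsrc", 204800, 930944, 28672, 3.93731, "37edb9cadbc80f6b2598d625f65d01c4"),
    Section(".vmp0", 1138688, 220808, 0, 0.0, "d41d8cd98f00b204e9800998ecf8427e"),
    Section(".vmp1", 1359872, 642080, 643072, 5.50856, "23791e1f08ba418a435eebc564ba5f3a"),
]

# MD5 of zero bytes: what a hashing tool reports for a section with raw size 0.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

# Assumed mapping of well-known section-name prefixes to packers/protectors.
PACKER_SECTION_PREFIXES = {
    ".vmp": "VMProtect",
    "UPX": "UPX",
    ".themida": "Themida",
    ".aspack": "ASPack",
    ".petite": "Petite",
}


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections, high_entropy=7.0):
    """Return (section_name, indicator) pairs for common packing/protector heuristics."""
    findings = []
    for s in sections:
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append((s.name, "virtual-only section (raw size 0, filled at runtime)"))
            if s.md5 != EMPTY_MD5:
                # A zero-length section must hash to EMPTY_MD5; anything else means the table lies.
                findings.append((s.name, "raw size 0 but non-empty MD5: inconsistent table"))
        for prefix, packer in PACKER_SECTION_PREFIXES.items():
            if s.name.lower().startswith(prefix.lower()):
                findings.append((s.name, f"section name associated with {packer}"))
        if s.entropy >= high_entropy:
            findings.append((s.name, f"high entropy {s.entropy:.2f}"))
    return findings


def likely_packer(sections):
    """Best-guess protector name from section names, or None if no known prefix matches."""
    for s in sections:
        for prefix, packer in PACKER_SECTION_PREFIXES.items():
            if s.name.lower().startswith(prefix.lower()):
                return packer
    return None


def code_bearing_sections(sections):
    """Names of sections that actually occupy bytes in the file (raw_size > 0)."""
    return [s.name for s in sections if s.raw_size > 0]


if __name__ == "__main__":
    print("likely packer:", likely_packer(SECTIONS))
    print("sections present on disk:", code_bearing_sections(SECTIONS))
    for name, indicator in packer_indicators(SECTIONS):
        print(f"{name:8} {indicator}")
```

On a live sample, feed `shannon_entropy()` the bytes of each section (`PointerToRawData` .. `+SizeOfRawData`) rather than the report's column; a virtual-only section has no bytes to measure, which is itself the indicator.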

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://blogspot.l.googleusercontent.com/
hxxp://ghs.google.com/
hxxp://statuscit.com/index/load13.id
hxxp://tools.l.google.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe
hxxp://r5.sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529373009&mv=u&pcm2cms=yes&pl=24&shardbypass=yes
hxxp://tools.l.google.com/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0=
hxxp://tools.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6
hxxp://googleapis.l.google.com/ajax/libs/jquery/2.1.3/jquery.min.js
hxxp://pl14336753.pvclouds.com/c1/91/cd/c191cdedf2d49ff724fe8b19d5277cff.js
hxxp://googleapis.l.google.com/css?family=Oswald:400,700
hxxp://tools.l.google.com/GTSGIAG3.crl
hxxp://tools.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k
hxxp://pagead46.l.doubleclick.net/pagead/js/adsbygoogle.js
hxxp://ad.a-ads.com/713373?size=468x60
hxxp://ie8eamus.com/sfp.js
hxxp://www.modulepush.com/e604cb81f3c1551e1b0b66f6ab1e3f05/invoke.js
hxxp://ad.a-ads.com/a-ads-banners/65682/468x60?region=eu-central-1
hxxp://go.oclasrv.com/apu.php?zoneid=1369047
hxxp://e734.a.akamaiedge.net/js/300/addthis_widget.js
hxxp://deloton.com/apu.php?zoneid=1369047
hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff
hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff
hxxp://ghs.google.com//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts
hxxp://pl14336753.pvclouds.com/invoke.js
hxxp://www.modulepush.com/watch.972275274587?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid=
hxxp://www.modulepush.com/watch.972275274587?shu=629db1921081c1a036e139de420c0edf40d2e91be7166ecec06d61ec4641fd8e592d025be48e5fb10b269e97a0de6009bd72356f9dfdc1c7f6e3a72562cdf0b08000cc9951bf7dcf&pst=1529374364&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&dev=r&res=4.0&kw=[]&tz=3
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ=
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI=
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI=
hxxp://scontent.xx.fbcdn.net/connect/xd_arbiter/r/qMnGlIs-JNW.js?version=42
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc=
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY=
hxxp://ghs.google.com/favicon.ico
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy+emBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEH5c/k1FvZXWtoolHS8QY7c=
hxxp://cdnjs.cloudflare.com/ajax/libs/fingerprintjs2/1.6.1/fingerprint2.min.js
hxxp://a1363.dscg.akamai.net/pki/crl/products/tspca.crl
hxxp://ie8eamus.com/fp?uuid=&fingerprint=ab4174aa8f1a47e69078e73ac87c027d&ua=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)&dev=r&res=4.0&b_frame=false&pk=c191cdedf2d49ff724fe8b19d5277cff
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o+tuynXIiEOLckvPvJE=
hxxp://crl.comodoca.com.cdn.cloudflare.net/COMODORSADomainValidationSecureServerCA.crl
hxxp://cs9.wpc.v0cdn.net/IE9CompatViewList.xml
hxxp://www.citpekalongan.com/
hxxp://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
hxxp://r5---sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529373009&mv=u&pcm2cms=yes&pl=24&shardbypass=yes
hxxp://fonts.googleapis.com/css?family=Oswald:400,700 172.217.21.234
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= 93.184.220.29
hxxp://s7.addthis.com/js/300/addthis_widget.js 2.16.29.231
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o+tuynXIiEOLckvPvJE= 93.184.220.29
hxxp://redirector.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe
hxxp://www.urldelivery.com/watch.972275274587?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid= 198.134.112.244
hxxp://www.citpekalongan.com//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl
hxxp://fonts.gstatic.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff 172.217.21.227
hxxp://citpekalongans.blogspot.com/ 172.217.21.225
hxxp://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
hxxp://crl.pki.goog/GTSGIAG3.crl
hxxp://staticxx.facebook.com/connect/xd_arbiter/r/qMnGlIs-JNW.js?version=42
hxxp://sr.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI= 23.46.123.27
hxxp://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js 216.58.208.42
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= 93.184.220.29
hxxp://www.statuscit.com/index/load13.id 162.241.153.47
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ=
hxxp://fonts.gstatic.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff 172.217.21.227
hxxp://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0=
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc= 178.255.83.1
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY= 93.184.220.29
hxxp://www.bnserving.com/invoke.js
hxxp://www.urldelivery.com/watch.972275274587?shu=629db1921081c1a036e139de420c0edf40d2e91be7166ecec06d61ec4641fd8e592d025be48e5fb10b269e97a0de6009bd72356f9dfdc1c7f6e3a72562cdf0b08000cc9951bf7dcf&pst=1529374364&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&dev=r&res=4.0&kw=[]&tz=3 198.134.112.244
hxxp://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
hxxp://www.citpekalongan.com/favicon.ico
hxxp://static.a-ads.com/a-ads-banners/65682/468x60?region=eu-central-1
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy+emBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEH5c/k1FvZXWtoolHS8QY7c= 178.255.83.1
1.bp.blogspot.com 172.217.21.225
2.bp.blogspot.com 172.217.21.225
adservice.google.com 216.58.206.2
www.blogger.com 172.217.21.233
www.paypalobjects.com 80.239.245.5
a.algovid.com 209.58.138.144
scontent.fiev7-2.fna.fbcdn.net 77.222.131.81


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    GoogleUpdate.exe:2124
    GoogleUpdate.exe:2576
    GoogleUpdate.exe:2628
    GoogleUpdate.exe:1388
    GoogleUpdate.exe:3928
    GoogleUpdate.exe:2104
    GoogleUpdateSetup.exe:4084

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_en.dll (45 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
    %Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
    %Program Files%\GUM9387.tmp\goopdate.dll (49 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
    %Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
    %Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
    %Program Files%\Google\Update\1.3.31.5 (28 bytes)
    %Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\Google\Update\Install\{A414FE65-6B28-45C9-83F9-A2357E0ADEFD}\GoogleUpdateSetup.exe (7596 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdateSetup.exe (7547 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_pt-BR.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_bg.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_hr.dll (43 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdateCore.exe (838 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_is.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_uk.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_pt-PT.dll (43 bytes)
    %Program Files%\GUT9388.tmp (7 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_gu.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_nl.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_pl.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_sr.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ca.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ar.dll (41 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_fil.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_te.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ja.dll (39 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ms.dll (42 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_fa.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ru.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_lv.dll (44 bytes)
    %Program Files%\GUM9387.tmp\npGoogleUpdate3.dll (838 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_th.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ko.dll (38 bytes)
    %Program Files%\GUM9387.tmp\GoogleCrashHandler64.exe (550 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_cs.dll (43 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdateBroker.exe (96 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_vi.dll (42 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdateHelper.msi (40 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdate.exe (308 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_et.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_sw.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_mr.dll (44 bytes)
    %Program Files%\GUM9387.tmp\psmachine.dll (206 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_fr.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_sl.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_no.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ro.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_de.dll (45 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_it.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_es-419.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_fi.dll (43 bytes)
    %Program Files%\GUM9387.tmp\psuser.dll (206 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_en-GB.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_da.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_zh-CN.dll (36 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_id.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_lt.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_am.dll (42 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ta.dll (45 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdateOnDemand.exe (96 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_hi.dll (43 bytes)
    %Program Files%\GUM9387.tmp\psuser_64.dll (248 bytes)
    %Program Files%\GUM9387.tmp\psmachine_64.dll (248 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_hu.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_el.dll (44 bytes)
    %Program Files%\GUM9387.tmp\GoogleCrashHandler.exe (550 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ur.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_zh-TW.dll (36 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_iw.dll (40 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_kn.dll (44 bytes)
    %Program Files%\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_bn.dll (44 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_tr.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_sk.dll (43 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_es.dll (45 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_ml.dll (46 bytes)
    %Program Files%\GUM9387.tmp\goopdateres_sv.dll (43 bytes)
    C:\Windows\System32\MSINET.OCX (267 bytes)
    C:\Windows\System32\COMCTL32.OCX (608 bytes)
    C:\Windows\0BCZU.dll (332 bytes)
    C:\Windows\System32\COMDLG32.OCX (307 bytes)
    C:\Windows\System32\drivers\etc\hosts (9 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
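Step 4 above is the part of the cleanup worth automating, because the sample's HOSTS-file edit is large and easy to miss by eye: a long block of entries (see the network-activity list earlier on this page) points cheat-site and game-SDK hostnames at a single non-loopback address, 182.253.238.102, and several of the tokens it wrote are URL paths or host:port strings that a hosts file cannot match at all. The Python below is an added example and not part of the Lavasoft report: it parses hosts-file text, flags any non-loopback IP that is the target of many hostnames (the redirect/sinkhole pattern) and any token that is not a syntactically valid hostname, and returns the file reduced to its comments and loopback entries. The sample hosts lines are constructed from entries in this report; the fan-out threshold of 5 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a default loopback block plus a handful of the entries this
# report lists as written by the sample (one IP, many names, some non-hostname tokens).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
182.253.238.102 gelo-cheats.com
182.253.238.102 www.gelo-cheats.com
182.253.238.102 mrcheat.us
182.253.238.102 mrcheat.us/blog
182.253.238.102 bancyberz.com
182.253.238.102 kotakciter.blogspot.com
182.253.238.102 140.207.168.45/g/d
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/init
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# RFC 1123 label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def parse_hosts(text):
    """Yield (ip, name) pairs from hosts-file text, skipping blanks and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name


def is_valid_hostname(name):
    """True if `name` could be matched by the resolver (no '/', ':', query strings, etc.)."""
    return len(name) <= 253 and bool(HOSTNAME_RE.match(name))


def audit_hosts(text, fanout_threshold=5):
    """Audit hosts-file text.

    Returns {"redirect_targets": {ip: [names]}, "malformed": [(ip, token)]} where
    redirect_targets holds non-loopback IPs mapped from >= fanout_threshold valid
    hostnames and malformed holds tokens that cannot be hostnames (e.g. URL paths).
    """
    targets = defaultdict(list)
    malformed = []
    for ip, name in parse_hosts(text):
        if not is_valid_hostname(name):
            malformed.append((ip, name))   # ineffective for resolution, but not written by hand
            continue
        if ip in LOOPBACK:
            continue                       # 127.0.0.1 / ::1 entries are the normal case
        targets[ip].append(name)
    redirect_targets = {
        ip: sorted(names) for ip, names in targets.items() if len(names) >= fanout_threshold
    }
    return {"redirect_targets": redirect_targets, "malformed": malformed}


def restore_default_hosts(text):
    """Return the hosts text with every non-loopback mapping removed (comments kept)."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body or body.split()[0] in LOOPBACK:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On a live host read %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    findings = audit_hosts(SAMPLE_HOSTS)
    for ip, names in findings["redirect_targets"].items():
        print(f"{ip} is the target of {len(names)} hostnames: {', '.join(names)}")
    for ip, token in findings["malformed"]:
        print(f"not a hostname: {ip} {token}")
    print("--- restored ---")
    print(restore_default_hosts(SAMPLE_HOSTS), end="")
```

Run it against the real file as an administrator before deleting anything, and keep the flagged block as an indicator: the redirect target and the hostname set are more stable identifiers of this campaign than the packed executable's hash.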

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
