Gen.Variant.Symmi.43793_d9a30954a7
Gen:Variant.Symmi.87613 (BitDefender), Trojan:Win32/Tiggre!rfn (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader26.50501 (DrWeb), Gen:Variant.Symmi.87613 (B) (Emsisoft), Generic-FAAF!D9A30954A785 (McAfee), Packed.Vmpbad!gen4 (Symantec), Trojan.Win32.VMProtect (Ikarus), Gen:Variant.Symmi.87613 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R020C0CFC18 (TrendMicro), Gen:Variant.Symmi.43793 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Packed, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: d9a30954a785a42afd0b8ca5122a1efe
SHA1: d74e532e501afcaac728e71190d713beb006f994
SHA256: 68185a6385ac03ba0c8f38d4126cd8a9f65d5c7be5a5e44fd2d19ae77e8358dd
SSDeep: 12288:/SIiLWB7v4WpOsCVfTfhctha9WUR8GIGMgZvLBtLxKVAPRxJ6lVQ:/SIiLAZDton8lNgBH0VMWK
Size: 675840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2018-06-13 08:21:19
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
GoogleUpdate.exe:2124
GoogleUpdate.exe:2576
GoogleUpdate.exe:2628
GoogleUpdate.exe:1388
GoogleUpdate.exe:3928
GoogleUpdate.exe:2104
GoogleUpdateSetup.exe:4084
The Trojan injects its code into the following process(es):
UI0Detect.exe:2796
UI0Detect.exe:2656
%original file name%.exe:3508
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:2124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\GUM9387.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)
The process GoogleUpdate.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\Install\{A414FE65-6B28-45C9-83F9-A2357E0ADEFD}\GoogleUpdateSetup.exe (7596 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{F509E677-519E-471C-83A3-F4168DDF8EDE}-GoogleUpdateSetup.exe (0 bytes)
The process GoogleUpdateSetup.exe:4084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\GUM9387.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM9387.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUT9388.tmp (7 bytes)
%Program Files%\GUM9387.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM9387.tmp (32 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM9387.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM9387.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM9387.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM9387.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM9387.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM9387.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM9387.tmp\psuser.dll (206 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM9387.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM9387.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM9387.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM9387.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM9387.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sv.dll (43 bytes)
The Trojan deletes the following file(s):
%Program Files%\GUM9387.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUT9388.tmp (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ru.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM9387.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_et.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM9387.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM9387.tmp (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM9387.tmp\psuser.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM9387.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM9387.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sv.dll (0 bytes)
The process %original file name%.exe:3508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Windows\System32\COMCTL32.OCX (608 bytes)
C:\Windows\0BCZU.dll (332 bytes)
C:\Windows\System32\COMDLG32.OCX (307 bytes)
C:\Windows\System32\drivers\etc\hosts (9 bytes)
The Trojan deletes the following file(s):
C:\Windows\System32\drivers\etc\hosts (0 bytes)
Registry activity
The process GoogleUpdate.exe:2124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"
[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"
[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{42BECD3C-F136-4EAD-A1D6-D7C89536F199}]
"PersistedPingString" = "
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"
[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1529374346"
[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.17"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{42BECD3C-F136-4EAD-A1D6-D7C89536F199}]
"PersistedPingTime" = "131738479466837598"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1529374346"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\Update\1.3.31.5,"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"
[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{42BECD3C-F136-4EAD-A1D6-D7C89536F199}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"
[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"
[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"
[HKLM\SOFTWARE\Google\Update]
"ui"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"
[HKLM\SOFTWARE\Google\Update]
"mi"
The process GoogleUpdate.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"
[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"
[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"
[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"
[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"
[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}]
"(Default)" = "PSFactoryBuffer"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:2628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"
[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"
[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"
[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"
[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4186"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4186"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529305202"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529305202"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "4186"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{EE9B2F9B-2137-4053-ACB1-BB11994627A7}]
"PersistedPingString" = "
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""
[HKLM\SOFTWARE\Google\Update\PersistedPings\{937DCB29-59A8-492F-938C-4A45E4D17DF8}]
"PersistedPingTime" = "131738478839148430"
[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4186"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529305202"
"ping_freshness" = "{5649E2C3-3B69-4FF2-AFE2-2E595EE9835B}"
[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529374283"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{3C080054-7C18-414D-AB45-5C58738AC88C}"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529305202"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{EE9B2F9B-2137-4053-ACB1-BB11994627A7}]
"PersistedPingTime" = "131738478763748285"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4186"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{7F141017-B102-46FA-B09B-1A79985B0270}"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529374283"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529305202"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{937DCB29-59A8-492F-938C-4A45E4D17DF8}]
"PersistedPingString" = "
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{937DCB29-59A8-492F-938C-4A45E4D17DF8}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{EE9B2F9B-2137-4053-ACB1-BB11994627A7}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
"LastInstallerError"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"
[HKLM\SOFTWARE\Google\Update]
"uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
The process GoogleUpdate.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process %original file name%.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version]
"(Default)" = "1.2"
[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCR\MSComDlg.CommonDialog.1\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"
[HKCR\MSComDlg.CommonDialog\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Font Property Page Object"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}]
"(Default)" = "ICommonDialog"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "ICommonDialogEvents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.OCX, 1"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS]
"(Default)" = "2"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID]
"(Default)" = "MSComDlg.CommonDialog.1"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX, 1"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID]
"(Default)" = "MSComDlg.CommonDialog"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"Version" = "1.2"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Help Property Page Object"
[HKCR\MSComDlg.CommonDialog\CurVer]
"(Default)" = "MSComDlg.CommonDialog.1"
[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1]
"(Default)" = "132499"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2]
"(Default)" = "Microsoft Common Dialog Control 6.0 (SP6)"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"Version" = "1.2"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"MaxFileSize" = "1048576"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Open Property Page Object"
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\MSComDlg.CommonDialog]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\d9a30954a785a42afd0b8ca5122a1efe_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"
[HKCR\MSComDlg.CommonDialog.1]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Color Property Page Object"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Print Property Page Object"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
Dropped PE files
| MD5 | File path |
|---|---|
| 6c718849d436a7ccebed72538f8bd04b | c:\Program Files\GUM9387.tmp\GoogleCrashHandler.exe |
| d2f56e366f1cb26866a6f43bd53b46c3 | c:\Program Files\GUM9387.tmp\GoogleCrashHandler64.exe |
| 92ee791a630830452485e8e375f8db35 | c:\Program Files\GUM9387.tmp\GoogleUpdate.exe |
| 8171211b809414b6d8a8e4f6ea8cf140 | c:\Program Files\GUM9387.tmp\GoogleUpdateBroker.exe |
| 03b587bfaf6dd67b330ccb6fb99ca59a | c:\Program Files\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe |
| 678dd73ca364411bcf431892b8f878da | c:\Program Files\GUM9387.tmp\GoogleUpdateCore.exe |
| 96e08eb0d929c279536bdbbc543da8fb | c:\Program Files\GUM9387.tmp\GoogleUpdateOnDemand.exe |
| 53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\GUM9387.tmp\GoogleUpdateSetup.exe |
| 063ca1017835923689c4957562ea2862 | c:\Program Files\GUM9387.tmp\GoogleUpdateWebPlugin.exe |
| 463a426da94fc2418a713ceebb799e22 | c:\Program Files\GUM9387.tmp\goopdate.dll |
| e433408ca45786f9b6b7873709f57eba | c:\Program Files\GUM9387.tmp\goopdateres_am.dll |
| 9d85c8517de4db2380aa14593d8a899a | c:\Program Files\GUM9387.tmp\goopdateres_ar.dll |
| f376765117f5b82123ec1f4fd352fb9c | c:\Program Files\GUM9387.tmp\goopdateres_bg.dll |
| 4a5e2fac15b93b43a2ee673e2e111478 | c:\Program Files\GUM9387.tmp\goopdateres_bn.dll |
| 230fe7b526bde7aff33b616618a8d05a | c:\Program Files\GUM9387.tmp\goopdateres_ca.dll |
| 9b598c6a4d3d9586f93feca20f51da70 | c:\Program Files\GUM9387.tmp\goopdateres_cs.dll |
| b1bd2d1889f42f20aeac5f1998d8b21b | c:\Program Files\GUM9387.tmp\goopdateres_da.dll |
| e5ea4068551b3ac782d955a699222067 | c:\Program Files\GUM9387.tmp\goopdateres_de.dll |
| 68cf3b8fef6b56cd583e8c30ae8ca563 | c:\Program Files\GUM9387.tmp\goopdateres_el.dll |
| 2087af32c82c00e32094ae86dcf35607 | c:\Program Files\GUM9387.tmp\goopdateres_en-GB.dll |
| 9c2a3eec41cd4effd6ffecaa910dd7da | c:\Program Files\GUM9387.tmp\goopdateres_en.dll |
| 7c7c2b897c7107e910eab8b669c93738 | c:\Program Files\GUM9387.tmp\goopdateres_es-419.dll |
| 73ccbf92e13acc6389bb9f7dd04935b6 | c:\Program Files\GUM9387.tmp\goopdateres_es.dll |
| a2cb2c0b126c87336bc2b29a3e995dc5 | c:\Program Files\GUM9387.tmp\goopdateres_et.dll |
| 1d688c7571f047a36b585d810e02067f | c:\Program Files\GUM9387.tmp\goopdateres_fa.dll |
| 81f8d0fbff693910fedc808047cdf156 | c:\Program Files\GUM9387.tmp\goopdateres_fi.dll |
| 6cec555d88a69bdb910188c2b53b19a3 | c:\Program Files\GUM9387.tmp\goopdateres_fil.dll |
| 598294ce0043943aa4cc04edc139e6c8 | c:\Program Files\GUM9387.tmp\goopdateres_fr.dll |
| 7d3a8a7aec219fcbecacd04f1ad66053 | c:\Program Files\GUM9387.tmp\goopdateres_gu.dll |
| 0a9a7354a95c559a4093f24fff784911 | c:\Program Files\GUM9387.tmp\goopdateres_hi.dll |
| de931037c2f487efa900aa6590cac9e0 | c:\Program Files\GUM9387.tmp\goopdateres_hr.dll |
| 456664b46a1948b0df8785bd5b87f858 | c:\Program Files\GUM9387.tmp\goopdateres_hu.dll |
| 43a73db8674c025026ed4cad9359a574 | c:\Program Files\GUM9387.tmp\goopdateres_id.dll |
| 5e609c7d0ab38fa244949da75da04a1b | c:\Program Files\GUM9387.tmp\goopdateres_is.dll |
| d002a3352574a6e6999a6f2c23566745 | c:\Program Files\GUM9387.tmp\goopdateres_it.dll |
| ffef2d63908222cacee0e40c138d5986 | c:\Program Files\GUM9387.tmp\goopdateres_iw.dll |
| b71ff4a60875f30db7e492d4806f0c92 | c:\Program Files\GUM9387.tmp\goopdateres_ja.dll |
| c6a1c2e334df66970a03b30539757f36 | c:\Program Files\GUM9387.tmp\goopdateres_kn.dll |
| fb58fffc04f44137610caae567cfaf6a | c:\Program Files\GUM9387.tmp\goopdateres_ko.dll |
| 3b033e1092474acd6b7cfcf01a999d34 | c:\Program Files\GUM9387.tmp\goopdateres_lt.dll |
| 3b00a99d877881ba0fc786fdd8e3b426 | c:\Program Files\GUM9387.tmp\goopdateres_lv.dll |
| 157bf7b8eca4bc66d5c7fb3e358d5c58 | c:\Program Files\GUM9387.tmp\goopdateres_ml.dll |
| 7c864e8d77ebe0bc8451ade4f67f68b3 | c:\Program Files\GUM9387.tmp\goopdateres_mr.dll |
| 225c45af996ebf983800025ea32f6c18 | c:\Program Files\GUM9387.tmp\goopdateres_ms.dll |
| 2b04cd187acac2019e13195a3cc53a31 | c:\Program Files\GUM9387.tmp\goopdateres_nl.dll |
| 38651bcc330768d3e74763452a8e46e2 | c:\Program Files\GUM9387.tmp\goopdateres_no.dll |
| 531e1fca96b1cc6dfbb74c2e96d990c7 | c:\Program Files\GUM9387.tmp\goopdateres_pl.dll |
| 237642b8bddfe765e073a3aa6c29ca0a | c:\Program Files\GUM9387.tmp\goopdateres_pt-BR.dll |
| 298f4f2bd4e7b962615bcf0ed3d673ca | c:\Program Files\GUM9387.tmp\goopdateres_pt-PT.dll |
| ea1ef744fb8ba02148b362adeac70952 | c:\Program Files\GUM9387.tmp\goopdateres_ro.dll |
| 774b5644ad40e4d3863d81a7d30d4fae | c:\Program Files\GUM9387.tmp\goopdateres_ru.dll |
| 6ffd62c9d080288bcc95816afd018048 | c:\Program Files\GUM9387.tmp\goopdateres_sk.dll |
| d7b41237faca93b3d0666e4fd38092b8 | c:\Program Files\GUM9387.tmp\goopdateres_sl.dll |
| 25bbd03fc02f7daa9168dce7dfaef624 | c:\Program Files\GUM9387.tmp\goopdateres_sr.dll |
| e645c5eb4401b5e443a9744fc141b2f5 | c:\Program Files\GUM9387.tmp\goopdateres_sv.dll |
| 2f111d7785bfcd6b4228df0cdf353407 | c:\Program Files\GUM9387.tmp\goopdateres_sw.dll |
| 8bb63ae799037b02a89c42408abf755a | c:\Program Files\GUM9387.tmp\goopdateres_ta.dll |
| 2f40316ac456b383c58be478daf69ce9 | c:\Program Files\GUM9387.tmp\goopdateres_te.dll |
| cdc5e8fdba12f79c056bcf3085335ac5 | c:\Program Files\GUM9387.tmp\goopdateres_th.dll |
| 811ac46d616f94ae885175863e0ce95d | c:\Program Files\GUM9387.tmp\goopdateres_tr.dll |
| 23725511dd277f08993bbfbaf27123c1 | c:\Program Files\GUM9387.tmp\goopdateres_uk.dll |
| 3edc8f630a94d57674097194540a9f6a | c:\Program Files\GUM9387.tmp\goopdateres_ur.dll |
| baff2a81498cb67c560d443e96153060 | c:\Program Files\GUM9387.tmp\goopdateres_vi.dll |
| 6c2d04d599eb5b4549653d030d9d6550 | c:\Program Files\GUM9387.tmp\goopdateres_zh-CN.dll |
| f66719fb333de285e6edd1fd20e0edf8 | c:\Program Files\GUM9387.tmp\goopdateres_zh-TW.dll |
| 671e1e25f6f08809863bb9aed544e70e | c:\Program Files\GUM9387.tmp\npGoogleUpdate3.dll |
| cca7a6b6c2bce1e8af12a95f69c4cc8f | c:\Program Files\GUM9387.tmp\psmachine.dll |
| edad26bca1696d23ecb9dc3ab48fd551 | c:\Program Files\GUM9387.tmp\psmachine_64.dll |
| c2762290bb2ece339d4c63f7a8a6acc8 | c:\Program Files\GUM9387.tmp\psuser.dll |
| 58b48e4352559d4d76776377fde5df0c | c:\Program Files\GUM9387.tmp\psuser_64.dll |
| 6c718849d436a7ccebed72538f8bd04b | c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler.exe |
| d2f56e366f1cb26866a6f43bd53b46c3 | c:\Program Files\Google\Update\1.3.33.17\GoogleCrashHandler64.exe |
| 92ee791a630830452485e8e375f8db35 | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdate.exe |
| 03b587bfaf6dd67b330ccb6fb99ca59a | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe |
| 678dd73ca364411bcf431892b8f878da | c:\Program Files\Google\Update\1.3.33.17\GoogleUpdateCore.exe |
| 463a426da94fc2418a713ceebb799e22 | c:\Program Files\Google\Update\1.3.33.17\goopdate.dll |
| e433408ca45786f9b6b7873709f57eba | c:\Program Files\Google\Update\1.3.33.17\goopdateres_am.dll |
| 9d85c8517de4db2380aa14593d8a899a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ar.dll |
| f376765117f5b82123ec1f4fd352fb9c | c:\Program Files\Google\Update\1.3.33.17\goopdateres_bg.dll |
| 4a5e2fac15b93b43a2ee673e2e111478 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_bn.dll |
| 230fe7b526bde7aff33b616618a8d05a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ca.dll |
| 9b598c6a4d3d9586f93feca20f51da70 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_cs.dll |
| b1bd2d1889f42f20aeac5f1998d8b21b | c:\Program Files\Google\Update\1.3.33.17\goopdateres_da.dll |
| e5ea4068551b3ac782d955a699222067 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_de.dll |
| 68cf3b8fef6b56cd583e8c30ae8ca563 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_el.dll |
| 2087af32c82c00e32094ae86dcf35607 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_en-GB.dll |
| 9c2a3eec41cd4effd6ffecaa910dd7da | c:\Program Files\Google\Update\1.3.33.17\goopdateres_en.dll |
| 7c7c2b897c7107e910eab8b669c93738 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_es-419.dll |
| 73ccbf92e13acc6389bb9f7dd04935b6 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_es.dll |
| a2cb2c0b126c87336bc2b29a3e995dc5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_et.dll |
| 1d688c7571f047a36b585d810e02067f | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fa.dll |
| 81f8d0fbff693910fedc808047cdf156 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fi.dll |
| 6cec555d88a69bdb910188c2b53b19a3 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fil.dll |
| 598294ce0043943aa4cc04edc139e6c8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_fr.dll |
| 7d3a8a7aec219fcbecacd04f1ad66053 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_gu.dll |
| 0a9a7354a95c559a4093f24fff784911 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hi.dll |
| de931037c2f487efa900aa6590cac9e0 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hr.dll |
| 456664b46a1948b0df8785bd5b87f858 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_hu.dll |
| 43a73db8674c025026ed4cad9359a574 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_id.dll |
| 5e609c7d0ab38fa244949da75da04a1b | c:\Program Files\Google\Update\1.3.33.17\goopdateres_is.dll |
| d002a3352574a6e6999a6f2c23566745 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_it.dll |
| ffef2d63908222cacee0e40c138d5986 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_iw.dll |
| b71ff4a60875f30db7e492d4806f0c92 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ja.dll |
| c6a1c2e334df66970a03b30539757f36 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_kn.dll |
| fb58fffc04f44137610caae567cfaf6a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ko.dll |
| 3b033e1092474acd6b7cfcf01a999d34 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_lt.dll |
| 3b00a99d877881ba0fc786fdd8e3b426 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_lv.dll |
| 157bf7b8eca4bc66d5c7fb3e358d5c58 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ml.dll |
| 7c864e8d77ebe0bc8451ade4f67f68b3 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_mr.dll |
| 225c45af996ebf983800025ea32f6c18 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ms.dll |
| 2b04cd187acac2019e13195a3cc53a31 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_nl.dll |
| 38651bcc330768d3e74763452a8e46e2 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_no.dll |
| 531e1fca96b1cc6dfbb74c2e96d990c7 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pl.dll |
| 237642b8bddfe765e073a3aa6c29ca0a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-BR.dll |
| 298f4f2bd4e7b962615bcf0ed3d673ca | c:\Program Files\Google\Update\1.3.33.17\goopdateres_pt-PT.dll |
| ea1ef744fb8ba02148b362adeac70952 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ro.dll |
| 774b5644ad40e4d3863d81a7d30d4fae | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ru.dll |
| 6ffd62c9d080288bcc95816afd018048 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sk.dll |
| d7b41237faca93b3d0666e4fd38092b8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sl.dll |
| 25bbd03fc02f7daa9168dce7dfaef624 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sr.dll |
| e645c5eb4401b5e443a9744fc141b2f5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sv.dll |
| 2f111d7785bfcd6b4228df0cdf353407 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_sw.dll |
| 8bb63ae799037b02a89c42408abf755a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ta.dll |
| 2f40316ac456b383c58be478daf69ce9 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_te.dll |
| cdc5e8fdba12f79c056bcf3085335ac5 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_th.dll |
| 811ac46d616f94ae885175863e0ce95d | c:\Program Files\Google\Update\1.3.33.17\goopdateres_tr.dll |
| 23725511dd277f08993bbfbaf27123c1 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_uk.dll |
| 3edc8f630a94d57674097194540a9f6a | c:\Program Files\Google\Update\1.3.33.17\goopdateres_ur.dll |
| baff2a81498cb67c560d443e96153060 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_vi.dll |
| 6c2d04d599eb5b4549653d030d9d6550 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-CN.dll |
| f66719fb333de285e6edd1fd20e0edf8 | c:\Program Files\Google\Update\1.3.33.17\goopdateres_zh-TW.dll |
| 53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe |
| 53baee50f7a69bf3bc0fffe25341a923 | c:\Program Files\Google\Update\Install\{A414FE65-6B28-45C9-83F9-A2357E0ADEFD}\GoogleUpdateSetup.exe |
| eb5f811c1f78005b3c147599a0cccf51 | c:\Windows\System32\COMCTL32.OCX |
| ab412429f1e5fb9708a8cdea07479099 | c:\Windows\System32\COMDLG32.OCX |
| 90a39346e9b67f132ef133725c487ff6 | c:\Windows\System32\MSINET.OCX |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 9024 bytes in size. The following strings are added to the hosts file listed below:
| 182.253.238.102 | localhost |
| 182.253.238.102 | www.puasaciter.com |
| 182.253.238.102 | puasaciter.com |
| 182.253.238.102 | citpekalongan.net |
| 182.253.238.102 | www.citpekalongan.net |
| 182.253.238.102 | www.pekalongan-kommuniti.net |
| 182.253.238.102 | wawcheatvip.blogspot.co.id |
| 182.253.238.102 | wawcheatvip.blogspot.com |
| 182.253.238.102 | waw-jakarta-cheater.blogspot.co.id |
| 182.253.238.102 | waw-jakarta-cheater.blogspot.com |
| 182.253.238.102 | pekalongan-kommuniti-cheat.blogspot.com |
| 182.253.238.102 | pekalongan-kommuniti-cheat.blogspot.co.id |
| 182.253.238.102 | www.pekalongankomuniti.com |
| 182.253.238.102 | pekalongan-kommunitiy.blogspot.com |
| 182.253.238.102 | pointblankidhack.xyz |
| 182.253.238.102 | pekalongan-kommuniti.net |
| 182.253.238.102 | rhm-files.blogspot.co.id |
| 182.253.238.102 | www.rhm-files.blogspot.co.id |
| 182.253.238.102 | rhm-files.blogspot.com |
| 182.253.238.102 | sites.google.com |
| 182.253.238.102 | www.rhm-files.blogspot.com |
| 182.253.238.102 | rhm-files.blogspot.sg |
| 182.253.238.102 | www.rhm-files.blogspot.sg |
| 182.253.238.102 | mrcheat.us |
| 182.253.238.102 | www.mrcheat.us |
| 182.253.238.102 | www.mrcheat.net |
| 182.253.238.102 | applogsg.matrix.netease.com |
| 182.253.238.102 | mgbsdksgtest.matrix.netease.com |
| 182.253.238.102 | unisdk.update.netease.com |
| 182.253.238.102 | netease.com |
| 182.253.238.102 | mrcheat.net |
| 182.253.238.102 | rhm-files.blogspot.co.uk |
| 182.253.238.102 | www.rhm-files.blogspot.co.uk |
| 182.253.238.102 | rhm-files.blogspot.de |
| 182.253.238.102 | www.rezpektor-key.net |
| 182.253.238.102 | rezpektor-key.net |
| 182.253.238.102 | vista-tigabelas.blogspot.com |
| 182.253.238.102 | vista-tigabelas.blogspot.co.id |
| 182.253.238.102 | vista-tigabelas.blogspot.de |
| 182.253.238.102 | d-cit.blogspot.com |
| 182.253.238.102 | d-cit.blogspot.co.id |
| 182.253.238.102 | mod-cit.blogspot.co.id |
| 182.253.238.102 | mod-cit.blogspot.com |
| 182.253.238.102 | mod-cit.blogspot.de |
| 182.253.238.102 | www.gelo-cheats.com |
| 182.253.238.102 | gelo-cheats.com |
| 182.253.238.102 | bancyberz.com |
| 182.253.238.102 | www.vvip-x-anonymous.com |
| 182.253.238.102 | vvip-x-anonymous.com |
| 182.253.238.102 | mrcheat.us |
| 182.253.238.102 | www.mrcheat.us |
| 182.253.238.102 | mrcheat.us/blog |
| 182.253.238.102 | www.mrcheat.us/blog |
| 182.253.238.102 | www.mrcheat.us/blog/ |
| 182.253.238.102 | bagicheatonline.blogspot.co.id |
| 182.253.238.102 | bagicheatonline.blogspot.com |
| 182.253.238.102 | bagicheatonline.blogspot.de |
| 182.253.238.102 | triomarbot.com |
| 182.253.238.102 | www.bagicheatonline.blogspot.co.id |
| 182.253.238.102 | www.sundaizer.com |
| 182.253.238.102 | sundaizer.com |
| 182.253.238.102 | www.bancyberz.com |
| 182.253.238.102 | gudang-ngecit.com |
| 182.253.238.102 | www.gudang-ngecit.com |
| 182.253.238.102 | mediadisk.net |
| 182.253.238.102 | cupit-cheat.com |
| 182.253.238.102 | www.cupit-cheat.com |
| 182.253.238.102 | www.mediadisk.net |
| 182.253.238.102 | propekalongan-kommunity.blogspot.co.id |
| 182.253.238.102 | www.propekalongan-kommunity.blogspot.co.id |
| 182.253.238.102 | propekalongan-kommunity.blogspot.com |
| 182.253.238.102 | www.propekalongan-kommunity.blogspot.com |
| 182.253.238.102 | propekalongan-kommunity.blogspot.sg |
| 182.253.238.102 | mitracit.blogspot.co.id |
| 182.253.238.102 | mitracit.blogspot.com |
| 182.253.238.102 | www.propekalongan-kommunity.blogspot.sg |
| 182.253.238.102 | kotakciter.blogspot.co.id |
| 182.253.238.102 | www.kotakciter.blogspot.co.id |
| 182.253.238.102 | kotakciter.blogspot.com |
| 182.253.238.102 | www.kotakciter.blogspot.com |
| 182.253.238.102 | kotakciter.blogspot.sg |
| 182.253.238.102 | www.kotakciter.blogspot.sg |
| 182.253.238.102 | kotakciter.blogspot.co.uk |
| 182.253.238.102 | www.kotakciter.blogspot.co.uk |
| 182.253.238.102 | www.citpurworejo.com |
| 182.253.238.102 | citpurworejo.com |
| 182.253.238.102 | www.vazdancer.net |
| 182.253.238.102 | vazdancer.net |
| 182.253.238.102 | mediadisk.net |
| 182.253.238.102 | www.mediadisk.net |
| 182.253.238.102 | mediadisk.net |
| 182.253.238.102 | www.mediadisk.net |
| 182.253.238.102 | mediadisk1.net |
| 182.253.238.102 | www.mediadisk.net |
| 182.253.238.102 | mediadisk1.net |
| 182.253.238.102 | www.mediadisk.net |
| 182.253.238.102 | mediadisk2.net |
| 182.253.238.102 | www.mediadisk2.net |
| 182.253.238.102 | mediadisk3.net |
| 182.253.238.102 | 140.207.168.45/g/d |
| 182.253.238.102 | api.goapk.com |
| 182.253.238.102 | api.goapk.com/ucsdk.php |
| 182.253.238.102 | appdump.x.netease.com/upload |
| 182.253.238.102 | fc.my.163.com:8080/ |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/before_create_order |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/check_channel |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/check_white_phone |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/create_order |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/dot_upload |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/init |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/reg_ver_confirm |
| 182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/ver_confirm |
| 182.253.238.102 | g0.gdl.netease.com |
| 182.253.238.102 | g73.drpf.x.easebar.com |
| 182.253.238.102 | h5.m.taobao.com/trade/paySuccess.html?bizOrderId=$OrderId$& |
| 182.253.238.102 | hydra.alibaba.com |
| 182.253.238.102 | m.alipay.com/?action=h5quit |
| 182.253.238.102 | mbdl.update.netease.com/%s.mbdl |
| 182.253.238.102 | mbdl.update.netease.com/httpdns.mbdl |
| 182.253.238.102 | mcgw.alipay.com/sdklog.do |
| 182.253.238.102 | mobile.unionpay.com/getclient?platform=android&type=securepayplugin |
| 182.253.238.102 | mobilegw-1-64.test.alipay.net/mgw.htm |
| 182.253.238.102 | mobilegw.aaa.alipay.net/mgw.htm |
| 182.253.238.102 | mobilegw.alipay.com/mgw.htm |
| 182.253.238.102 | mobilegw.stable.alipay.net/mgw.htm |
| 182.253.238.102 | tqlm.16163.com/zt/tqlm/gamefeedback-test/index.html |
| 182.253.238.102 | update.unisdk.163.com/feature/query.json |
| 182.253.238.102 | update.unisdk.163.com/g0/ |
| 182.253.238.102 | update.unisdk.163.com/html/latest_default.json |
| 182.253.238.102 | update.unisdk.easebar.com/feature/ |
| 182.253.238.102 | update.unisdk.easebar.com/html/latest_v4.json |
| 182.253.238.102 | update.unisdk.easebar.com/html/latest_v9.json |
| 182.253.238.102 | update.unisdk.easebar.com/realname/ |
| 182.253.238.102 | update.unisdk.easebar.com/realname/all.json |
| 182.253.238.102 | update.unisdk.easebar.com/realname/all.json.md5 |
| 182.253.238.102 | applog.matrix.netease.com |
| 182.253.238.102 | applog.matrix.netease.com |
| 182.253.238.102 | applog.matrix.netease.com |
| 182.253.238.102 | applogsg.matrix.easebar.com |
| 182.253.238.102 | applogsg.matrix.easebar.com |
| 182.253.238.102 | applogsg.matrix.easebar.com |
| 182.253.238.102 | data-detect.nie.easebar.com |
| 182.253.238.102 | data-detect.nie.netease.com |
| 182.253.238.102 | dby.ipaynow.cn/api/payment |
| 182.253.238.102 | g0-unipatch.nie.easebar.com |
| 182.253.238.102 | g0-unipatch.nie.netease.com |
| 182.253.238.102 | mgbsdk.matrix.netease.com |
| 182.253.238.102 | mobilegw.alipay.com |
| 182.253.238.102 | pay.ipaynow.cn |
| 182.253.238.102 | pay.ipaynow.cn/api_release/ |
| 182.253.238.102 | pay.ipaynow.cn/sdk/syncException |
| 182.253.238.102 | sigma-echoes.proxima.nie.netease.com/query/ |
| 182.253.238.102 | udt-sigma.proxima.nie.easebar.com/query |
| 182.253.238.102 | udt-sigma.proxima.nie.netease.com/query |
| 182.253.238.102 | unisdk.update.easebar.com/unipatch/ |
| 182.253.238.102 | www.mediadisk3.net |
| 182.253.238.102 | mediadisk4.net |
| 182.253.238.102 | www.mediadisk4.net |
| 182.253.238.102 | mediadisk5.net |
| 182.253.238.102 | www.mediadisk5.net |
| 182.253.238.102 | mediadisk6.net |
| 182.253.238.102 | www.mediadisk6.net |
| 182.253.238.102 | mediadisk7.net |
| 182.253.238.102 | www.mediadisk7.net |
| 182.253.238.102 | mediadisk8.net |
| 182.253.238.102 | www.mediadisk8.net |
| 182.253.238.102 | mediadisk9.net |
| 182.253.238.102 | www.mediadisk9.net |
| 182.253.238.102 | mediadisk6.net |
| 182.253.238.102 | www.mediadisk6.net |
| 182.253.238.102 | duniaku.net |
| 182.253.238.102 | www.duniaku.net |
| 182.253.238.102 | mrsnapznet.us |
| 182.253.238.102 | www.mrsnapznet.us |
| 182.253.238.102 | blackxat.com |
| 182.253.238.102 | www.blackxat.com |
| 182.253.238.102 | black-xat.com |
| 182.253.238.102 | www.xlack-xat.com |
| 182.253.238.102 | 203.117.172.56 |
| 182.253.238.102 | 203.117.172.43 |
| 182.253.238.102 | 203.117.172.4 |
| 182.253.238.102 | 203.117.172.57 |
| 182.253.238.102 | bandicam.com |
| 182.253.238.102 | www.bandicam.com |
| 182.253.238.102 | ssl.bandisoft.com |
| 182.253.238.102 | fairplay.pb.garena.co.id |
| 182.253.238.102 | wellbia.com |
| 182.253.238.102 | www.wellbia.com |
| 182.253.238.102 | zm1.november-lax.com |
| 182.253.238.102 | www.adnetworkperformance.com |
| 182.253.238.102 | n162adserv.com |
| 182.253.238.102 | 447pihoz.tech |
| 182.253.238.102 | rdsa2012.com |
| 182.253.238.102 | www.blkget.com |
| 182.253.238.102 | ampclicks.com |
| 182.253.238.102 | match.mixplugin.com |
| 182.253.238.102 | track.funshopfun.com |
| 182.253.238.102 | cdn.adplxmd.com |
| 182.253.238.102 | cdn.todigroup.com |
| 182.253.238.102 | www.blkget8.com |
| 182.253.238.102 | Offerjuice.me |
| 182.253.238.102 | www.Offerjuice.me |
| 182.253.238.102 | www.ab4hr.com |
| 182.253.238.102 | track.frwdx.com |
| 182.253.238.102 | adsrvmedia.adk2x.com |
| 182.253.238.102 | zo6.realsuperblite.com |
| 182.253.238.102 | srv.revdepo.com |
| 182.253.238.102 | www.trackingclick.net |
| 182.253.238.102 | xml.adfclick1.com |
| 182.253.238.102 | prjcq.com |
| 182.253.238.102 | servicegetbook.net |
| 182.253.238.102 | damaral.com |
| 182.253.238.102 | Cliponyu.com |
| 182.253.238.102 | 49.media.tumblr.com |
| 182.253.238.102 | 40.media.tumblr.com |
| 182.253.238.102 | 41.media.tumblr.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: Hizx3zMagfhaer6maR
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: Triptofan 3.0.exe
Internal Name: Triptofan 3.0
File Version: 1.00
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 184672 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 192512 | 11024 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 204800 | 930944 | 28672 | 3.93731 | 37edb9cadbc80f6b2598d625f65d01c4 |
| .vmp0 | 1138688 | 220808 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp1 | 1359872 | 642080 | 643072 | 5.50856 | 23791e1f08ba418a435eebc564ba5f3a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://blogspot.l.googleusercontent.com/ |  |
| hxxp://ghs.google.com/ | |
| hxxp://statuscit.com/index/load13.id |  |
| hxxp://tools.l.google.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe | |
| hxxp://r5.sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529373009&mv=u&pcm2cms=yes&pl=24&shardbypass=yes |  |
| hxxp://tools.l.google.com/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0= | |
| hxxp://tools.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6 | |
| hxxp://googleapis.l.google.com/ajax/libs/jquery/2.1.3/jquery.min.js | |
| hxxp://pl14336753.pvclouds.com/c1/91/cd/c191cdedf2d49ff724fe8b19d5277cff.js |  |
| hxxp://googleapis.l.google.com/css?family=Oswald:400,700 | |
| hxxp://tools.l.google.com/GTSGIAG3.crl | |
| hxxp://tools.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k | |
| hxxp://pagead46.l.doubleclick.net/pagead/js/adsbygoogle.js | |
| hxxp://ad.a-ads.com/713373?size=468x60 |  |
| hxxp://ie8eamus.com/sfp.js | |
| hxxp://www.modulepush.com/e604cb81f3c1551e1b0b66f6ab1e3f05/invoke.js | |
| hxxp://ad.a-ads.com/a-ads-banners/65682/468x60?region=eu-central-1 | |
| hxxp://go.oclasrv.com/apu.php?zoneid=1369047 | |
| hxxp://e734.a.akamaiedge.net/js/300/addthis_widget.js |  |
| hxxp://deloton.com/apu.php?zoneid=1369047 | |
| hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff | |
| hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff | |
| hxxp://ghs.google.com//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts | |
| hxxp://pl14336753.pvclouds.com/invoke.js | |
| hxxp://www.modulepush.com/watch.972275274587?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid= | |
| hxxp://www.modulepush.com/watch.972275274587?shu=629db1921081c1a036e139de420c0edf40d2e91be7166ecec06d61ec4641fd8e592d025be48e5fb10b269e97a0de6009bd72356f9dfdc1c7f6e3a72562cdf0b08000cc9951bf7dcf&pst=1529374364&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&dev=r&res=4.0&kw=[]&tz=3 | |
| hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ= | |
| hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= |  |
| hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI= | |
| hxxp://scontent.xx.fbcdn.net/connect/xd_arbiter/r/qMnGlIs-JNW.js?version=42 | |
| hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc= | |
| hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY= | |
| hxxp://ghs.google.com/favicon.ico | |
| hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy+emBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEH5c/k1FvZXWtoolHS8QY7c= | |
| hxxp://cdnjs.cloudflare.com/ajax/libs/fingerprintjs2/1.6.1/fingerprint2.min.js | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/tspca.crl | |
| hxxp://ie8eamus.com/fp?uuid=&fingerprint=ab4174aa8f1a47e69078e73ac87c027d&ua=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)&dev=r&res=4.0&b_frame=false&pk=c191cdedf2d49ff724fe8b19d5277cff | |
| hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o+tuynXIiEOLckvPvJE= | |
| hxxp://crl.comodoca.com.cdn.cloudflare.net/COMODORSADomainValidationSecureServerCA.crl | |
| hxxp://cs9.wpc.v0cdn.net/IE9CompatViewList.xml | |
| hxxp://www.citpekalongan.com/ | |
| hxxp://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl | |
| hxxp://r5---sn-q5u5bgv02-3c2z.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe?cms_redirect=yes&mip=77.222.144.250&mm=28&mn=sn-q5u5bgv02-3c2z&ms=nvh&mt=1529373009&mv=u&pcm2cms=yes&pl=24&shardbypass=yes | |
| hxxp://fonts.googleapis.com/css?family=Oswald:400,700 | 172.217.21.234 |
| hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | 93.184.220.29 |
| hxxp://s7.addthis.com/js/300/addthis_widget.js | 2.16.29.231 |
| hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o+tuynXIiEOLckvPvJE= | 93.184.220.29 |
| hxxp://redirector.gvt1.com/edgedl/release2/update2/LRsxN5n35Q8_1.3.33.17/GoogleUpdateSetup.exe | |
| hxxp://www.urldelivery.com/watch.972275274587?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid= | 198.134.112.244 |
| hxxp://www.citpekalongan.com//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts | |
| hxxp://crl.microsoft.com/pki/crl/products/tspca.crl | |
| hxxp://fonts.gstatic.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff | 172.217.21.227 |
| hxxp://citpekalongans.blogspot.com/ | 172.217.21.225 |
| hxxp://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml | |
| hxxp://crl.pki.goog/GTSGIAG3.crl | |
| hxxp://staticxx.facebook.com/connect/xd_arbiter/r/qMnGlIs-JNW.js?version=42 | |
| hxxp://sr.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI= | 23.46.123.27 |
| hxxp://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js | 216.58.208.42 |
| hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= | 93.184.220.29 |
| hxxp://www.statuscit.com/index/load13.id | 162.241.153.47 |
| hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ= | |
| hxxp://fonts.gstatic.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff | 172.217.21.227 |
| hxxp://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0= | |
| hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k | |
| hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc= | 178.255.83.1 |
| hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY= | 93.184.220.29 |
| hxxp://www.bnserving.com/invoke.js | |
| hxxp://www.urldelivery.com/watch.972275274587?shu=629db1921081c1a036e139de420c0edf40d2e91be7166ecec06d61ec4641fd8e592d025be48e5fb10b269e97a0de6009bd72356f9dfdc1c7f6e3a72562cdf0b08000cc9951bf7dcf&pst=1529374364&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&dev=r&res=4.0&kw=[]&tz=3 | 198.134.112.244 |
| hxxp://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | |
| hxxp://www.citpekalongan.com/favicon.ico | |
| hxxp://static.a-ads.com/a-ads-banners/65682/468x60?region=eu-central-1 | |
| hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6 | |
| hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy+emBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEH5c/k1FvZXWtoolHS8QY7c= | 178.255.83.1 |
| 1.bp.blogspot.com | 172.217.21.225 |
| 2.bp.blogspot.com | 172.217.21.225 |
| adservice.google.com | 216.58.206.2 |
| www.blogger.com | 172.217.21.233 |
| www.paypalobjects.com | 80.239.245.5 |
| a.algovid.com | 209.58.138.144 |
| scontent.fiev7-2.fna.fbcdn.net | 77.222.131.81 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
GoogleUpdate.exe:2124
GoogleUpdate.exe:2576
GoogleUpdate.exe:2628
GoogleUpdate.exe:1388
GoogleUpdate.exe:3928
GoogleUpdate.exe:2104
GoogleUpdateSetup.exe:4084 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\GUM9387.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\Install\{A414FE65-6B28-45C9-83F9-A2357E0ADEFD}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM9387.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUT9388.tmp (7 bytes)
%Program Files%\GUM9387.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ru.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM9387.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM9387.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM9387.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM9387.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM9387.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM9387.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM9387.tmp\psuser.dll (206 bytes)
%Program Files%\GUM9387.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM9387.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUM9387.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM9387.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM9387.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM9387.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM9387.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM9387.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM9387.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM9387.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM9387.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM9387.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM9387.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM9387.tmp\goopdateres_sv.dll (43 bytes)
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Windows\System32\COMCTL32.OCX (608 bytes)
C:\Windows\0BCZU.dll (332 bytes)
C:\Windows\System32\COMDLG32.OCX (307 bytes)
C:\Windows\System32\drivers\etc\hosts (9 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
