Trojan-Dropper.Win32.Vtimrun_36673e2b7c
mzpefinder_pcap_file.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 36673e2b7c5c77f7b71cbc21a0dd9c5a
SHA1: c18abec07aea597e0b7b9453018da05f40a1a382
SHA256: 10a6a2a84bf2ae3b81287e78eff069aa331abfe2bdeaa9454c0b47c0f5d4b94a
SSDeep: 786432:Jbu/VcGXHprY6t JnjzRCjoLdjYhJI40H5m1YlPWfMX:JbutvpYpC0Z0hiQfMX
Size: 30668968 bytes
File type:
Platform:
Entropy:
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: Windows7Ada SP1 64-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.
Payload
No specific payload has been found.
Process activity
The Trojan-Dropper creates the following process(es):
TPAutoConnSvc.exe:1776
GoogleUpdate.exe:2972
GoogleUpdate.exe:2568
GoogleUpdate.exe:492
%original file name%.exe:600
setup.exe:2688
taskeng.exe:2172
39.0.2171.95_chrome_installer.exe:3348
MsiExec.exe:2252
The Trojan-Dropper injects its code into the following process(es):
%original file name%.exe:3276
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process GoogleUpdate.exe:2972 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\39.0.2171.95\39.0.2171.95_chrome_installer.exe (309253 bytes)
%Program Files% (x86)\Google\Update\Install\{19171A5A-1060-4B7D-86A1-49C9FF206701}\39.0.2171.95_chrome_installer.exe (327230 bytes)
The process %original file name%.exe:3276 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\ResourceCleaner.dll (4451 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI90FC.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\tabback (854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\lzmaextractor.dll (452 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI77DE.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends 3.0.1\install\LoL.EUW.msi (29679 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\completi (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\dialog (940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\removico (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\aipackagechainer.exe (3243 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\cmdlinkarrow (864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\LoLIconBanner.jpg_1 (802 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\Prereq.dll (3547 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\banner (374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI782D.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_11BFDD5895E992E1D3AE9CF87B14B921 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9552.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\repairic (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI785D.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_11BFDD5895E992E1D3AE9CF87B14B921 (1592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\insticon (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\info (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\New (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9708.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\aicustact.dll (1251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\Up (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9 (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\Ashe_Background.jpg_1 (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\TxtUpdater.dll (3667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\exclamic (766 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\custicon (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9541.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI7722.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9 (471 bytes)
The process %original file name%.exe:600 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\DXSETUP.exe (5257 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dxupdate.cab (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\DSETUP.dll (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_d3dx9_39_x86.cab (11034 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_XAudio_x86.cab (2569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\vcredist_x64.exe (24833 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dxdllreg_x86.cab (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dsetup32.dll (12751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_d3dx10_39_x86.cab (8737 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\vcredist_x86.exe (20901 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dxnt.cab (105063 bytes)
The process setup.exe:2688 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\pdf.dll (58 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\vi.pak (637 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\lt.pak (552 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\chrome.7z (268785 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\en-GB.pak (466 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\sv.pak (514 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\chrome.dll (29434 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\mr.pak (1126 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\cs.pak (560 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\he.pak (643 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\resources.pak (64 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\default_apps\youtube.crx (47 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\default_apps\search.crx (54 bytes)
%Program Files% (x86)\Google\Chrome\Application\35.0.1916.114\default_apps (4 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\lv.pak (562 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ru.pak (873 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ml.pak (1457 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\default_apps\docs.crx (12 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\nl.pak (544 bytes)
%Program Files% (x86)\Google\Chrome\Application\35.0.1916.114 (8 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\fr.pak (596 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\nacl64.exe (50 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ko.pak (568 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\de.pak (481 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\wow_helper.exe (146 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\widevinecdmadapter.dll (293 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\da.pak (506 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\chrome_elf.dll (268 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\zh-CN.pak (456 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\PepperFlash\manifest.json (6 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\default_apps\gmail.crx (48 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\39.0.2171.95.manifest (226 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\VisualElements\smalllogo.png (21 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\te.pak (1242 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\libegl.dll (423 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Extensions\external_extensions.json (103 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\tr.pak (554 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\VisualElements\splash-620x300.png (22 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\gu.pak (1104 bytes)
%Program Files% (x86)\Google\Chrome\Application\35.0.1916.114\Locales (8 bytes)
%Program Files% (x86)\Google\Chrome\Application\chrome.exe (20458 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin (4 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ta.pak (1333 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\sk.pak (579 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\metro_driver.dll (1022 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\th.pak (1121 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ar.pak (742 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\default_apps\drive.crx (53 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\sw.pak (471 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\secondarytile.png (641 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\pl.pak (553 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\PepperFlash\pepflashplayer.dll (63 bytes)
C:\Windows\Temp\chrome_installer.log (7903 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\chrome_200_percent.pak (50 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\delegate_execute.exe (51 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\fa.pak (793 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\el.pak (1011 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\am.pak (769 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\VisualElementsManifest.xml (400 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\en-US.pak (466 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\sl.pak (515 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\d3dcompiler_46.dll (52 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\bg.pak (922 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\sr.pak (847 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\pt-BR.pak (544 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\fi.pak (528 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ro.pak (570 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\default_apps\external_extensions.json (5 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\zh-TW.pak (457 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\es.pak (571 bytes)
%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe (22234 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\ffmpegsumo.dll (50 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ca.pak (562 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\pt-PT.pak (553 bytes)
%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\setup.exe (22234 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\bn.pak (1176 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\xinput1_3.dll (162 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\libglesv2.dll (50 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\chrome_child.dll (32644 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\icudtl.dat (59 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (6 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ja.pak (670 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk (6 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\nacl_irt_x86_64.nexe (52 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\hr.pak (523 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\hu.pak (587 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\nb.pak (506 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\chrome.exe (1716 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\chrome_100_percent.pak (50 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\libpeerconnection.dll (51 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\ms.pak (421 bytes)
%Program Files% (x86)\Google\Chrome\Application\35.0.1916.114\VisualElements (4 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\it.pak (546 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\libexif.dll (621 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\fil.pak (570 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\hi.pak (1137 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\nacl_irt_x86_32.nexe (51 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\kn.pak (1273 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\et.pak (490 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\id.pak (505 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\uk.pak (872 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\VisualElements\logo.png (7 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\es-419.pak (561 bytes)
The process 39.0.2171.95_chrome_installer.exe:3348 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
C:\Windows\Temp\CR_01E20.tmp\SETUP.EX_ (375 bytes)
C:\Windows\Temp\CR_01E20.tmp\setup.exe (17361 bytes)
C:\Windows\Temp\CR_01E20.tmp\CHROME.PACKED.7Z (43831 bytes)
The process MsiExec.exe:2252 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI90FC.tmp (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9541.tmp (303 bytes)
C:\Windows\Tasks\{79BF4901-1EC4-4726-B3C2-A7859706C6E7}.job (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI77DE.tmp (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI785D.tmp (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\vcredist_x64.exe (291 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9552.tmp (303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9708.tmp (303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI782D.tmp (303 bytes)
Registry activity
The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"
[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"
The Trojan-Dropper deletes the following registry key(s):
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
The process GoogleUpdate.exe:2972 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1418803200"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"DownloadProgressPercent" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"DayOfLastRollCall" = "2907"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"LastCheckSuccess" = "1418873481"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"RollCallDayStartSec" = "1418803200"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1418873526"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1418803200"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastChecked" = "1418873481"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"pv" = "35.0.1916.153"
[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"InstallTimeRemainingMs" = "4294967295"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}]
"pv" = "35.0.1916.153"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "2907"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"LastInstallerResult" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1418803200"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"UpdateTime" = "1418873526"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerResult" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"InstallProgressPercent" = "4294967295"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.25.11"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1418803200"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "2907"
"ActivePingDayStartSec" = "1418803200"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"LastInstallerError" = "2"
[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1418873481"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
"StateValue" = "17"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError" = "2"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"UpdateAvailableCount" = "1"
"DayOfLastActivity" = "2907"
"DayOfLastRollCall" = "2907"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "2907"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "35.0.1916.153"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "7"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"
The Trojan-Dropper deletes the following registry key(s):
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{FDA71E6F-AC4C-4A00-8B70-9958A68906BF}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\CurrentState]
The Trojan-Dropper deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"LastInstallerSuccessLaunchCmdLine"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"LastInstallerExtraCode1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerExtraCode1"
"LastInstallerResult"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"old-uid"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"InstallerError"
"LastInstallerResult"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"iid"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"LastInstallerError"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"LastInstallerError"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"dr"
"tttoken"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"tttoken"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"InstallerResult"
The process GoogleUpdate.exe:2568 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"IsMSIHelperRegistered" = "1"
"LastStartedAU" = "1418873460"
The Trojan-Dropper deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:492 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2A\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
The Trojan-Dropper deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update]
"uid"
"old-uid"
The process %original file name%.exe:3276 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Caphyon\Setups]
"Advinst_F97C590466734686980C9759A741364A" = "c:\%original file name%.exe"
The process setup.exe:2688 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"ap" = "-stage:preconditions-multi-chrome-full"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"VersionMajor" = "2171"
"DisplayVersion" = "39.0.2171.95"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"InstallerExtraCode1" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"NoModify" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{FDA71E6F-AC4C-4a00-8B70-9958A68906BF}]
"pv" = "39.0.2171.95"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "39.0.2171.95"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"pv" = "39.0.2171.95"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallString" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\setup.exe"
"InstallerResult" = "0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\Commands\quick-enable-application-host]
"WebAccessible" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayName" = "Google Chrome"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"UninstallArguments" = " --uninstall --multi-install --system-level"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"UninstallArguments" = " --uninstall --multi-install --chrome --system-level"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"UninstallString" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\setup.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\Commands\quick-enable-application-host]
"SendsPings" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{FDA71E6F-AC4C-4a00-8B70-9958A68906BF}]
"Name" = "Google Chrome App Launcher"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\Commands\query-eula-acceptance]
"RunAsUser" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"UninstallString" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\setup.exe --uninstall --multi-install --chrome --system-level"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"InstallerError" = "2"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Version" = "24,0,0,0"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\Commands\query-eula-acceptance]
"WebAccessible" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"InstallerError" = "2"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Version" = "39.0.2171.95"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Name" = "Google Chrome"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "-multi-chrome-full"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"StubPath" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe --configure-user-settings --verbose-logging --system-level --multi-install --chrome"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"InstallLocation" = "%Program Files% (x86)\Google\Chrome\Application"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"Localized Name" = "Google Chrome"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"CommandLine" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\setup.exe --on-os-upgrade --multi-install --chrome --system-level --verbose-logging"
[HKCR\Wow6432Node\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\Commands\quick-enable-application-host]
"RunAsUser" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"VersionMinor" = "95"
"NoRepair" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\Commands\quick-enable-application-host]
"CommandLine" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\setup.exe --multi-install --app-launcher --ensure-google-update-present"
[HKCR\Wow6432Node\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\LocalServer32]
"ServerExecutable" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\delegate_execute.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"DisplayIcon" = "%Program Files% (x86)\Google\Chrome\Application\chrome.exe,0"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"(Default)" = "Google Chrome"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\on-os-upgrade]
"AutoRunOnOSUpgrade" = "1"
[HKCR\Wow6432Node\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}]
"(Default)" = "CommandExecuteImpl Class"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"Name" = "Google Chrome binaries"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\Commands\query-eula-acceptance]
"CommandLine" = "%Program Files% (x86)\Google\Chrome\Application\39.0.2171.95\Installer\setup.exe --query-eula-acceptance --system-level"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
"Publisher" = "Google Inc."
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
"IsInstalled" = "1"
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"InstallerResult" = "0"
The Trojan-Dropper deletes the following registry key(s):
[HKCR\Wow6432Node\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}]
[HKCR\Wow6432Node\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\LocalServer32]
[HKCR\Wow6432Node\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\Programmable]
[HKLM\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Commands\install-extension]
The Trojan-Dropper deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"InstallerExtraCode1"
The process taskeng.exe:2172 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{46781B8F-4CD0-469B-8812-240F09039996}]
"data" = "4D 45 4F 57 01 00 00 00 E4 B7 BD 92 8B F2 A0 46"
The process 39.0.2171.95_chrome_installer.exe:3348 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Google\Update\ClientState\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}]
"ap" = "-multi-chrome-full"
The process MsiExec.exe:2252 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:
[HKCU\Software\Riot Games AiTemp]
"{79BF4901-1EC4-4726-B3C2-A7859706C6E7}" = "/i C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends 3.0.1\install\LoL.EUW.msi AI_RESUME=1 ADDLOCAL=BAEAC99E_37AC_4DB1_8AA2_D0B4B5C09ED_1,LeagueofLegends,LeagueofLegends_GameClient,D2BCE474_49DC_4169_8EFD_7CAB0921B614,F477261_82C3_4613_8028_BC4B6AA8AD37,LoLDesktopShortcut,LoLStartMenuShortcut PRIMARYFOLDER=APPDIR ROOTDRIVE=C:\ AI_PREREQFILES=C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\DXSETUP.exeC:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_d3dx9_39_x86.cabC:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_d3dx10_39_x86.cabC:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_XAudio_x86.cabC:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\DSETUP.dllC:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dsetup32.dllC:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dxdllreg_x86.cabC:\Users\"%CurrentUserName%"\AppData\Roaming\Riot CǼ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"{79BF4901-1EC4-4726-B3C2-A7859706C6E7}" = "c:\%original file name%.exe /cmdloc HKCU\Software\Riot Games AiTemp\{79BF4901-1EC4-4726-B3C2-A7859706C6E7}"
The Trojan-Dropper deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
No information is available.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 0
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
SURICATA STREAM SHUTDOWN RST invalid ack
SURICATA STREAM Packet with invalid ack
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=514948, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 02:34:46 GMT
Expires: Wed, 24 Dec 2014 02:34:46 GMT
Date: Thu, 18 Dec 2014 03:32:18 GMT
Connection: keep-alive
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?b26dcbe06ad1c88d HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Thu, 18 Dec 2014 03:27:59 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=510394, public, no-transform, must-revalidate
Last-Modified: Wed, 17 Dec 2014 01:14:37 GMT
Expires: Wed, 24 Dec 2014 01:14:37 GMT
Date: Thu, 18 Dec 2014 03:31:59 GMT
Connection: keep-alive
<<< skipped >>>
HEAD /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 40747600
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=0-8264
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 8265
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 0-8264/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=8265-20622
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 12358
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 8265-20622/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=20623-35859
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 15237
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 20623-35859/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=35860-56860
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 21001
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 35860-56860/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=56861-77843
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 20983
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 56861-77843/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=77844-121888
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 44045
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 77844-121888/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=121889-211907
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 90019
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 121889-211907/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=211908-393058
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 181151
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 211908-393058/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=393059-753459
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 360401
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 393059-753459/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=753460-1468415
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 714956
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 753460-1468415/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=1468416-2890012
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 1421597
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 1468416-2890012/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=2890013-5709720
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 2819708
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 2890013-5709720/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=5709721-9761708
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 4051988
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 5709721-9761708/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=9761709-14792061
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 5030353
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 9761709-14792061/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=14792062-20434324
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 5642263
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 14792062-20434324/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=20434325-26426727
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 5992403
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 20434325-26426727/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
<<< skipped >>>
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=26426728-32619706
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 6192979
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 26426728-32619706/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=32619707-38943041
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 6323335
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 32619707-38943041/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
GET /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 09 Dec 2014 17:25:00 GMT
Range: bytes=38943042-40747599
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: r4---sn-ugpva5o-3c2e.c.pack.google.com
HTTP/1.1 206 Partial Content
Accept-Ranges: bytes
Content-Length: 1804558
Content-Type: application/x-msdos-program
Etag: "4c442"
Server: downloads
Vary: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Date: Mon, 15 Dec 2014 09:02:47 GMT
Alternate-Protocol: 80:quic,p=0.002
Last-Modified: Tue, 09 Dec 2014 17:25:00 GMT
Content-Range: bytes 38943042-40747599/40747600
Connection: keep-alive
Alternate-Protocol: 80:quic,p=0.01
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9f58ed40c6a18306 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Thu, 18 Dec 2014 03:26:57 GMT
Connection: keep-alive
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 812
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
ETag: "a2f3ff97eeecf1:0"
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:27:43 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
ETag: "3e1c83923e1cf1:0"
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:27:48 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
ETag: "58cddbea90dfcf1:0"
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:27:54 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir/SSy4IxLVGLp6chnfNtyA8CEA+oSQYV1wCgviF2/cXsbb0= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=515677
Content-Type: application/ocsp-response
Date: Thu, 18 Dec 2014 03:27:02 GMT
Etag: "5492346f-1d7"
Expires: Wed, 24 Dec 2014 15:27:02 GMT
Last-Modified: Thu, 18 Dec 2014 01:57:03 GMT
Server: ECS (ams/49D5)
X-Cache: HIT
Content-Length: 471
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAvVsLNPkJUQ8VRDHj9KlzQ= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=516056
Content-Type: application/ocsp-response
Date: Thu, 18 Dec 2014 03:27:07 GMT
Etag: "549230bf-1d7"
Expires: Wed, 24 Dec 2014 15:27:07 GMT
Last-Modified: Thu, 18 Dec 2014 01:41:19 GMT
Server: ECS (ams/4996)
X-Cache: HIT
Content-Length: 471
GET /ThawtePremiumServerCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.thawte.com
HTTP/1.1 200 OK
Server: Apache
ETag: "824cd0491950c511e344c8ad273b3cb8:1418851241"
Last-Modified: Wed, 17 Dec 2014 21:20:41 GMT
Date: Thu, 18 Dec 2014 03:32:40 GMT
Content-Length: 13012
Connection: keep-alive
Content-Type: application/pkix-crl
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.0
VTag: 438246244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Thu, 18 Dec 2014 03:32:26 GMT
Connection: keep-alive
HEAD /edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: cache.pack.google.com
HTTP/1.1 302 Found
Date: Thu, 18 Dec 2014 03:31:24 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: hXXp://r4---sn-ugpva5o-3c2e.c.pack.google.com/edgedl/chrome/win/24C7E2C109DDFCC6/39.0.2171.95_chrome_installer.exe?cms_redirect=yes&expire=1418887884&ip=37.57.16.189&ipbits=0&mm=28&ms=nvh&mt=1418873206&mv=u&shardbypass=yes&sparams=expire,ip,ipbits,mm,ms,mv,shardbypass&signature=4F0C06D0B9EE486BB492B31BDE2E8534B2687092.68CFA14FCDE608F9F518BCACEFD6ED283A4F5B0E&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 610
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic,p=0.02
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=350738, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT
Expires: Mon, 22 Dec 2014 04:54:07 GMT
Date: Thu, 18 Dec 2014 03:32:10 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=369990, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Thu, 18 Dec 2014 03:32:32 GMT
Connection: keep-alive
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Thu, 18 Dec 2014 03:32:05 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
The Trojan-Dropper connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
msi.dll
gdiplus.dll
kernel32.dll
UxTheme.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
operator
WININET.dll
dwmapi.dll
()$^.* ?[]|\-{},:=!SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
F%D,3
ATTRIB -r "%s"
rd "%s"
if exist "%s" goto try
del "%s" | cls
del "%s"
FLT_DENORMAL_OPERAND
FLT_INVALID_OPERATION
Dbghelp.dll
[SystemFolder]msi.dll
FtpCommandW
FtpGetFileSize
URL=%s
invalid _N_type: %d
D:\BranchAI\win\Release\stubs\x86\ExternalUi.pdb
GdiplusShutdown
GdipSetImageAttributesColorKeys
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpFindFirstFileW
InternetCrackUrlW
KERNEL32.dll
GetAsyncKeyState
GetKeyState
USER32.dll
SetViewportOrgEx
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
dbghelp.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
VERSION.dll
NETAPI32.dll
Secur32.dll
GetConsoleOutputCP
GetWindowsDirectoryW
CreateNamedPipeW
ConnectNamedPipe
PeekNamedPipe
GetProcessHeap
GetCPInfo
EnumWindows
MsgWaitForMultipleObjects
ExitWindowsEx
COMDLG32.dll
RegOpenKeyExA
RegOpenKeyW
RegCreateKeyW
RegDeleteKeyA
RegCreateKeyA
RegOpenKeyA
zcÁ
.?AVWindowsException@@
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\lang1033\f0\fs20\par{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 EULA\par43333333333333333
"999500>
"999550-]
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/>
<!-- Set the current process as DPI aware (for Windows Vista or newer) -->
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
mscoree.dll
user32.dll
controls\QuickSelectionListControl.cpp
d:\branchai\externalui\controls\generic\VisualStyleBorder.h
controls\TabControl.cpp
nativeui\NativeDialog.cpp
d:\branchai\externalui\nativeui\NativeAccelerator.h
nativeui\NativeUiBridge.cpp
controls\CheckBoxControl.cpp
controls\CheckListControl.cpp
WindowsBuild
controls\ColumnsTreeControl.cpp
d:\branchai\externalui\controls\generic/VisualStyleBorder.h
comctl32.dll
controls\ComboBoxControl.cpp
cmdlinkarrow
controls\CommandLinkButtonControl.cpp
controls\HyperLinkControl.cpp
controls\ListBoxControl.cpp
controls\ListViewControl.cpp
controls\PushButtonControl.cpp
controls\QuickSelectionTreeControl.cpp
controls\RadioButtonControl.cpp
controls\ScrollableTextControl.cpp
uxtheme.dll
controls\SelectionTreeControl.cpp
0123456789
controls\VolumeCostListControl.cpp
controls\VolumeSelectComboControl.cpp
controls\generic\GenericEditControl.cpp
NumberValidationTipMsg
controls\generic\GenericRichEditControl.cpp
hXXp://
controls\mshtml\GenericAxControl.cpp
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
Caphyon.AI.ExtUI.IEClickSoundRemover
{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}Windows
FOLDERID_Windows
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
ExternalUi.cpp
RICHED20.DLL
/passive
Unable to start installation error code: %u
oAI_MORE_CMD_LINE
ExternalUiManager.cpp
..\core\ExceptionPresenter.cpp
EXCEPTION_CMD
..\core\ExceptionHandling.cpp
C:\FAKE_DIR\
Advapi32.dll
\/:*?"<>|
Failed to get Windows error message [win32 error 0x
Send Error Report
/cmdloc
Return code of msiexec.exe:
Launching msiexec.exe with command line:
Detected Windows Installer version:
Code returned to Windows by setup:
User name and password for proxy server were received from command line and used.
Command line to pass to MSI:
"%s" %s
TRANSFORMS=":%d"
TRANSFORMS="%s;%s\%d"
TRANSFORMS="%s\%d"
TRANSFORMS="%s"
%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"
EXE_CMD_LINE="%s "
[SystemFolder]msiexec.exe
%s=%i
Windows installer is inluded in package.
[WindowsVolume]
%d.dll
%sholder%d.aiph
%d-%s
Windows 2000
Shlwapi.dll
Shell32.dll
%d.%d.%d.%d
\StringFileInfo\xx\%s
%d %s
%d.0%d %s
%d.%d %s
Windows 8.1 x64
Windows 8.1 x86
Windows Server 2012 R2 x64
Windows 8 x64
Windows 8 x86
Windows Server 2012 x64
Windows 7 x64 Service Pack 1
Windows 7 x64
Windows 7 x86 Service Pack 1
Windows 7 x86
Windows Server 2008 R2 x64 Service Pack 1
Windows Server 2008 R2 x64
Windows Vista x64 Service Pack 2
Windows Vista x64 Service Pack 1
Windows Vista x64
Windows Vista x86 Service Pack 2
Windows Vista x86 Service Pack 1
Windows Vista x86
Windows Server 2008 x64
Windows Server 2008 x86
Windows XP x64 Service Pack 2
Windows XP x64 Service Pack 1
Windows XP x64
Windows Server 2003 x64 Service Pack 2
Windows Server 2003 x64 Service Pack 1
Windows Server 2003 x64
Windows Server 2003 x86 Service Pack 2
Windows Server 2003 x86 Service Pack 1
Windows Server 2003 x86
Windows XP x86
Windows XP x86 Service Pack 3
Windows XP x86 Service Pack 2
Windows XP x86 Service Pack 1
Windows 2000 Service Pack 4
Windows 2000 Service Pack 3
Windows 2000 Service Pack 2
Windows 2000 Service Pack 1
Windows NT 4.0
Windows NT 4.0 Service Pack 6
Windows NT 4.0 Service Pack 5
Windows NT 4.0 Service Pack 4
Windows NT 4.0 Service Pack 3
Windows NT 4.0 Service Pack 2
Windows NT 4.0 Service Pack 1
Windows 95 OSR
Windows 95 OSR2.5
Windows 95
Windows 98 SE
Windows 98
Windows Millennium
{374DE290-123F-4565-9164-39C4925E467B}Newer version is at a local URL.
/exenoupdates
Detected SQL Compact:
Detected SQL Express:
Detected .NET:
Windows PowerShell 4.0 (Windows Management Framework Core 4.0)
Windows PowerShell 3.0 (Windows Management Framework Core 3.0)
Windows PowerShell 2.0 (Windows Management Framework Core)
Windows PowerShell 1.0
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint
HKLM\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\SharePoint
Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007
Windows Mobile Device Center 6.1
Windows Mobile Device Center 6.0
HKLM\SOFTWARE\Microsoft\Windows CE Services\MinorVersion
HKLM\SOFTWARE\Microsoft\Windows CE Services\MajorVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CEAPPMGR.EXE\
HKLM\Software\Microsoft\VSTO Runtime Setup\v9.0.21022\Install
HKLM\Software\Microsoft\vsto runtime Setup\v2.0.50727\Install
6.01.7000.0000
6.00.6000.16386
4.09.00.0903
4.09.00.0902
4.09.00.0901
4.09.00.0900
4.08.02.0134
4.08.01.0901
4.08.01.0810
4.08.00.0400
4.07.01.3000
4.07.00.0716
4.07.00.0700
SQL Server Compact 4.0
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v4.0\ENU\DesktopRuntimeVersion
SQL Server Compact 3.5 SP2
SQL Server Compact 3.5 SP1
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU\DesktopRuntimeServicePackLevel
SQL Server Compact 3.5
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Compact Edition\v3.5\ENU\DesktopRuntimeVersion
11.0.3000
SQL Server Express 2012 SP1
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\110\Tools\ClientSetup\CurrentVersion\CurrentVersion
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server Native Client 11.0\CurrentVersion\Version
SQL Server Express 2012
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server 2012 Redist\SQLNCLI11\1033\CurrentVersion\Version
10.52.4000
SQL Server Express 2008 R2 SP2
10.51.2500
SQL Server Express 2008 R2 SP1
SQL Server Express 2008 R2
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\100\Bootstrap R2\CurrentVersion\Version
SQL Server Express 2008 SP3
SQL Server Express 2008 SP2
SQL Server Express 2008 SP1
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\100\Bootstrap\Setup\PatchLevel
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\SQLSERVER2008\MSSQLServer\CurrentVersion\CurrentVersion
SQL Server Express 2008
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\SQLEXPRESS\MSSQLServer\CurrentVersion\CurrentVersion
9.00.5000
SQL Server Express 2005 SP4
9.00.4035
SQL Server Express 2005 SP3
9.00.3042
SQL Server Express 2005 SP2
9.00.2047
SQL Server Express 2005 SP1
SQL Server Express 2005
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\ClientSetup\CurrentVersion\CurrentVersion
4.5.2
4.5.1
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727\Install
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322\Install
3321-3705
HKLM\SOFTWARE\Microsoft\.NETFramework\policy\v1.0\3705
Windows 9x/ME
Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86
Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64
[SystemFolder]wininet.dll
[SystemFolder]inetsrv\inetinfo.exe
[SystemFolder]inetsrv\w3wp.exe
[ProgramFilesFolder]Microsoft Office\Office14\vviewer.dll
[ProgramFiles64Folder]Microsoft Office\Office14\vviewer.dll
[ProgramFilesFolder]Microsoft Office\Office15\vviewer.dll
[ProgramFiles64Folder]Microsoft Office\Office15\vviewer.dll
[ProgramFilesFolder]Microsoft Office\Office15\lync.exe
[ProgramFiles64Folder]Microsoft Office\Office15\lync.exe
EXE_CMD_LINE
SETUPEXEDIR
AI_SETUPEXEPATH
/aespassword
/proxypassword
/password
/exelog
/exelang
/exefullui
/exebasicui
/exenoui
%s %s
d-d-d @d:d:d
MajorVersion: %u;
MinorVersion: %u;
BuildNumber: %u;
PlatformId: %u;
CSDVersion: %s;
ServicePackMajor: %u;
ServicePackMinor: %u;
SuiteMask: %u;
ProductType: %u;
WindowsFolder
WindowsVolume
shfolder.dll
instname-custom.mst
instname-target.msi
instname-template.msi
TRANSFORMS=:%s.mst
AI_INTANCE_LOCATION="%s"
/n %s
TRANSFORMS="%s"
TRANSFORMS=":%s.mst;%s" MSINEWINSTANCE=1
TRANSFORMS=:%s.mst MSINEWINSTANCE=1
SELECT `Value` FROM `Property` WHERE Property='%s'
Software\Microsoft\Windows\CurrentVersion\Run
MainAppCmdLine
UpdatesUrl
MainAppURL
SQLExpress
SQLCompact
Operator
SearchCmdLine
.part
hXXp://VVV.google.com
hXXp://VVV.yahoo.com
hXXp://VVV.example.com
tin9999.tmp
wininet.dll
FTP Server
HTTP/1.0
Range: bytes=%u-
REST %u
0.0.0.0
Launching URL:
SELECT `Value` FROM `Property` WHERE `Property` = '%s'
\\.\pipe\ToServer
*.pack
--verbose --log-file="%s" --remove-pack-file "%s" "%s"
unpack200.exe
%s (%s)
(%s) %s
(%s (%s
mstask.exe
BIN\STSADM.EXE
12\BIN\STSADM.EXE
14\BIN\STSADM.EXE
15\BIN\STSADM.EXE
Microsoft Shared\Web Server Extensions\
Solutions.list
SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\
EventPublisher.cpp
`Key` = '
AiMsgBox
AiProgressReport
ErrorMsgTitle
PIDKEY
Software\Microsoft\Windows\CurrentVersion\Uninstall\
PTF://
hXXps://
AI_MORE_CMD_LINE=1
msiexec.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\TempPackages
MsiInstaller.cpp
UninstallMsg
InstallExecuteAgain
InstallExecute
InstallExecuteSequence
1500000
3000000
InstallMonitor.cpp
(.*)(?:\{)?(.*)\[1\](.*)(?:\})?(.*)(.*)\{(.*)\[.\](.*)\}(.*)(.*)\[.\](.*)
(.*)(\{[^}]*\})(.*)[1-9]: (.*)
ARPURLUPDATEINFO
ARPURLINFOABOUT
zzzzzzzzz.zzzzzzzzzzzzzzzzzzzzzz
c:\%original file name%.exe
Copy URL In Clipboard
You must locate, download and install the following prerequisites onto your computer. Double click on an URL to open it in your web browser.
Password:
Show password
This archive is corrupted.(This archive has an unsupported version.'Windows Installer could not be started.)An error occurred while reading the file.#An error occurred while extracting.
Select the download folder.R%s can not be installed on systems with Windows Installer version smaller than %s.
ErrorkThis package requires Windows Installer version "%s". You have "%s".
Please upgrade your Windows Installer.
%s Options(Extracting the main application files...
%s [options]
/listlangs - list languages supported by this setup
/exenoui - launches the EXE setup without UI
/exebasicui - launches the EXE setup with basic UI
/exelang <langId> - launches the EXE setup using the specified language
/password - password used by the proxy
/exelog<path_to_log_file> - creates a log file at specified path
/exenoupdates - does not check for a newer version
<msiOptions> - options for msiexec.exe on running the MSI package
Installing %s4Press the Next button to download the prerequisites.3Press the Next button to install the prerequisites.;Press the Next button to open the prerequisites' web sites.8Press the Finish button to install the main application.
%s Setup
Required: %s or lower.
Required: %s or higher.
Required: between %s and %s.
Found: %s.
NameCPress the Finish button when you are done and ready to install %s. 3Press the Next button to install the prerequisites.
Error: %s
Installing %s from: %sZSome prerequisites could not be installed. Press Back to return to the prerequisites list.{After launching all packages some required prerequisites are still missing. Press Back to return to the prerequisites list.aAll prerequisites have been installed successfully. Press Finish to install the main application.&Welcome to the %s Prerequisites Wizard%d.%d KB/slSome required prerequisites are still missing. You can try again or remove them from the prerequisites list.
%d hr %d min at %s/sec
%d min %d sec at %s/sec
%d sec at %s/sec
Progress: %d%% (%s of %s) Downloading: %s %d%% (%s of %s)
Opening site of %s
Downloading %s Extracting files from archive...
Extracting file to %s0The %s file can't be unpacked. Error message: %saThe Java Runtime Environment version 1.5 or later must be installed in order to unpack JAR files.-Another instance of setup is already running.
%s cannot be installed on %s<%s cannot be installed on the following Windows versions: %sP%s cannot be installed on systems with Internet Explorer version smaller than %s\%s cannot be installed on systems with Internet Information Services version smaller than %sH%s cannot be installed on systems with screen resolution smaller than %sJ%s cannot be installed on systems with color quality smaller than %s bits.G%s cannot be installed on systems with less physical memory than %s MB.M%s cannot be installed on systems with .NET Framework version smaller than %s1%s requires administrative privileges to install.
Unpacking file:%syThere is not enough space in folder:%s
Preparing...L%s can not be installed on systems with Adobe Reader version smaller than %s
%s Languages
B%s cannot be installed on systems with JRE version smaller than %sF%s cannot be installed on systems with DirectX version smaller than %sw%s requires an active Internet connection for installation. Please check your network configuration and proxy settings.<%s cannot be installed on systems without %s 2003 or higher.<%s cannot be installed on systems without %s 2007 or higher.
QuestionOAn upgrade of the selected instance will be performed. Do you want to continue? Upgrade all installed instances.xThis package allows you to install multiple instances of %s. Please select the option you want and press OK to continue:L%s cannot be installed on systems with XNA Framework version smaller than %s
Evaluating launch conditions...B%s cannot be installed on systems with JDK version smaller than %s-%s can not be installed on systems without %s6%s cannot be installed on systems without %s or higher,%s cannot be installed on systems without %sK%s cannot be installed on systems without %s 2003 Primary Interop Assembly.K%s cannot be installed on systems without %s 2007 Primary Interop Assembly.-%s cannot be installed on systems without %s.<%s cannot be installed on systems without %s 2010 or higher.
Connect to %sNThe server %s at %s requires a username and password. Please enter them below.
Cannot acces URL: %sK%s cannot be installed on systems without %s 2010 Primary Interop Assembly.-%s cannot be installed on systems without %s.p%s cannot be installed because the current user does not have enough permissions to deploy SharePoint solutions.g%s cannot be installed because SharePoint Administration and SharePoint Timer services are not started.Y%s cannot be installed because the SharePoint solutions it contains are already deployed.
Failed>%s cannot be installed on systems running on virtual machines.F%s cannot be installed on systems without %s Primary Interop Assembly.PThere is a newer version of %s (%s).
Checking for a newer version...mFailed to download newer version (Error: %s). Would you like to retry or proceed and install current version?(Failed to read from file "%s". Error: %s'Failed to write in file "%s". Error: %s
Setup package was encrypted using AES 256 algorithm. To continue the setup process, you should provide the password needed to decrypt the package.?
Deleting extracted files...<%s cannot be installed on systems without %s 2013 or higher.EUnmatching digital signature between EXE bootstraper and MSI database
Invalid command line"Unable to init windows application
Internal errorNThis application cannot be installed on systems earlier than Windows 2000 SP4._This installation package is not supported by this processor type. Contact your product vendor.
Unexpected exception.XThe application ran into a problem that it couldn't handle.
Could not allocate memory.PParse error in file: "%1!ls!" at line: [%2!ld!] column: [%3!ld!] (code: %4!ls!).
Unsupported XML file encoding. File "%1!ls!" could not be read.
3.0.1
LeagueofLegends_EUW_Installer.exe
MsiExec.exe_2252:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
ole32.dll
msi.dll
PSSSSSSh
t%SSWV3
ntdll.dll
RegOpenKeyExW
RegCreateKeyExW
ReportEventW
RegCloseKey
RegDeleteKeyW
RegEnumKeyW
RegEnumKeyExW
RegGetKeySecurity
MsgWaitForMultipleObjects
_acmdln
_amsg_exit
msiexec.pdb
name="MSIExec"
version="4.0.0.0"
<description> Windows installer setup service </description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
> >$>(>,>4>8><>
Msi.dll
Software\Microsoft\Windows\CurrentVersion\Installer
passive
Kernel32.dll
FIsKeyLocalSystemOrAdminOrTrustedInstallersOwned: Could not get owner security info.
PurgeUserOwnedSubkeys: Could not open subkey: %s
PurgeUserOwnedSubkeys: Could not enumerate subkeys.
PurgeUserOwnedSubkeys: Could not delete SubKey tree.
PurgeUserOwnedSubkeys: %s not owned by System, Admin or Trusted Installers. Deleting key subkeys.
PurgeUserOwnedInstallerKeys: Could not delete tree.
PurgeUserOwnedInstallerKeys: Key '%s' not owned by System, Admin, or Trusted Installers. Deleting key subkeys.
PurgeUserOwnedInstallerKeys: Could not open key '%s'
OpenProcessToken failed with %d
OLEAUT32.dll
Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
SetInstallerACLs: Could not create Secure Installer sub key.
SetInstallerACLs: Could not delete Installer key tree.
SetInstallerACLs: Installer key not owned by System or Admin. Deleting key subkeys and re-creating.
SetInstallerACLs: Could not create Installer key.
Wait Failed in MsgWait.
kernel32.dll
APPID\%s
%s\DefaultIcon
%s\CLSID
CLSID\%s
CLSID\%s\ProgId
Msi.Package
Windows Installer Package
Msi.Patch
Windows Installer Patch
MsiExecCA32
{lX-0000-0000-C000-000000000046}MsiRegMv.Exe
ISMIF32.DLL
%d.%d.%.4d.%d
REINSTALL=ALL REINSTALLMODE=%s
Error: %d. %s.
Software\Policies\Microsoft\Windows\Installer
Failed to connect to server. Error: 0x%X
FDeleteRegTree: Unable to delete subkey: %s
Windows
5.0.7601.17514 (win7sp1_rtm.101119-1850)
msiexec
msiexec.exe
Windows Installer - Unicode
5.0.7601.17514
vcredist_x64.exe_3272:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
COMCTL32.dll
VERSION.dll
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
33333330
3333333
33333333
VCREDI~2.EXE
icrosoft.VC80.MFCLOC.cat
.8.00.Microsoft.VC80.MFCLOC.cat
Microsoft.VC80.OpenMP.cat
policy.8.00.Microsoft.VC80.OpenMP.cat
vcredist.msi
vcredis1.cab
* support services
2. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use. For additional information, see VVV.microsoft.com/exporting.
6. SUPPORT SERVICES. Because this software is
we may not provide support services for it.
7. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the software and support services.
9. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the software. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
/C:<Cmd> -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
WEXTRACT.EXE
Windows
Operating System
6.00.2900.2180
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TPAutoConnSvc.exe:1776
GoogleUpdate.exe:2972
GoogleUpdate.exe:2568
GoogleUpdate.exe:492
%original file name%.exe:600
setup.exe:2688
taskeng.exe:2172
39.0.2171.95_chrome_installer.exe:3348
MsiExec.exe:2252
- Delete the original Trojan-Dropper file.
- Delete or disinfect the following files created/modified by the Trojan-Dropper:
%Program Files% (x86)\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\39.0.2171.95\39.0.2171.95_chrome_installer.exe (309253 bytes)
%Program Files% (x86)\Google\Update\Install\{19171A5A-1060-4B7D-86A1-49C9FF206701}\39.0.2171.95_chrome_installer.exe (327230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\ResourceCleaner.dll (4451 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI90FC.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\tabback (854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\lzmaextractor.dll (452 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI77DE.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends 3.0.1\install\LoL.EUW.msi (29679 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\completi (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\dialog (940 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\removico (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\aipackagechainer.exe (3243 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\cmdlinkarrow (864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\LoLIconBanner.jpg_1 (802 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\Prereq.dll (3547 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\banner (374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI782D.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_11BFDD5895E992E1D3AE9CF87B14B921 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9552.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\repairic (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI785D.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_11BFDD5895E992E1D3AE9CF87B14B921 (1592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\insticon (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\info (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\New (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9708.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\aicustact.dll (1251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\Up (318 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9 (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\Ashe_Background.jpg_1 (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\TxtUpdater.dll (3667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\exclamic (766 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AI_EXTUI_BIN_3276\custicon (1000 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI9541.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI7722.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\DXSETUP.exe (5257 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dxupdate.cab (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\DSETUP.dll (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_d3dx9_39_x86.cab (11034 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_XAudio_x86.cab (2569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\vcredist_x64.exe (24833 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dxdllreg_x86.cab (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dsetup32.dll (12751 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\Aug2008_d3dx10_39_x86.cab (8737 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\vcredist_x86.exe (20901 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Riot Games\League of Legends\prerequisites\dxnt.cab (105063 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\pdf.dll (58 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\vi.pak (637 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\Chrome-bin\39.0.2171.95\Locales\lt.pak (552 bytes)
%Program Files% (x86)\Google\Chrome\Temp\source2688_6892\chrome.7z (268785 bytes)
C:\Windows\Tasks\{79BF4901-1EC4-4726-B3C2-A7859706C6E7}.job (3 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"{79BF4901-1EC4-4726-B3C2-A7859706C6E7}" = "c:\%original file name%.exe /cmdloc HKCU\Software\Riot Games AiTemp\{79BF4901-1EC4-4726-B3C2-A7859706C6E7}"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.