Gen.Variant.Strictor.163942_9096b67474
Gen:Variant.Strictor.163942 (BitDefender), PUA:Win32/Spigot (Microsoft), not-a-virus:AdWare.Win32.BHO.bgvu (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Adware.Spigot.139 (DrWeb), Application.Toolbar (A) (Emsisoft), Artemis!9096B6747499 (McAfee), ML.Attribute.HighConfidence (Symantec), PUA.BrowserIO (Ikarus), Gen:Variant.Razy.283100 (FSecure), Win32:Adware-gen [Adw] (AVG), Win32:Adware-gen [Adw] (Avast), ADW_BROWSERIO (TrendMicro), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
This description was automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 9096b6747499bfc5d66441753b44421e
SHA1: 23d8eec09ddd0f7ad513426f850c436cf1719b75
SHA256: a16049009fc801c71399a146e6c6c4d802d02116f5d49504de5b262a626a4467
SSDeep: 24576:adqI6d5j5miM1tIY76hQfMxzqe3VIjD0wth9qWoWkBrMJQs:Y96LtZY7zema40hWoWkBU
Size: 1267864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: GlobalSign
Created at: 2016-07-25 03:55:51
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3552
GoogleUpdate.exe:2868
GoogleUpdate.exe:3952
GoogleUpdate.exe:4068
GoogleUpdate.exe:2932
GoogleUpdate.exe:288
GoogleUpdate.exe:3268
GoogleUpdateSetup.exe:2660
The Trojan injects its code into the following process(es):
Login Now.exe:3596
UI0Detect.exe:4076
UI0Detect.exe:4028
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8D.tmp\npHelper.dll (13985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\Login Now.exe (38544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8C.tmp (55302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\Uninstall.exe (9428 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8D.tmp\System.dll (23 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8D.tmp\npHelper.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nswDE7C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8D.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8D.tmp (0 bytes)
The process Login Now.exe:3596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\settings[1] (976 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab2ACB.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\down-arrow[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1554.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gradient[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\main[1] (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Sprite_Email_V6[1] (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.newsTicker[1] (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\api[1].js (18373 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1555.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1566.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1710 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1556.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1944 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\main_email[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery_min[1] (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ie[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\search-icon[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar2ACC.tmp (2712 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1555.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1554.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1566.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1556.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab2ACB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar2ACC.tmp (0 bytes)
The process GoogleUpdate.exe:3952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\Install\{DFDEFC36-7121-4D40-BC53-F993F9F529BD}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\54.0.2840.59\54.0.2840.59_chrome_installer.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{4F420220-357A-4FF0-A1D5-7A3B7A1DB72B}-GoogleUpdateSetup.exe (0 bytes)
The process GoogleUpdate.exe:288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\GUM891C.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\GUM891C.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
The Trojan deletes the following file(s):
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdate.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psuser_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fil.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ms.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_am.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bg.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_bn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_it.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\npGoogleUpdate3.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_mr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ur.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lt.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ja.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_tr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ko.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ml.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_cs.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ru.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_is.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_kn.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fa.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ta.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_pl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ro.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_no.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_uk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_el.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\psmachine_64.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_vi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_da.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_th.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdate.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hu.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_hi.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ca.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sk.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en-GB.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_te.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_iw.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_et.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_en.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_id.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_ar.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_de.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_nl.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_sr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_lv.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_fr.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_es-419.dll (0 bytes)
%Program Files%\Google\Update\1.3.31.5\goopdateres_gu.dll (0 bytes)
The process GoogleUpdateSetup.exe:2660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\GUM891C.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM891C.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM891C.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM891C.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM891C.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM891C.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM891C.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM891C.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM891C.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM891C.tmp\psuser.dll (206 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdate.dll (2632 bytes)
%Program Files%\GUM891C.tmp\goopdateres_en.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM891C.tmp (32 bytes)
%Program Files%\GUM891C.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM891C.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM891C.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM891C.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM891C.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUT891D.tmp (7 bytes)
%Program Files%\GUM891C.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM891C.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ru.dll (42 bytes)
The Trojan deletes the following file(s):
%Program Files%\GUM891C.tmp\goopdateres_ta.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateCore.exe (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateComRegisterShell64.exe (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_de.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_id.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sv.dll (0 bytes)
%Program Files%\GUM891C.tmp\npGoogleUpdate3.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ar.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_en-GB.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pl.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ml.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hu.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_iw.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_es-419.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateHelper.msi (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_et.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_da.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_nl.dll (0 bytes)
%Program Files%\GUM891C.tmp\psuser.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fi.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_am.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdate.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_en.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fil.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sw.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_bn.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_zh-CN.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateBroker.exe (0 bytes)
%Program Files%\GUM891C.tmp (0 bytes)
%Program Files%\GUM891C.tmp\psuser_64.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fa.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ms.dll (0 bytes)
%Program Files%\GUT891D.tmp (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_gu.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleCrashHandler.exe (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_tr.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ja.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleCrashHandler64.exe (0 bytes)
%Program Files%\GUM891C.tmp\psmachine.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ro.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_cs.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_lv.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fr.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ko.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateSetup.exe (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sr.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_vi.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sl.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_it.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_mr.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ur.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_th.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_lt.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_el.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_es.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hr.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_zh-TW.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pt-BR.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ca.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hi.dll (0 bytes)
%Program Files%\GUM891C.tmp\psmachine_64.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_bg.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sk.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_kn.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_te.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdate.exe (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_is.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pt-PT.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_uk.dll (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_no.dll (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateOnDemand.exe (0 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateWebPlugin.exe (0 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ru.dll (0 bytes)
Registry activity
The process %original file name%.exe:3552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\uninstall.exe Login Now"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"UninstallImp" = "http://imp.browserio.com/do/install?value=uninstall&source=s-ccc3-lp0-bb8-sbe&uc=20180227&uid=8764d2ad-28c9-4cad-9a35-a27313574bb5&iid=bio-sbe-email&domain=hloginnow.net&ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299&partner=appfocus1"
"DisplayVersion" = "1.44.0.5"
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Local\Login Now"
"SearchBarUrl" = "https://search.browserio.com/search?q={searchTerms}&source=s-ccc3-lp0-bb8-sbe&uid=8764d2ad-28c9-4cad-9a35-a27313574bb5&uc=20180227&iid=bio-sbe-email&domain=hloginnow.net&partner=appfocus1"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"Publisher" = "Architecture Software"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"DisplayName" = "Login Now"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\Login Now.exe,2"
[HKLM\SOFTWARE\Microsoft\Tracing\9096b6747499bfc5d66441753b44421e_RASMANCS]
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Login Now" = "C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\Login Now.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process Login Now.exe:3596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"selectedBrw" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"LastUpdateCheck" = "1529467461"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\Login Now_RASMANCS]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Login Now]
"FileRemovedAtRestart"
The process GoogleUpdate.exe:2868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:3952 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"RollCallDayStartSec" = "1529391604"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"StateValue" = "3"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ActivePingDayStartSec" = "1529391604"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
"StateValue" = "16"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"DayOfLastActivity" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Hint" = ""
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
"StateValue" = "16"
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Hint" = ""
[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallTimeRemainingMs" = "0"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{B2994D52-B976-4EE3-BB75-7BCA5C778D6A}]
"PersistedPingString" = "
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"DayOfLastRollCall" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"InstallProgressPercent" = "100"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"RollCallDayStartSec" = "1529391604"
"ping_freshness" = "{8E38A0AF-1682-422F-994F-74698F5533A7}"
[HKLM\SOFTWARE\Google\Update]
"LastChecked" = "1529467471"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"(Default)" = "1:b8:"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"pv" = "54.0.2840.59"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.31.5"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\cohort]
"Name" = "Stable"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ping_freshness" = "{1E829720-A8A8-409C-8D32-E1CF0C9D5A3A}"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ActivePingDayStartSec" = "1529391604"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{FDBFC7B5-8945-4A0A-9597-57AC138F8DC1}]
"PersistedPingString" = "
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"Name" = "Everyone Else"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{B2994D52-B976-4EE3-BB75-7BCA5C778D6A}]
"PersistedPingTime" = "131739410642642283"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"DayOfLastActivity" = "4187"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"ping_freshness" = "{A6ECB65A-78B7-4722-B432-BF5A4A0830F5}"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\cohort]
"(Default)" = "1:9co:"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
"DownloadProgressPercent" = "0"
"DownloadTimeRemainingMs" = "4294967295"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"LastCheckSuccess" = "1529467471"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"RollCallDayStartSec" = "1529391604"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{FDBFC7B5-8945-4A0A-9597-57AC138F8DC1}]
"PersistedPingTime" = "131739410718458416"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{B2994D52-B976-4EE3-BB75-7BCA5C778D6A}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{FDBFC7B5-8945-4A0A-9597-57AC138F8DC1}]
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState]
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\CurrentState]
The Trojan deletes the following value(s) in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerSuccessLaunchCmdLine"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerExtraCode1"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
"LastInstallerError"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerResult"
"LastInstallerResultUIString"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastInstallerError"
[HKLM\SOFTWARE\Google\Update]
"uid"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"tttoken"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"tttoken"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr"
[HKLM\SOFTWARE\Google\Update]
"LastInstallerSuccessLaunchCmdLine"
"LastInstallerExtraCode1"
"LastInstallerResult"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr"
The process GoogleUpdate.exe:4068 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Google\Update\proxy]
"source" = "IEWPAD"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}]
"(Default)" = "IJobObserver2"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods]
"(Default)" = "13"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Google.OneClickProcessLauncherMachine]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods]
"(Default)" = "41"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}]
"(Default)" = "IAppCommand2"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\GoogleUpdate.Update3WebMachine\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}]
"(Default)" = "IProgressWndEvents"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.ProcessLauncher"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}]
"(Default)" = "IGoogleUpdate3"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}]
"(Default)" = "IGoogleUpdate"
[HKCR\GoogleUpdate.CoreMachineClass.1\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine"
[HKCR\GoogleUpdate.CoreMachineClass\CurVer]
"(Default)" = "GoogleUpdate.CoreMachineClass.1"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}]
"(Default)" = "IAppCommand"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}]
"(Default)" = "IOneClickProcessLauncher"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.CoreMachineClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}]
"(Default)" = "IJobObserver"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoreMachineClass\CLSID]
"(Default)" = "{9B2340A0-4068-43D6-B404-32E27217859D}"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods]
"(Default)" = "5"
[HKCR\Google.OneClickProcessLauncherMachine\CurVer]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID]
"(Default)" = "{B3D28DBD-0DFA-40E4-8071-520767BADC7E}"
[HKCR\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}]
"(Default)" = "ICoCreateAsyncStatus"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
"(Default)" = "CoCreateAsync"
[HKCR\GoogleUpdate.CoreMachineClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CoCreateAsync\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.CredentialDialogMachine.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}]
"(Default)" = "IAppBundle"
[HKCR\GoogleUpdate.ProcessLauncher\CurVer]
"(Default)" = "GoogleUpdate.ProcessLauncher.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\GoogleUpdate.Update3WebMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}]
"(Default)" = "IAppWeb"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods]
"(Default)" = "4"
[HKCR\Google.OneClickProcessLauncherMachine\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods]
"(Default)" = "41"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CredentialDialogMachine"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}]
"(Default)" = "IGoogleUpdate3WebSecurity"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}]
"(Default)" = "IRegistrationUpdateHook"
[HKCR\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}]
"(Default)" = "ICurrentState"
[HKCR\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods]
"(Default)" = "17"
[HKCR\GoogleUpdate.Update3WebMachine.1.0\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreMachineClass"
[HKCR\GoogleUpdate.CredentialDialogMachine\CLSID]
"(Default)" = "{25461599-633D-42B1-84FB-7CD68D026E53}"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}]
"(Default)" = "IPackage"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine"
[HKCR\GoogleUpdate.CoCreateAsync\CurVer]
"(Default)" = "GoogleUpdate.CoCreateAsync.1.0"
[HKCR\GoogleUpdate.ProcessLauncher.1.0]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}]
"(Default)" = "IGoogleUpdateCore"
[HKCR\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}]
"(Default)" = "IProcessLauncher2"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods]
"(Default)" = "4"
[HKCR\GoogleUpdate.Update3WebMachineFallback]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"ThreadingModel" = "Both"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}]
"(Default)" = "IAppVersion"
[HKCR\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods]
"(Default)" = "10"
[HKCR\GoogleUpdate.CredentialDialogMachine\CurVer]
"(Default)" = "GoogleUpdate.CredentialDialogMachine.1.0"
[HKCR\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"(Default)" = "Google Update Core Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0]
"(Default)" = "Google.OneClickProcessLauncher"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CurVer]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoCreateAsync"
[HKCR\GoogleUpdate.CredentialDialogMachine]
"(Default)" = "GoogleUpdate CredentialDialog"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}]
"(Default)" = "IAppCommandWeb"
[HKCR\GoogleUpdate.CoCreateAsync.1.0]
"(Default)" = "CoCreateAsync"
[HKCR\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}]
"(Default)" = "IApp"
[HKCR\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods]
"(Default)" = "12"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}]
"(Default)" = "IApp2"
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\Google.OneClickProcessLauncherMachine.1.0\CLSID]
"(Default)" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.Update3WebMachine\CLSID]
"(Default)" = "{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.ProcessLauncher]
"(Default)" = "Google Update Process Launcher Class"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}]
"(Default)" = "IAppVersionWeb"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebMachine"
[HKCR\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods]
"(Default)" = "10"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
"IconReference" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-1004"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3WebMachineFallback.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}]
"(Default)" = "IGoogleUpdate3Web"
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe"
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
"Enabled" = "1"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}]
"(Default)" = "IAppBundleWeb"
[HKCR\GoogleUpdate.CoCreateAsync]
"(Default)" = "CoCreateAsync"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe"
[HKCR\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachineFallback"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"CLSID" = "{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}"
[HKCR\GoogleUpdate.CoCreateAsync.1.0\CLSID]
"(Default)" = "{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}"
[HKCR\CLSID\{4FA480D8-32A4-4849-B774-DE8BD5242A4C}]
"(Default)" = "PSFactoryBuffer"
[HKCR\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.ProcessLauncher.1.0\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebMachineFallback.1.0"
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods]
"(Default)" = "43"
[HKCR\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\GoogleUpdate.Update3WebMachineFallback\CLSID]
"(Default)" = "{598FE0E5-E02D-465D-9A9D-37974A28FD42}"
[HKCR\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
"LocalizedString" = "@%Program Files%\Google\Update\1.3.33.17\goopdate.dll,-3000"
[HKCR\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}]
"(Default)" = "IProcessLauncher"
[HKCR\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32]
"(Default)" = "{4FA480D8-32A4-4849-B774-DE8BD5242A4C}"
[HKCR\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}]
"(Default)" = "ICoCreateAsync"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
"Policy" = "3"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine.1.0]
"(Default)" = "Google Update Broker Class Factory"
[HKCR\GoogleUpdate.ProcessLauncher\CLSID]
"(Default)" = "{ABC01078-F197-4B0B-ADBC-CFE684B39C82}"
[HKCR\GoogleUpdate.OnDemandCOMClassMachine\CLSID]
"(Default)" = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}"
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassMachine.1.0"
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\psmachine.dll"
[HKCR\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}]
"(Default)" = "ICredentialDialog"
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
"(Default)" = "Google.OneClickProcessLauncherMachine.1.0"
[HKCR\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}]
"(Default)" = "IBrowserHttpRequest2"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID]
[HKCR\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID]
[HKCR\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}]
[HKCR\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}]
[HKCR\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID]
[HKCR\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32]
[HKCR\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32]
[HKCR\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID]
[HKCR\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32]
[HKCR\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32]
[HKCR\CLSID\{71D2697F-5C53-4AAD-98E8-7FAEA818C36B}\InprocHandler32]
[HKCR\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}]
The Trojan deletes the following value(s) in the system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
The process GoogleUpdate.exe:288 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\Google.Update3WebControl.3\CLSID]
"(Default)" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\Google.OneClickCtrl.9]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update]
"UninstallCmdLine" = "%Program Files%\Google\Update\GoogleUpdate.exe /uninstall"
[HKCR\Google.Update3WebControl.3]
"(Default)" = "Google Update Plugin"
[HKCR\Google.OneClickCtrl.9\CLSID]
"(Default)" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName" = "GoogleUpdateBroker.exe"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName" = "Google Update"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
"(Default)" = "Google.OneClickCtrl.9"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description" = "Google Update"
[HKLM\SOFTWARE\Google\Update]
"LastOSVersion" = "1C 01 00 00 06 00 00 00 01 00 00 00 B1 1D 00 00"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"LastCheckSuccess" = "1529467513"
[HKLM\SOFTWARE\Google\Update]
"Version" = "1.3.33.17"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
"(Default)" = "Google.Update3WebControl.3"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"(Default)" = "Google Update Plugin"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description" = "Google Update"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"vendor" = "Google Inc."
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID" = "{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"(Default)" = "Google Update Plugin"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateTime" = "1529467513"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"(Default)" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"pv" = "1.3.33.17"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{25545C02-14FF-4F10-B7FC-388BF0943F67}]
"PersistedPingString" = "
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Google\Update]
"IsMSIHelperRegistered" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"vendor" = "Google Inc."
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version" = "9"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath" = "%Program Files%\Google\Update\1.3.33.17"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName" = "Google Update"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Google\Update\1.3.31.5,"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Version" = "3"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
"(Default)" = "CATID_AppContainerCompatible"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path" = "%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName" = "GoogleUpdateWebPlugin.exe"
[HKLM\SOFTWARE\Google\Update]
"Path" = "%Program Files%\Google\Update\GoogleUpdate.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"Policy" = "3"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID" = "{C442AC41-9200-4770-8CC0-7CDB4F245C55}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy" = "3"
[HKLM\SOFTWARE\Google\Update\PersistedPings\{25545C02-14FF-4F10-B7FC-388BF0943F67}]
"PersistedPingTime" = "131739411138411154"
[HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}]
"Name" = "Google Update"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains\*]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKLM\SOFTWARE\Google\Update\PersistedPings\{25545C02-14FF-4F10-B7FC-388BF0943F67}]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Implemented Categories]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
[HKCR\Google.Update3WebControl.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKCR\Google.OneClickCtrl.9]
[HKCR\Google.Update3WebControl.3\CLSID]
[HKCR\Google.OneClickCtrl.9\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\iexplore\AllowedDomains\*]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID]
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore\AllowedDomains]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\iexplore]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppName"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableCount"
[HKLM\SOFTWARE\Google\Update]
"LastCodeRedCheck"
[HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"UpdateAvailableSince"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Path"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"AppPath"
[HKLM\SOFTWARE\Google\Update]
"old-uid"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Path"
[HKLM\SOFTWARE\Google\Update]
"eulaaccepted"
[HKCR\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Description"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Vendor"
[HKLM\SOFTWARE\Google\Update]
"uid"
"LastChecked"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3]
"CLSID"
[HKLM\SOFTWARE\Google\Update]
"ui"
[HKCR\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9]
"CLSID"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"Vendor"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"Version"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppPath"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3]
"ProductName"
"Version"
[HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9]
"ProductName"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}]
"AppName"
"Policy"
[HKCR\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}]
"Policy"
[HKLM\SOFTWARE\Google\Update]
"mi"
The process GoogleUpdate.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\GoogleUpdate.Update3WebSvc\CurVer]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\GoogleUpdate.Update3COMClassService]
"(Default)" = "Update3COMClass"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\GoogleUpdate.Update3COMClassService\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.CoreClass.1]
"(Default)" = "Google Update Core Class"
[HKCR\GoogleUpdate.Update3WebSvc\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\GoogleUpdate.Update3COMClassService.1.0\CLSID]
"(Default)" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.Update3WebSvc.1.0\CLSID]
"(Default)" = "{534F5323-3569-4F42-919D-1E1CF93E5BF6}"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc"
[HKCR\GoogleUpdate.Update3COMClassService.1.0]
"(Default)" = "Update3COMClass"
[HKCR\AppID\GoogleUpdate.exe]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "ServiceModule"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"LocalService" = "gupdatem"
[HKCR\GoogleUpdate.Update3WebSvc.1.0]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.Update3WebSvc]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
"(Default)" = "GoogleUpdate Update3Web"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"(Default)" = "Update3COMClass"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "Google Update Legacy On Demand"
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"(Default)" = "ServiceModule"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.CoreClass"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.CoreClass\CurVer]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.CoreClass]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
"(Default)" = "GoogleUpdate.Update3WebSvc"
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"LocalService" = "gupdate"
[HKCR\GoogleUpdate.CoreClass.1\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
[HKCR\GoogleUpdate.Update3COMClassService\CurVer]
"(Default)" = "GoogleUpdate.Update3COMClassService.1.0"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0]
"(Default)" = "Google Update Legacy On Demand"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"AppID" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
"(Default)" = "GoogleUpdate.CoreClass.1"
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
"(Default)" = "Google Update Core Class"
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
"AppID" = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
"ServiceParameters" = "/comsvc"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CLSID]
"(Default)" = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}"
[HKCR\GoogleUpdate.OnDemandCOMClassSvc\CurVer]
"(Default)" = "GoogleUpdate.OnDemandCOMClassSvc.1.0"
[HKCR\GoogleUpdate.CoreClass\CLSID]
"(Default)" = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}]
[HKCR\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}]
[HKCR\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID]
[HKCR\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}]
[HKCR\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID]
[HKCR\AppID\GoogleUpdate.exe]
[HKCR\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update]
"uid"
"old-uid"
Dropped PE files
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: GlobalSign
Product Name:
Product Version: 1.44.0.5
Legal Copyright: Copyright GlobalSign
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.44.0.5
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 24925 | 25088 | 4.47096 | 0b0812166ebbd0109e7f5e007b182949 |
.rdata | 32768 | 5028 | 5120 | 3.57872 | 4ac891d4ddf58633f14436f9f80ac6b6 |
.data | 40960 | 131896 | 1536 | 2.76039 | 66b45fceba0f24d768fb09e0afe23c99 |
.ndata | 176128 | 159744 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 335872 | 59512 | 59904 | 5.11079 | 99abc723018eda1065c64a1d36086a42 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
e5f8c9e73f34ff3d6e5c3ab1456ae2c7
61ef9aad6729be0aed713dde0d4ad2b5
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3552
GoogleUpdate.exe:2868
GoogleUpdate.exe:3952
GoogleUpdate.exe:4068
GoogleUpdate.exe:2932
GoogleUpdate.exe:288
GoogleUpdate.exe:3268
GoogleUpdateSetup.exe:2660
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8D.tmp\npHelper.dll (13985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\Login Now.exe (38544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8C.tmp (55302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\Uninstall.exe (9428 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslDE8D.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\settings[1] (976 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab2ACB.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\down-arrow[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1554.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gradient[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\main[1] (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Sprite_Email_V6[1] (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.newsTicker[1] (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\api[1].js (18373 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1555.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1566.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1710 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1556.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1944 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\main_email[1] (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery_min[1] (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ie[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\search-icon[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar2ACC.tmp (2712 bytes)
%Program Files%\Google\Update\Install\{DFDEFC36-7121-4D40-BC53-F993F9F529BD}\GoogleUpdateSetup.exe (7596 bytes)
%Program Files%\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.33.17\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-CN.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_id.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_nl.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_is.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_cs.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_mr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_th.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ml.dll (95 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_am.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdate.dll (34489 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_kn.dll (89 bytes)
%Program Files%\GUM891C.tmp\goopdateres_en.dll (45 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateHelper.msi (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pl.dll (88 bytes)
%Program Files%\GUM891C.tmp\goopdate.dll (49 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es-419.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ms.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\psmachine_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bg.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ko.dll (78 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateBroker.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_no.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler.exe (4210 bytes)
%Program Files%\Google\Update\1.3.33.17\psuser_64.dll (3778 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_gu.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_et.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_it.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lt.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ru.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ar.dll (86 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_iw.dll (80 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fa.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateSetup.exe (22576 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ta.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-PT.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ur.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_lv.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_vi.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sl.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_en-GB.dll (87 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\npGoogleUpdate3.dll (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_bn.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ro.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_de.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ca.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_el.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hu.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_es.dll (94 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_pt-BR.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateOnDemand.exe (1738 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sw.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleCrashHandler64.exe (6250 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fi.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_zh-TW.dll (76 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_te.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_uk.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_tr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateCore.exe (12490 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdate.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_da.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fr.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_sv.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_fil.dll (89 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_ja.dll (79 bytes)
%Program Files%\Google\Update\1.3.33.17\goopdateres_hr.dll (88 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateComRegisterShell64.exe (1954 bytes)
%Program Files%\Google\Update\1.3.33.17\GoogleUpdateWebPlugin.exe (1738 bytes)
%Program Files%\Google\Update\1.3.31.5 (28 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ta.dll (45 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateCore.exe (838 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateComRegisterShell64.exe (173 bytes)
%Program Files%\GUM891C.tmp\goopdateres_de.dll (45 bytes)
%Program Files%\GUM891C.tmp\goopdateres_id.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sv.dll (43 bytes)
%Program Files%\GUM891C.tmp\npGoogleUpdate3.dll (838 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ar.dll (41 bytes)
%Program Files%\GUM891C.tmp\goopdateres_en-GB.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pl.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ml.dll (46 bytes)
%Program Files%\GUM891C.tmp\psmachine_64.dll (248 bytes)
%Program Files%\GUM891C.tmp\goopdateres_iw.dll (40 bytes)
%Program Files%\GUM891C.tmp\goopdateres_es-419.dll (43 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateHelper.msi (40 bytes)
%Program Files%\GUM891C.tmp\goopdateres_et.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_da.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_nl.dll (44 bytes)
%Program Files%\GUM891C.tmp\psuser.dll (206 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fi.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_am.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fil.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sw.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_bn.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_zh-CN.dll (36 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateBroker.exe (96 bytes)
%Program Files%\GUM891C.tmp\psuser_64.dll (248 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fa.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ms.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_gu.dll (44 bytes)
%Program Files%\GUM891C.tmp\GoogleCrashHandler.exe (550 bytes)
%Program Files%\GUM891C.tmp\goopdateres_tr.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ja.dll (39 bytes)
%Program Files%\GUM891C.tmp\GoogleCrashHandler64.exe (550 bytes)
%Program Files%\GUM891C.tmp\psmachine.dll (206 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ro.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_cs.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_lv.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_fr.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ko.dll (38 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateSetup.exe (7547 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sr.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_vi.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sl.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_it.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_mr.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hu.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_th.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_lt.dll (42 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ur.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_el.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_es.dll (45 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hr.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_zh-TW.dll (36 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pt-BR.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ca.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_hi.dll (43 bytes)
%Program Files%\GUT891D.tmp (7 bytes)
%Program Files%\GUM891C.tmp\goopdateres_bg.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_sk.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_kn.dll (44 bytes)
%Program Files%\GUM891C.tmp\goopdateres_te.dll (44 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdate.exe (308 bytes)
%Program Files%\GUM891C.tmp\goopdateres_is.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_pt-PT.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_uk.dll (43 bytes)
%Program Files%\GUM891C.tmp\goopdateres_no.dll (43 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateOnDemand.exe (96 bytes)
%Program Files%\GUM891C.tmp\GoogleUpdateWebPlugin.exe (96 bytes)
%Program Files%\GUM891C.tmp\goopdateres_ru.dll (42 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Login Now" = "C:\Users\"%CurrentUserName%"\AppData\Local\Login Now\Login Now.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.