Trojan.Generic.12555347_430f7a17ff – Adaware

Trojan-Dropper.Win32.Agent.pfaq (Kaspersky), Trojan.Generic.12555347 (B) (Emsisoft), Trojan.Generic.12555347 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 430f7a17ff6bd4f5a8e129583e1b8a23

SHA1: 047cd149f0683d0f7f111d0773e4543f475b424b

SHA256: 93ba219839ab0fd1a8c16d012688d7b7f41f3f7c099216451b8985112630d45f

SSDeep: 12288:AoucvQQACqe5gcEfjpo24PKCNRD2BsnmIvL7m1uMMM7 fiuGXLL:A3cvQYefjZFCNRyBsnxTi15T qb

Size: 732680 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Destiny Media

Created at: 2014-12-10 23:16:41

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

CatalinaUpdate.exe:1964
CatalinaUpdate.exe:332
CatalinaUpdate.exe:260
%original file name%.exe:440

The Trojan injects its code into the following process(es):

CatalinaUpdate.exe:1668
CatalinaUpdate.exe:480

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process CatalinaUpdate.exe:332 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\Install (0 bytes)

The process CatalinaUpdate.exe:480 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll (22 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll (26 bytes)

The process %original file name%.exe:440 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp (0 bytes)

Registry activity

The process CatalinaUpdate.exe:1964 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"CLSID" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}]
"(Default)" = "ICatalinaUpdate3WebSecurity"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}]
"(Default)" = "IAppBundle"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}\InProcServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\NumMethods]
"(Default)" = "39"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\NumMethods]
"(Default)" = "13"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}]
"(Default)" = "ICredentialDialog"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}]
"(Default)" = "ICatalinaUpdate"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}]
"(Default)" = "Update3COMClass"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}]
"(Default)" = "IAppVersionWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}]
"(Default)" = "IOneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}]
"(Default)" = "ICoCreateAsync"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}]
"(Default)" = "ICurrentState"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}]
"(Default)" = "IAppBundleWeb"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}]
"(Default)" = "IApp"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\NumMethods]
"(Default)" = "5"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\CLSID\{554335BD-87F8-43DA-806A-741504EEFF62}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 0F E4 E2 59 99 9F 9A C4 9C A6 4A E7 85 EC 7A"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\NumMethods]
"(Default)" = "44"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\VersionIndependentProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\NumMethods]
"(Default)" = "9"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\NumMethods]
"(Default)" = "6"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"Policy" = "3"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}]
"(Default)" = "ICatalinaUpdateCore"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\ProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CurVer]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}]
"(Default)" = "ICatalinaUpdate3"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}]
"(Default)" = "IJobObserver"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}]
"(Default)" = "IAppVersion"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}]
"(Default)" = "ICatalinaUpdate3Web"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}]
"(Default)" = "IBrowserHttpRequest2"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}]
"(Default)" = "IPackage"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\ProxyStubClsid32]
"(Default)" = "{554335BD-87F8-43DA-806A-741504EEFF62}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\LocalServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}]
"(Default)" = "IAppWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}]
"(Default)" = "IProcessLauncher"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\ProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}]
"(Default)" = "IProgressWndEvents"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}]
"(Default)" = "IRegistrationUpdateHook"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{D6C70234-3948-4009-8568-A538F47646CB}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:332 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 01 09 A6 B2 14 7C 8A 41 CB BA 2A 55 70 95 92"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"tttoken"
"iid"

The process CatalinaUpdate.exe:260 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 99 C7 81 ED DD B8 D2 9A F8 01 29 07 10 DE 68"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "03 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "05 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:1668 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 86 8D 61 11 2C D2 F6 FC 07 EC 55 F9 5F 89 07"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

The process CatalinaUpdate.exe:480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"Policy" = "3"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\ProgID]
"(Default)" = "CatalinaGroup.OneClickCtrl.9"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"iid" = "{CD3BB725-90A5-49B2-B11E-B14F3713DCD6}"

[HKCU\Software\CatalinaGroup\Update]
"UID" = "{06B9B04D-EBAB-411B-BD4E-3CEEFF48E59E}"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.oneclickctrl.9]
"CLSID" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9\CLSID]
"(Default)" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"Policy" = "3"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.update3webcontrol.3]
"CLSID" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppName" = "CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update]
"Version" = "1.3.25.215"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"Name" = "Catalina Update"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"InstallTime" = "1425726202"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Description" = "CatalinaGroup Update"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Description" = "CatalinaGroup Update"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"vendor" = "Catalina Group Ltd."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.215"
"brand" = "GGLS"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3\CLSID]
"(Default)" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppName" = "CatalinaUpdateOnDemand.exe"

[HKCU\Software\CatalinaGroup\Update]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update]
"CatalinaUpdate.exe" = "CatalinaGroup Update"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 0A 32 33 D0 1E BB E0 05 B2 1B 57 BF 83 BC 2F"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.215"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\ProgID]
"(Default)" = "CatalinaGroup.Update3WebControl.3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=9]
"Version" = "9"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\MozillaPlugins\@catalinahub.com/CatalinaGroup Update;version=3]
"Version" = "3"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"
"ui"
"LastChecked"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableSince"
"UpdateAvailableCount"

The process %original file name%.exe:440 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 50 D4 33 C3 EE A8 D3 8C AC A0 12 EF EF 9E 52"

Dropped PE files

MD5	File path
6cea215160ae4188fee4a92ef15dda05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe
6cea215160ae4188fee4a92ef15dda05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe
7ad1bcd40606876cb6680d83c9ec989a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe
2b3cf7ea69432a594e10f40cb922ac26	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe
2c2b5f94feeb782f83bb15f016a6bf68	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll
aaf96cdd105289e7ff35394d325cc3dc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll
a399a7747af02e7f6289398aa2265c3c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll
c3b2b4701849ea07b96fa137a6e94e02	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll
de800351848d365dd563631771f5b5b0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll
d8e741a14434f59b778db9e562625838	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll
6e27092a569dda3f4b0aa1a9948089a2	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll
c72c8072a466e9a32d2a926071bc400c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll
387cc6ea3e3b20fb7e55be314cf41ef9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll
fa3a9047608e216c68e83f3b3f4e62ec	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll
c18e8508c8b691aad860de077390d9d3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll
f8e1288bb72f67c25c367e5a61651bca	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll
e67f2ba7b2d5e2841e7f317080f3fd62	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll
4a80f1645d7dd9e9b1392841ad02d970	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll
d83ed084a47c3352d5e68404500ce4af	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll
a420edd640c17822899c730af0d516ad	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll
028b1d4af503a3209383ad0a2e1c6dac	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll
428a992a1329cebe4c48bb7d54ba44d7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll
6805edac4a9be23a70947c5d990dbf8c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll
f7e7d920bf9c0e98d350dd19a0dff5c3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll
05770102a6c300aa14d917b773b13f72	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll
4c7c2b2f13eb1d17fdeb8974f1b9a1ab	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll
5ae0ab73c27fa94752554f811e54548e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll
571702223ba20e311291c4641db8a0e5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll
b60ad05c51a0deb944c9b6d515ba3f75	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll
d140749f5da947cad9d95a568c92a412	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll
7572629ccdc27e59f98185b0b100a81d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll
e00fc2475ee6221a470f7a02304ef577	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll
1f9c169f28c96a84ad699ad7d8e8ecea	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll
5426cd1549caf223134627d50c8f2fd7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll
fcedbb1d3960e1ed1f208e426b461e47	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll
677c82aee1a8e1bc1d8679051a7a7ef6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll
5adbacbe7871978d5487e50d4f9d5fd9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll
7a7e9bbf621bd0310b27a29dae338b25	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll
f55cca95c0ce7bb9dd0df7426d0850b7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll
b635337f96458e4240d6d36a0f1ad0c0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll
a9d7acb329bb58291371783bfd765747	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll
151e2197c465d69f0531f1eda0ae723e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll
16f588b707fa9574c2c4c033442a54bc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll
742c5173ad19be9995323f9aa55c7ce6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll
9187e5a69439016f6d87d2400433652f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll
1088f9f75d48492f9a59b327a1b4150f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll
7aa2aa0182bf743aee50f0da6211fc25	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll
9f97e32ab67e6176a310f80750195055	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll
80d3b8af8f5ea5fabc59f6c3871f8c8b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll
172d968afada4520e29d1fd274f89a4f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll
7fc9f569c18a6dea813dd9a596aedb59	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll
ef7097038ed66124b148e2a796f591c3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll
30ff6ccc5934ac9b9feec18c17534324	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll
3405f18d69e7a10e02258f0cee5ca9a4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll
d07cd67deabd1d6bcbfd581eddb55191	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll
b5a72b466f81ab67a4efb1e8925fc4bc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll
cec3e2877c12ec603e0f0c523909717e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll
b31627a3b5d15e05b94c1261f3b3b85a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll
b397baf228f38e28e2690ddb20852bce	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll
1b0dea6bce09f17beec9646bae225517	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll
5d092b19ed729ece612a2247cf45c358	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll
4c3a99424c4a6fa0cfde4261b8c784d5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll
6c87927c9537cc20f16943bded647e30	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll
6cea215160ae4188fee4a92ef15dda05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe
6cea215160ae4188fee4a92ef15dda05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe
6cea215160ae4188fee4a92ef15dda05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe
7ad1bcd40606876cb6680d83c9ec989a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe
2b3cf7ea69432a594e10f40cb922ac26	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe
2c2b5f94feeb782f83bb15f016a6bf68	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdate.dll
aaf96cdd105289e7ff35394d325cc3dc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll
a399a7747af02e7f6289398aa2265c3c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll
c3b2b4701849ea07b96fa137a6e94e02	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll
de800351848d365dd563631771f5b5b0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll
d8e741a14434f59b778db9e562625838	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll
6e27092a569dda3f4b0aa1a9948089a2	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll
c72c8072a466e9a32d2a926071bc400c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll
387cc6ea3e3b20fb7e55be314cf41ef9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll
fa3a9047608e216c68e83f3b3f4e62ec	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll
c18e8508c8b691aad860de077390d9d3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll
f8e1288bb72f67c25c367e5a61651bca	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll
e67f2ba7b2d5e2841e7f317080f3fd62	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll
4a80f1645d7dd9e9b1392841ad02d970	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll
d83ed084a47c3352d5e68404500ce4af	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll
a420edd640c17822899c730af0d516ad	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll
028b1d4af503a3209383ad0a2e1c6dac	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll
428a992a1329cebe4c48bb7d54ba44d7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll
6805edac4a9be23a70947c5d990dbf8c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll
f7e7d920bf9c0e98d350dd19a0dff5c3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll
05770102a6c300aa14d917b773b13f72	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll
4c7c2b2f13eb1d17fdeb8974f1b9a1ab	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll
5ae0ab73c27fa94752554f811e54548e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll
571702223ba20e311291c4641db8a0e5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll
b60ad05c51a0deb944c9b6d515ba3f75	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll
d140749f5da947cad9d95a568c92a412	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll
7572629ccdc27e59f98185b0b100a81d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll
e00fc2475ee6221a470f7a02304ef577	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll
1f9c169f28c96a84ad699ad7d8e8ecea	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll
5426cd1549caf223134627d50c8f2fd7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll
fcedbb1d3960e1ed1f208e426b461e47	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll
677c82aee1a8e1bc1d8679051a7a7ef6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll
5adbacbe7871978d5487e50d4f9d5fd9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll
7a7e9bbf621bd0310b27a29dae338b25	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll
f55cca95c0ce7bb9dd0df7426d0850b7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll
b635337f96458e4240d6d36a0f1ad0c0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll
a9d7acb329bb58291371783bfd765747	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll
151e2197c465d69f0531f1eda0ae723e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll
16f588b707fa9574c2c4c033442a54bc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll
742c5173ad19be9995323f9aa55c7ce6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll
9187e5a69439016f6d87d2400433652f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll
1088f9f75d48492f9a59b327a1b4150f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll
7aa2aa0182bf743aee50f0da6211fc25	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll
9f97e32ab67e6176a310f80750195055	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll
80d3b8af8f5ea5fabc59f6c3871f8c8b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll
172d968afada4520e29d1fd274f89a4f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll
7fc9f569c18a6dea813dd9a596aedb59	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll
ef7097038ed66124b148e2a796f591c3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll
30ff6ccc5934ac9b9feec18c17534324	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll
3405f18d69e7a10e02258f0cee5ca9a4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll
d07cd67deabd1d6bcbfd581eddb55191	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll
b5a72b466f81ab67a4efb1e8925fc4bc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll
cec3e2877c12ec603e0f0c523909717e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll
b31627a3b5d15e05b94c1261f3b3b85a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll
b397baf228f38e28e2690ddb20852bce	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll
1b0dea6bce09f17beec9646bae225517	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll
5d092b19ed729ece612a2247cf45c358	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll
4c3a99424c4a6fa0cfde4261b8c784d5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psmachine.dll
6c87927c9537cc20f16943bded647e30	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\GUM1.tmp\psuser.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
CatalinaUpdate.exe:1964
CatalinaUpdate.exe:332
CatalinaUpdate.exe:260
%original file name%.exe:440
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateOnDemand.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ja.dll (22 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003Core.job (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fi.dll (26 bytes)
%WinDir%\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-1844237615-1960408961-1801674531-1003UA.job (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaCrashHandler.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\npCatalinaUpdate3.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psmachine.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdate.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\psuser.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdate.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\1.3.25.215\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_gu.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUT2.tmp (22433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_nl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_te.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sk.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_el.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ru.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es-419.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_iw.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_no.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_tr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en-GB.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_da.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ro.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_uk.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-TW.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bn.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ms.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ta.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateBroker.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_es.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdate.dll (1990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sw.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_de.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_is.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_sv.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fr.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_en.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_cs.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_mr.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-BR.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fa.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_kn.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_bg.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pt-PT.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_id.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ja.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\npCatalinaUpdate3.dll (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psuser.dll (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ml.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ko.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_th.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ca.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_vi.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hi.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_zh-CN.dll (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lv.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hu.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdate.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ar.dll (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_pl.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_hr.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateHelper.msi (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_lt.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_et.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_am.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\psmachine.dll (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaCrashHandler.exe (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_it.dll (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_fil.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\goopdateres_ur.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUM1.tmp\CatalinaUpdateOnDemand.exe (58 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe /c"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Catalina Group Ltd.
Product Name: CatalinaGroup Update
Product Version: 1.3.25.215
Legal Copyright: Copyright 2013 Catalina Group Ltd.
Legal Trademarks:
Original Filename: CatalinaUpdateSetup.exe
Internal Name: CatalinaGroup Update Setup
File Version: 1.3.25.215
File Description: CatalinaGroup Update Setup
Comments:
Language: Language Neutral

Company Name: Catalina Group Ltd.Product Name: CatalinaGroup UpdateProduct Version: 1.3.25.215Legal Copyright: Copyright 2013 Catalina Group Ltd.Legal Trademarks: Original Filename: CatalinaUpdateSetup.exeInternal Name: CatalinaGroup Update SetupFile Version: 1.3.25.215File Description: CatalinaGroup Update SetupComments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	47535	47616	4.63666	da072aeedacb67c58ca3952875d79a2b
.rdata	53248	10788	11264	3.70551	cc85a67bbda310b5aa377cecaa3156cf
.data	65536	6428	3584	1.72368	8e425fbedc6927dfabb8fdfaaf8e8d97
.rsrc	73728	659744	659968	5.30312	89169e477c01dd8186928471af10e787
.reloc	737280	5598	5632	2.64966	17957bd86fff892742280f82a0bf537a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 33
52e93d93473e442df41b45a8df00f628
8197dcd6af91174c7e4ed99cda1f5dd8
155df244efb56d5ac4452b8b5c5db144
a79d1eb06eff95b9fd9f933f8e280429
9d2d18977465aba1ce38b83220d20f09
e33aaa5782ab6d3573291c0b9dfe654c
0de1dedf8f8ff314658761edf266c472
5bd2a434b0f8a0d27023e9a8d66da0ad
450cb8a32997ae1522fa340e659da7f9
f3f9747c4d9a40cf8b05b1a2356b9602
47bdf3d199e467f3d1613d69dcf63f3e
05cd4d2811937ace563cb37b346eb562
6fea5b8d14c637c20a7e4c3b7d0af70e
78ca8c9f73fa1bd81cb2a3324e3b719e
d427e63df9cc884606db9221fb5856e5
5b460db94f90f3f40a17374bd3779a4e
f05c747876d3fecd499eeebb3d35cd23
f1351428b3e81bf3a6b8972c71a26f0d
54377355d4b7290a0a998471c7846e24
d832665608fcf53ef06453b7932a39d2
bf20e4684fc070983c29557b1f2b8728
3f4b2b26245f3679f51cedafcfbb7815
f36dddc368f66380c5a0dcae5f68a86a
7596819db358e116e206821a6508a77a
d5920889911ace49d013c03ea70a0526

Network Activity

URLs

URL	IP
hxxp://catalinahub.com/update/ping
hxxp://catalinahub.com/update/check?w=3:QtFYNqGc4nYq7pl7A5gFLxxLHmZs5NzFCxWE4eEjv4wyhM-cAr7wabMYXODRvmysIrKWTtcl5JU7brjHHJ1QZ7ptEY-fQaMKa5plUmNRwKcuFdbANkxsbZht_ZTQeOQhTrDBd97cgge1NHLr48hWJE9-nnonh6sRNfvpJb4znhA
hxxp://catalinahub.com/update/check
hxxp://catalinahub.silvercdn.com/download/citrio_40.0.2214.251_1.exe
hxxp://static.citrio.com/download/citrio_40.0.2214.251_1.exe	46.234.113.79

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /update/check?w=3:QtFYNqGc4nYq7pl7A5gFLxxLHmZs5NzFCxWE4eEjv4wyhM-cAr7wabMYXODRvmysIrKWTtcl5JU7brjHHJ1QZ7ptEY-fQaMKa5plUmNRwKcuFdbANkxsbZht_ZTQeOQhTrDBd97cgge1NHLr48hWJE9-nnonh6sRNfvpJb4znhA HTTP/1.1

User-Agent: Google Update/1.3.25.215;winhttp;cup

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

If-Match: "6MPMLHVS3zu5gH1A0HPHqXN-_Xs"

Host: catalinahub.com

Content-Length: 567

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.215" ismachine="0" sessionid="{8E0E8503-7027-4418-BE2F-5AD82FF82503}" userid="{06B9B04D-EBAB-411B-BD4E-3CEEFF48E59E}" installsource="taggedmi" testsource="auto" requestid="{DD6B9168-2711-4108-9AC0-B0F6D62ABC6B}"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{CD3BB725-90A5-49B2-B11E-B14F3713DCD6}"><updatecheck/></app></request>

HTTP/1.1 200 OK

Date: Sat, 07 Mar 2015 11:03:56 GMT

Server: Apache-Coyote/1.1

Content-Type: application/xml;charset=UTF-8

Connection: close

Transfer-Encoding: chunked

2a6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><response protocol="3.0" server="dist"><dayStart elapsed_seconds="39836"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" status="ok"><updatecheck status="ok"><urls><url codebase="hXXp://static.citrio.com/download/"/></urls><manifest version="40.0.2214.251"><packages><package hash="k3oSAxc6BDlGjvsPlTwGMZTd9O4=" name="citrio_40.0.2214.251_1.exe" required="true" size="55183760"/></packages><actions><action arguments="--chrome --do-not-launch-chrome" event="install" run="citrio_40.0.2214.251_1.exe"/><action event="postinstall" onsuccess="exitsilentlyonlaunchcmd"/></actions></manifest></updatecheck></app></response>..0..

POST /update/check HTTP/1.1

User-Agent: Google Update/1.3.25.215;winhttp

X-Last-HR: 0x80040880

X-Last-HTTP-Status-Code: 200

X-Retry-Count: 0

Host: catalinahub.com

Content-Length: 567

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Date: Sat, 07 Mar 2015 11:03:56 GMT

Server: Apache-Coyote/1.1

Content-Type: application/xml;charset=UTF-8

Connection: close

Transfer-Encoding: chunked

HEAD /download/citrio_40.0.2214.251_1.exe HTTP/1.1

Accept: */*

Accept-Encoding: identity

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

User-Agent: Microsoft BITS/6.7

Host: static.citrio.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 07 Mar 2015 07:39:43 GMT

Server: Apache-Coyote/1.1

ETag: W/"55183760-1425390425000"

Last-Modified: Tue, 03 Mar 2015 13:47:05 GMT

Content-Type: application/octet-stream;charset=UTF-8

Age: 12254

Content-Length: 55183760

Connection: close

HEAD /download/citrio_40.0.2214.251_1.exe HTTP/1.1

Accept: */*

Accept-Encoding: identity

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

User-Agent: Microsoft BITS/6.7

Host: static.citrio.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 07 Mar 2015 07:39:43 GMT

Server: Apache-Coyote/1.1

ETag: W/"55183760-1425390425000"

Last-Modified: Tue, 03 Mar 2015 13:47:05 GMT

Content-Type: application/octet-stream;charset=UTF-8

Age: 12243

Content-Length: 55183760

Connection: close

GET /download/citrio_40.0.2214.251_1.exe HTTP/1.1

Accept: */*

Accept-Encoding: identity

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

User-Agent: Microsoft BITS/6.7

Host: static.citrio.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 07 Mar 2015 07:39:43 GMT

Server: Apache-Coyote/1.1

ETag: W/"55183760-1425390425000"

Last-Modified: Tue, 03 Mar 2015 13:47:05 GMT

Content-Type: application/octet-stream;charset=UTF-8

Age: 12255

Content-Length: 55183760

Connection: close

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............]...]...]...]...]9.K]...]...]...]..)]...]..e]...]..,]...]Rich...]........PE..L......T................."....I......!.......@....@..........................@J......DJ......................................P..P....`....I...........I......0J.p.......8............................................P...............................text...t!.......".................. ..`.data........@......................@....idata.......P.......&..............@..@.rsrc.....I..`....I..,..............@..@.reloc..p....0J.......I.............@..B.......................................................................................................................................................................................................................................................................................................................................................................................T........g...L...L..........T....................{.9.2.F.8.A.2.1.9.-.E.7.4.0.-.4.9.D.5.-.B.7.8.5.-.B.9.6.2.A.D.8.1.9.7.2.4.}.....{.E.9.F.2.4.A.7.C.-.1.3.C.A.-.4.2.F.B.-.A.4.D.9.-.7.9.C.3.C.9.D.2.1.B.2.8.}.....{.0.1.0.5.E.A.0.2.-.8.0.2.D.-.4.B.3.7.-.8.1.6.1.-.4.E.D.2.5.C.4.9.3.2.6.6.}.....{.D.E.2.8.A.2.E.A.-.7.7.F.A.-.4.F.2.B.-.8.2.5.2.-.C.3.B.5.8.4.4.F.6.4.5.5.}.....{.F.0.B.5.0.D.5.A.-.4.B.B.A.-.4.5.1.4.-.A.D.2.C.-.E.B.A.5.0.C.2.9.C.4.6.0.}.....-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.h.r.o.m.e.....-.-.c.h.

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_440:

.text

`.rdata

@.data

.rsrc

@.reloc

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

mi_exe_stub.pdb

GetCPInfo

KERNEL32.dll

SHLWAPI.dll

GetProcessHeap

ole32.dll

USER32.dll

c:\%original file name%.exe

7&ftP

4.Ppi

1.Mx.e

y.Ar`

%X/|0

P@5=%d

.uBSQ

Ja%F' LG3R

Xgl.ES

d".qp

)p.Rq

X:\.f

.Pz ;

^%FT7

lWB%S

X;.RG

x%9s\

v.ls?

TBs.Vz

=q6%D

t%1Xg

N7N.rta

%U:NT

?.NLp

t#$%S

a.mW3

_%F!R

.yBoo

.UfX~

L%u`=m=W

M0.aZ

.Mc0W

o0.NJ

TÃŸR!

C%Fn'6

.zfqLg

%x$/a44

EFTP

*_r.Cd

k.lhx

pK.gJ

:sssh

: :%:/:=:}:

3'3,30343]3

mscoree.dll

KERNEL32.DLL

appguid={92F8A219-E740-49D5-B785-B962AD819724}&installerargs=--make-chrome-default

Windows 2000 Service Pack 4

Windows 2000

lador de %1!s! requereix Windows 2000 amb Service Pack 4 o una versi

m Windows 2000 Service Pack 4 nebo nov

ver Windows 2000 Service Pack 4 eller bedre.

r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h

Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.

Windows 2000 Service Pack 4:n tai uudemman.

cessite Windows

je Windows 2000 Service Pack 4-et vagy frissebb verzi

krefst Windows 2000

Google#Programma di installazione di %1!s!!Errore sconosciuto dell'installertInstallazione non riuscita. Il programma di installazione di %1!s! richiede Windows 2000 Service Pack 4 o superiore.

Installatieprogramma van %1!s!'Onbekende fout van installatieprogrammasDe installatie is mislukt. Voor het installatieprogramma van %1!s! is Windows 2000 Service Pack 4 of hoger vereist.

Ukjent installasjonsfeilgInstallasjonen mislyktes. %1!s! installasjonsprogrammet krever Windows 2000 Service Pack 4 eller nyere.

. Instalator %1!s! wymaga systemu Windows 2000 z dodatkiem Service Pack 4 lub nowszego.

o. O instalador do %1!s! requer o Windows 2000 Service Pack 4 ou posterior.

it. %1!s! Programul de instalare are nevoie de Windows 2000 Service Pack 4 sau de o versiune superioar

ka alata za instalacijulInstalacija nije uspjela. Za instalacijski program %1!s! potreban je Windows 2000 Service Pack 4 ili noviji.

m Windows 2000 Service Pack 4 alebo nov

ver Windows 2000 Service Pack 4 eller b

kleyicisi Windows 2000 Hizmet Paketi 4 veya sonras

Program pemasang %1!s!!Kesalahan Installer Tak DiketahuiePemasangan gagal. Program pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

na. Za namestitveni program za %1!s! potrebujete Windows 2000 s servisnim paketom SP 4 ali novej

uab rakendust Windows 2000 hoolduspakett 4 v

ama Windows

Windows 2000

u Windows 2000 G

Pemasang %1!s!#Ralat Pemasang yang Tidak Diketahui]Pemasangan gagal. Pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

Kisakinishi cha %1!s!%Hitilafu ya Kisakinishi Isiyojulikana_Usakinishaji haukufaulu. Kisakinishi cha %1!s! kinahitaji Windows 2000 Service Pack 4 au zaidi.

. Windows 2000

Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.

n. %1!s! El instalador requiere Windows 2000 Service Pack 4 o superior.

o %1!s! necessita do Windows 2000 Service Pack 4 ou superior.

n. %1!s! Installer requiere Windows 2000 Service Pack 4 o versiones posteriores.

1.3.25.215

CatalinaUpdateSetup.exe

CatalinaUpdate.exe_480:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

WINTRUST.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

###7777_{

###____777

###````87{

3 3$3(3,30343~3

5 5$5(5,5

?$?(?,?4?

= =$=@=`=

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\GUM1.tmp\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.215

2007-2010

CatalinaUpdate.exe_1668:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

WINTRUST.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

###7777_{

###____777

###````87{

3 3$3(3,30343~3

5 5$5(5,5

?$?(?,?4?

= =$=@=`=

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.215

2007-2010

CatalinaUpdate.exe_332:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

WINTRUST.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

###7777_{

###____777

###````87{

3 3$3(3,30343~3

5 5$5(5,5

?$?(?,?4?

= =$=@=`=

%Documents and Settings%\%current user%\Local Settings\Application Data\CatalinaGroup\Update\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.215

2007-2010