MD5: 55e7df1f7aa07bca9147b5eca2a9660f
SHA1: 3b2a0493ecdabb637dd5e7c62227ee0470516770
SHA256: 56f660f8a0f6f0a0a84503bd72182caf01bb7f06cf0c52a9f70dd2b3073b2d8f
SSDeep: 12288:plotJ0AEXYDrX9xVsLhbl3VcomJeKjN/DHpqfIAanWd1kRvEEe GXLb6:p06AEUrt8hl3VcobKjN/DqIA4z 6
Size: 726224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Catalina Group Ltd.
Created at: 2017-02-18 05:46:57
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The not-a-virus creates the following process(es):

%original file name%.exe:3700
CatalinaUpdate.exe:3036
CatalinaUpdate.exe:2356
CatalinaUpdate.exe:1672

The not-a-virus injects its code into the following process(es):

CatalinaUpdate.exe:2616
CatalinaUpdate.exe:2296

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3700 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ta.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_is.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdate.dll (1702 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_hi.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fi.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_zh-CN.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_mr.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_pt-PT.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_th.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_hr.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_et.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ro.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\psuser.dll (162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ja.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_de.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fr.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_no.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_pt-BR.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_id.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUT8F16.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_hu.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_es-419.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\npCatalinaUpdate3.dll (237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_da.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_tr.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_en.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_es.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_nl.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_en-GB.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaCrashHandler.exe (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fa.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_kn.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_gu.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_vi.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdate.exe (267 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_uk.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sk.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ko.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ur.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sv.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_cs.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ar.dll (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ca.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_it.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_lt.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_el.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fil.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdateBroker.exe (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sw.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_bg.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_am.dll (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_iw.dll (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sr.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_lv.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\psmachine.dll (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_pl.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_te.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_bn.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ru.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdateOnDemand.exe (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sl.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ml.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_zh-TW.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ms.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdateHelper.msi (40 bytes)

The not-a-virus deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp (0 bytes)

The process CatalinaUpdate.exe:2616 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ja.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_am.dll (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_kn.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_gu.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_pt-BR.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_cs.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ur.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fil.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_hu.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_is.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_es.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaCrashHandler.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ro.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdate.dll (802 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_no.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fa.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ta.dll (29 bytes)
C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-732923889-1296844034-1208581001-1000UA.job (930 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fr.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_nl.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_vi.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_lt.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ko.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_hr.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_da.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_it.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_th.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sk.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fi.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_en.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psmachine.dll (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_pl.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_hi.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_id.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateOnDemand.exe (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_mr.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_uk.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sv.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_en.dll (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_zh-TW.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_bn.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_te.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ml.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sl.dll (28 bytes)
C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-732923889-1296844034-1208581001-1000Core.job (878 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdate.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\npCatalinaUpdate3.dll (1522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_bg.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_zh-CN.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_de.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ms.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_en-GB.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sr.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psuser.dll (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_el.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ca.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ar.dll (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_pt-PT.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_tr.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateBroker.exe (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_lv.dll (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_et.dll (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_iw.dll (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_es-419.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sw.dll (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdate.dll (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateHelper.msi (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ru.dll (27 bytes)

The process CatalinaUpdate.exe:3036 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdate.dll (802 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psuser.dll (163 bytes)

The process CatalinaUpdate.exe:2296 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_en.dll (28 bytes)

The process CatalinaUpdate.exe:1672 makes changes in the file system.
The not-a-virus deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\Install (0 bytes)

Registry activity

The process CatalinaUpdate.exe:2616 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"vendor" = "Catalina Group Ltd."
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"iid" = "{48E451FE-3B5C-4E43-B3CB-97F017157A6E}"

[HKCU\Software\CatalinaGroup\Update]
"UID" = "{00617329-FE24-488F-9375-0C611D024CFE}"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.oneclickctrl.9]
"CLSID" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9\CLSID]
"(Default)" = "{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"Policy" = "3"

[HKCU\Software\Classes\MIME\Database\Content Type\application/x-vnd.catalinahub.update3webcontrol.3]
"CLSID" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppName" = "CatalinaUpdate.exe"

[HKCU\Software\CatalinaGroup\Update]
"Version" = "1.3.25.224"

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Description" = "CatalinaGroup Update"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"Name" = "Catalina Update"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"InstallTime" = "1491978178"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\npCatalinaUpdate3.dll"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"Policy" = "3"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\ProgID]
"(Default)" = "CatalinaGroup.OneClickCtrl.9"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\npCatalinaUpdate3.dll"

[HKCU\Software\Classes\CLSID\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Description" = "CatalinaGroup Update"
"ProductName" = "CatalinaGroup Update"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{841F4080-C687-4E9C-BD6E-EB5EECF4FAE6}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"vendor" = "Catalina Group Ltd."

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\npCatalinaUpdate3.dll"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=9]
"Version" = "9"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.224"

[HKCU\Software\Classes\CatalinaGroup.Update3WebControl.3\CLSID]
"(Default)" = "{71216BD6-4D03-4387-BD01-7FE8D9512541}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"AppName" = "CatalinaUpdateOnDemand.exe"

[HKCU\Software\CatalinaGroup\Update]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Version" = "3"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"pv" = "1.3.25.224"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}\ProgID]
"(Default)" = "CatalinaGroup.Update3WebControl.3"

[HKCU\Software\MozillaPlugins\@catalinahub.net/CatalinaGroup Update;version=3]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\npCatalinaUpdate3.dll"

[HKCU\Software\Classes\CatalinaGroup.OneClickCtrl.9]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\Classes\CLSID\{71216BD6-4D03-4387-BD01-7FE8D9512541}]
"(Default)" = "CatalinaGroup Update Plugin"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"brand" = "GGLS"

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CatalinaGroup Update" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe /c"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"
"ui"
"LastChecked"

[HKCU\Software\CatalinaGroup\Update\ClientState\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}]
"UpdateAvailableSince"
"UpdateAvailableCount"

The process CatalinaUpdate.exe:3036 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"CLSID" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}]
"(Default)" = "ICatalinaUpdate3WebSecurity"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}]
"(Default)" = "IAppBundle"

[HKCU\Software\Classes\CLSID\{6541F196-A2B8-449C-8741-CC884D8F0F89}\InProcServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psuser.dll"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}]
"(Default)" = "ICoCreateAsyncStatus"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\NumMethods]
"(Default)" = "39"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CLSID\{6541F196-A2B8-449C-8741-CC884D8F0F89}]
"(Default)" = "PSFactoryBuffer"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\NumMethods]
"(Default)" = "13"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}]
"(Default)" = "ICredentialDialog"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}]
"(Default)" = "ICatalinaUpdate"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}]
"(Default)" = "Update3COMClass"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\Interface\{FCD277CC-8D3E-4264-80D3-98E7B05E2E8A}]
"(Default)" = "IAppVersionWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}]
"(Default)" = "IOneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}]
"(Default)" = "ICoCreateAsync"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}]
"(Default)" = "ICurrentState"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser.1.0"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}]
"(Default)" = "IAppBundleWeb"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}]
"(Default)" = "IApp"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\NumMethods]
"(Default)" = "5"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "06 00 00 00 00 00 00 00"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\CLSID\{EF5751F9-BCAF-4203-A1BB-DF20470F9432}\InprocHandler32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\Interface\{A1E6F38D-8C9E-4BDA-86A2-1940472A8429}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKCU\Software\Classes\Interface\{D085AC3B-E5CC-40C9-8366-C12ADC489967}\NumMethods]
"(Default)" = "44"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\VersionIndependentProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\Interface\{C1D8630A-9D2D-4E0E-A4A1-8AA5CA3FAE57}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}\NumMethods]
"(Default)" = "9"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\NumMethods]
"(Default)" = "6"

[HKCU\Software\Classes\CLSID\{6541F196-A2B8-449C-8741-CC884D8F0F89}\InProcServer32]
"ThreadingModel" = "Both"

[HKCU\Software\Classes\CLSID\{EF5751F9-BCAF-4203-A1BB-DF20470F9432}\InprocHandler32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psuser.dll"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13660822-39AC-408C-BA99-702EBEE3EF26}]
"Policy" = "3"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\Interface\{0E09406F-1420-4BF4-B6EB-F0994674AD68}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}\NumMethods]
"(Default)" = "14"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\ProgID]
"(Default)" = "CatalinaGroupUpdate.Update3WebUser.1.0"

[HKCU\Software\Classes\Interface\{7C9F9415-9947-482C-A62B-24A0BD92B8A7}]
"(Default)" = "ICatalinaUpdateCore"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\NumMethods]
"(Default)" = "10"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{051D14B3-CF0F-4CCA-B8FE-AF9E007ACD43}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CLSID\{13660822-39AC-408C-BA99-702EBEE3EF26}\ProgID]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\Interface\{CBAC6FCC-819A-443D-98BB-E7A122DCCAE3}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser\CurVer]
"(Default)" = "CatalinaGroup.OneClickProcessLauncherUser.1.0"

[HKCU\Software\Classes\CLSID\{2823499B-60F3-4940-8042-2C16D5829A39}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}\NumMethods]
"(Default)" = "10"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "01 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Interface\{FFC6ECB2-25E8-40EE-BF37-5AA25CBCBA63}]
"(Default)" = "ICatalinaUpdate3"

[HKCU\Software\Classes\Interface\{263B5A28-834A-4D1B-AB71-A28E882CC59B}]
"(Default)" = "IJobObserver"

[HKCU\Software\Classes\Interface\{0CD725CD-5650-4F13-91DA-E42FAA9687E8}]
"(Default)" = "IAppVersion"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}]
"(Default)" = "ICatalinaUpdate3Web"

[HKCU\Software\Classes\Interface\{F009E353-D4BD-42FE-994E-F6C315055F9B}\NumMethods]
"(Default)" = "8"

[HKCU\Software\Classes\Interface\{A2589E53-1490-4C0A-BFC7-A47B7A88E3D8}\NumMethods]
"(Default)" = "4"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\VersionIndependentProgID]
"(Default)" = "CatalinaGroupUpdate.Update3COMClassUser"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}]
"(Default)" = "IBrowserHttpRequest2"

[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psuser.dll"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser.1.0\CLSID]
"(Default)" = "{2823499B-60F3-4940-8042-2C16D5829A39}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser.1.0]
"(Default)" = "Update3COMClass"

[HKCU\Software\Classes\Interface\{789E3792-8514-4ED5-90F3-5B525275B953}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\Interface\{84BA4DAC-82EA-4DC8-BCB0-B69DD6E95670}]
"(Default)" = "IPackage"

[HKCU\Software\Classes\Interface\{23185EAB-61B0-4B70-BE89-589585B91392}]
"(Default)" = "IRegistrationUpdateHook"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateOnDemand.exe"

[HKCU\Software\Classes\Interface\{3EA78C6E-8267-4554-8EC6-8982D5AF539A}\ProxyStubClsid32]
"(Default)" = "{6541F196-A2B8-449C-8741-CC884D8F0F89}"

[HKCU\Software\Classes\CLSID\{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe"

[HKCU\Software\Classes\Interface\{6B6DE56F-09F2-4343-80AD-28E5D6CB78F9}]
"(Default)" = "IAppWeb"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser.1.0\CLSID]
"(Default)" = "{C8362D5A-4303-4E22-8668-BB10D65B95BD}"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3WebUser]
"(Default)" = "GoogleUpdate Update3Web"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser]
"(Default)" = "CatalinaGroup.OneClickProcessLauncher"

[HKCU\Software\Classes\Interface\{F9F2D675-F172-42F2-A26E-6453B80EA7F1}\NumMethods]
"(Default)" = "24"

[HKCU\Software\Classes\CatalinaGroup.OneClickProcessLauncherUser.1.0\CLSID]
"(Default)" = "{13660822-39AC-408C-BA99-702EBEE3EF26}"

[HKCU\Software\Classes\Interface\{EC3867B7-B9EF-494E-B42B-BA009D57D90E}]
"(Default)" = "IProcessLauncher"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CLSID\{C8362D5A-4303-4E22-8668-BB10D65B95BD}\ProgID]
"(Default)" = "CatalinaGroupUpdate.OnDemandCOMClassUser.1.0"

[HKCU\Software\Classes\CatalinaGroupUpdate.Update3COMClassUser\CLSID]
"(Default)" = "{3C564FFE-55F7-43AC-886C-7E9E9091CB2A}"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser\CurVer]
"(Default)" = "CatalinaGroupUpdate.CredentialDialogUser.1.0"

[HKCU\Software\Classes\Interface\{34F067BE-C79C-4C5F-8E64-622A3CC59055}]
"(Default)" = "IProgressWndEvents"

[HKCU\Software\Classes\CatalinaGroupUpdate.OnDemandCOMClassUser]
"(Default)" = "Google Update Legacy On Demand"

[HKCU\Software\Classes\CLSID\{73436A91-85A6-4850-A7D0-375C4E369A5A}]
"(Default)" = "GoogleUpdate CredentialDialog"

[HKCU\Software\Classes\CatalinaGroupUpdate.CredentialDialogUser.1.0\CLSID]
"(Default)" = "{73436A91-85A6-4850-A7D0-375C4E369A5A}"

[HKCU\Software\Classes\Interface\{7A1A1D82-1E2B-41B8-9FA3-F40D8DD3EEF0}\NumMethods]
"(Default)" = "4"

The not-a-virus deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{EF5751F9-BCAF-4203-A1BB-DF20470F9432}]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}\InprocServer32]
[HKCU\Software\Classes\CLSID\{EF5751F9-BCAF-4203-A1BB-DF20470F9432}\InprocHandler32]
[HKCU\Software\Classes\CLSID\{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}]

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:2356 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_sp_major_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_minor_version" = "01 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_main" = "02 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Integers]
"windows_major_version" = "06 00 00 00 00 00 00 00"

[HKCU\Software\CatalinaGroup\Update\UsageStats\Daily\Counts]
"goopdate_constructor" = "02 00 00 00 00 00 00 00"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\network\secure]
"sk"
"c"

The process CatalinaUpdate.exe:2296 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"usagestats" = "1"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update]
"eulaaccepted"

The process CatalinaUpdate.exe:1672 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKCU\Software\CatalinaGroup\Update]
"LastServerAddress" = "1"

[HKCU\Software\CatalinaGroup\Update\proxy]
"source" = "IE"

The not-a-virus deletes the following value(s) in system registry:

[HKCU\Software\CatalinaGroup\Update\ClientState\{92F8A219-E740-49D5-B785-B962AD819724}]
"tttoken"
"iid"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Catalina Group Ltd.
Product Name: CatalinaGroup Update
Product Version: 1.3.25.224
Legal Copyright: Copyright 2013 Catalina Group Ltd.
Legal Trademarks:
Original Filename: CatalinaUpdateSetup.exe
Internal Name: CatalinaGroup Update Setup
File Version: 1.3.25.224
File Description: CatalinaGroup Update Setup
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
d7c0b23d01560206a9f061a797a5e190
edbf2c37d10c6b576e0c12fae86862e3
871ddbfa7e57dcf6d04adaaf63e52f7a

URLs

URL	IP
hxxp://catalinahub.net/update/ping	204.155.149.44
hxxp://catalinahub.com/update/check	204.155.149.27
hxxp://gs1.wpc.v2cdn.net/80A164/ch-cdn/download/citrio_50.0.2661.275_1.exe
wpc.a164.taucdn.net	93.184.221.133

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

HEAD /80A164/ch-cdn/download/citrio_50.0.2661.275_1.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

User-Agent: Microsoft BITS/7.5

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: wpc.a164.taucdn.net

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/octet-stream;charset=UTF-8

Date: Wed, 12 Apr 2017 05:23:38 GMT

Etag: W/"59423104-1488794754000"

Last-Modified: Mon, 06 Mar 2017 10:05:54 GMT

Server: ECAcc (frf/87F3)

X-Cache: HIT

Content-Length: 59423104
....


GET /80A164/ch-cdn/download/citrio_50.0.2661.275_1.exe HTTP/1.1

Connection: Keep-Alive

Accept: */*

Accept-Encoding: identity

If-Unmodified-Since: Mon, 06 Mar 2017 10:05:54 GMT

User-Agent: Microsoft BITS/7.5

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Host: wpc.a164.taucdn.net

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/octet-stream;charset=UTF-8

Date: Wed, 12 Apr 2017 05:23:38 GMT

Etag: W/"59423104-1488794754000"

Last-Modified: Mon, 06 Mar 2017 10:05:54 GMT

Server: ECAcc (frf/87F3)

X-Cache: HIT

Content-Length: 59423104
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........W...6...6..
.6..d.?..6...6...6...O...6...d/..6...6c..6...O*..6..Rich.6............
..............PE..L......X.................&..........:#.......@....@.
......................................................................
...P..P....`..Xy..............................8.......................
.....................P...............................text...'%.......&
.................. ..`.data........@......................@....idata..
.....P.......*..............@..@.rsrc...Xy...`...z...0..............@.
.@.reloc..............................@..B............................
......................................................................
......................................................................
......................................................................
......................................................................
...................................................X........m... ... .
.........X....................{.9.2.F.8.A.2.1.9.-.E.7.4.0.-.4.9.D.5.-.
B.7.8.5.-.B.9.6.2.A.D.8.1.9.7.2.4.}.....{.E.9.F.2.4.A.7.C.-.1.3.C.A.-.
4.2.F.B.-.A.4.D.9.-.7.9.C.3.C.9.D.2.1.B.2.8.}.....{.D.E.2.8.A.2.E.A.-.
7.7.F.A.-.4.F.2.B.-.8.2.5.2.-.C.3.B.5.8.4.4.F.6.4.5.5.}.....{.F.0.B.5.
0.D.5.A.-.4.B.B.A.-.4.5.1.4.-.A.D.2.C.-.E.B.A.5.0.C.2.9.C.4.6.0.}.....
..@.-.-.c.h.r.o.m.e.-.s.x.s.....-.-.c.h.r.o.m.e.....-.-.c.h.r.o.m.e.-.
f.r.a.m.e.....-.-.m.u.l.t.i.-.i.n.s.t.a.l.l...-.-.s.y.s.t.e.m.-.l.
<<< skipped >>>

POST /update/check HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: Google Update/1.3.25.224;winhttp

X-Last-HR: 0x80072ee2

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 1

Content-Length: 567

Host: catalinahub.com

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.224" ismachine="0" sessionid="{AC8E9B76-BEBF-4C08-86AA-AB8AEE294FB0}" userid="{00617329-FE24-488F-9375-0C611D024CFE}" installsource="taggedmi" testsource="auto" requestid="{D1EA79DE-EF7F-45E6-906B-8C86D1C41E91}"><os platform="win" version="6.1" sp="Service Pack 1" arch="x86"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" version="" nextversion="" buildtype="1" lang="en" brand="" client="" installage="-1" iid="{48E451FE-3B5C-4E43-B3CB-97F017157A6E}"><updatecheck/></app></request>
HTTP/1.1 200 OK

Date: Wed, 12 Apr 2017 05:23:27 GMT

Server: Apache-Coyote/1.1

X-Citrio-Timestamp: nfZXpWJzA9Pw4dAT2RZM0JeFF o=

Content-Type: application/xml;charset=UTF-8

Connection: close

Transfer-Encoding: chunked
2b6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><
response protocol="3.0" server="dist"><dayStart elapsed_seconds=
"19407"/><app appid="{92F8A219-E740-49D5-B785-B962AD819724}" sta
tus="ok"><updatecheck status="ok"><urls><url codebas
e="hXXp://wpc.A164.taucdn.net/80A164/ch-cdn/download/"/></urls&g
t;<manifest version="50.0.2661.275"><packages><package 
hash="t9l sMrc9W5IMcOFSY9FDgSxk5s=" name="citrio_50.0.2661.275_1.exe" 
required="true" size="59423104"/></packages><actions>&l
t;action arguments="--chrome --do-not-launch-chrome" event="install" r
un="citrio_50.0.2661.275_1.exe"/><action event="postinstall" ons
uccess="exitsilentlyonlaunchcmd"/></actions></manifest>
</updatecheck></app></response>..0..

POST /update/ping HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: Google Update/1.3.25.224;winhttp

X-Last-HR: 0x0

X-Last-HTTP-Status-Code: 0

X-Retry-Count: 0

Content-Length: 613

Host: catalinahub.net

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.25.224" ismachine="0" sessionid="{AC8E9B76-BEBF-4C08-86AA-AB8AEE294FB0}" userid="{00617329-FE24-488F-9375-0C611D024CFE}" installsource="taggedmi" testsource="auto" requestid="{85E87993-E012-407F-BF0B-9C80A1D3233E}"><os platform="win" version="6.1" sp="Service Pack 1" arch="x86"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" version="" nextversion="1.3.25.224" buildtype="" lang="en" brand="" client="" iid="{48E451FE-3B5C-4E43-B3CB-97F017157A6E}"><event eventtype="2" eventresult="1" errorcode="0" extracode1="0"/></app></request>
HTTP/1.1 200 OK

Date: Wed, 12 Apr 2017 05:22:37 GMT

Server: Apache-Coyote/1.1

X-Citrio-Timestamp: WvyGhJZjxt/gPD94yLgM89exMYY=

Content-Type: application/xml;charset=UTF-8

Connection: close

Transfer-Encoding: chunked
e6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><r
esponse protocol="3.0" server="dist"><dayStart elapsed_seconds="
19357"/><app appid="{6C598730-F715-407B-A7AE-A8F10D0F8FA7}" stat
us="ok"><event status="ok"/></app></response>..0.
.

The not-a-virus connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

mi_exe_stub.pdb

GetCPInfo

KERNEL32.dll

SHLWAPI.dll

GetProcessHeap

ole32.dll

USER32.dll

c:\%original file name%.exe

.).EE

`.tU^

|.GV(

.nI nj

2.hu1

/B%xC

.DEw,k`

.my4u

EWg.iZ

i6Å

u".tSb

!_%FM'

O-sU}

|.Xk3Kc

'Ü%$

X-Pq}

rf.NO|-h

.lq B

N%S8n

!Z.qS

uBY.Fv4N

2U%d?

qZ*%S

ZT,}

H.BWY

U-.lU

!7-%x0

D.NF4I

.Mh]2

Z{.IR

%Dpz,

%d)W!

W-xp}

.td5I%d-

T.xx)

%SHF2

.sT&ts

"z%Uh

j pG:.Jo

D,.zV@

5hv4l%x

>.JlW,

úK7

v%DLD

&K1.Cm

`%frq7

.Oy-~

X%D";T

.atzF1X)

k]tcP

nq7%dZ{

C$z.HZ

?.VKg

Bf%cj

0Z%0X

k.lhx

pK.gJ

:sssh 

7:<<<6000

<requestedExecutionLevel level="asInvoker" />

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--This Id value indicates the application supports Windows 10.0 functionality-->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />

: :%:/:=:}:

3'3,30343]3

mscoree.dll

KERNEL32.DLL

appguid={92F8A219-E740-49D5-B785-B962AD819724}&installerargs=--make-chrome-default

Windows 2000 Service Pack 4

Windows 2000

lador de %1!s! requereix Windows 2000 amb Service Pack 4 o una versi

m Windows 2000 Service Pack 4 nebo nov

ver Windows 2000 Service Pack 4 eller bedre.

r den %1!s!-Installer wird Windows 2000 Service Pack 4 oder h

Unknown Installer ErrorTInstallation failed. %1!s! Installer requires Windows 2000 Service Pack 4 or better.

Windows 2000 Service Pack 4:n tai uudemman.

cessite Windows

je Windows 2000 Service Pack 4-et vagy frissebb verzi

krefst Windows 2000

Google#Programma di installazione di %1!s!!Errore sconosciuto dell'installertInstallazione non riuscita. Il programma di installazione di %1!s! richiede Windows 2000 Service Pack 4 o superiore.

Installatieprogramma van %1!s!'Onbekende fout van installatieprogrammasDe installatie is mislukt. Voor het installatieprogramma van %1!s! is Windows 2000 Service Pack 4 of hoger vereist.

Ukjent installasjonsfeilgInstallasjonen mislyktes. %1!s! installasjonsprogrammet krever Windows 2000 Service Pack 4 eller nyere.

. Instalator %1!s! wymaga systemu Windows 2000 z dodatkiem Service Pack 4 lub nowszego.

o. O instalador do %1!s! requer o Windows 2000 Service Pack 4 ou posterior.

it. %1!s! Programul de instalare are nevoie de Windows 2000 Service Pack 4 sau de o versiune superioar

ka alata za instalacijulInstalacija nije uspjela. Za instalacijski program %1!s! potreban je Windows 2000 Service Pack 4 ili noviji.

m Windows 2000 Service Pack 4 alebo nov

ver Windows 2000 Service Pack 4 eller b

kleyicisi Windows 2000 Hizmet Paketi 4 veya sonras

Program pemasang %1!s!!Kesalahan Installer Tak DiketahuiePemasangan gagal. Program pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

na. Za namestitveni program za %1!s! potrebujete Windows 2000 s servisnim paketom SP 4 ali novej

uab rakendust Windows 2000 hoolduspakett 4 v

ama Windows

Windows 2000

u Windows 2000 G

Pemasang %1!s!#Ralat Pemasang yang Tidak Diketahui]Pemasangan gagal. Pemasang %1!s! memerlukan Windows 2000 Service Pack 4 atau yang lebih baik.

Kisakinishi cha %1!s!%Hitilafu ya Kisakinishi Isiyojulikana_Usakinishaji haukufaulu. Kisakinishi cha %1!s! kinahitaji Windows 2000 Service Pack 4 au zaidi.

. Windows 2000

Installer ng %1!s! Hindi Alam na Error ng InstallerlNabigo ang pag-install. Nangangailangan ang Installer ng %1!s! ng Windows 2000 Service Pack 4 o mas mahusay.

n. %1!s! El instalador requiere Windows 2000 Service Pack 4 o superior.

o %1!s! necessita do Windows 2000 Service Pack 4 ou superior.

n. %1!s! Installer requiere Windows 2000 Service Pack 4 o versiones posteriores.

1.3.25.224

CatalinaUpdateSetup.exe

CatalinaUpdate.exe_2616:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--This Id value indicates the application supports Windows 10.0 functionality-->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

###7777_{

###____777

###````87{

2 2$2(2,20242~2

4 4$4(4,4

?$?(?,?4?

> >@>\>`>

? ?@?\?`?

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.224

2007-2010

2007-2010

CatalinaUpdate.exe_2296:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--This Id value indicates the application supports Windows 10.0 functionality-->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

###7777_{

###____777

###````87{

2 2$2(2,20242~2

4 4$4(4,4

?$?(?,?4?

> >@>\>`>

? ?@?\?`?

C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.224

2007-2010

2007-2010

CatalinaUpdate.exe_1672:

.text

`.data

.text/DE

@.rsrc

@.reloc

SHELL32.dll

USER32.dll

SHLWAPI.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

CatalinaUpdate_unsigned.pdb

RegOpenKeyExW

ADVAPI32.dll

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

<requestedExecutionLevel level="asInvoker" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--This Id value indicates the application supports Windows 8 functionality-->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<!--This Id value indicates the application supports Windows 8.1 functionality-->

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<!--This Id value indicates the application supports Windows 10.0 functionality-->

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

###7777_{

###____777

###````87{

2 2$2(2,20242~2

4 4$4(4,4

?$?(?,?4?

> >@>\>`>

? ?@?\?`?

C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe

KERNEL32.DLL

mscoree.dll

goopdate.dll

CatalinaUpdate.exe

Software\CatalinaGroup\Update\Clients\{6C598730-F715-407B-A7AE-A8F10D0F8FA7}

1.3.25.224

2007-2010

2007-2010

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3700
   CatalinaUpdate.exe:3036
   CatalinaUpdate.exe:2356
   CatalinaUpdate.exe:1672

2. Delete the original not-a-virus file.
   
3. Delete or disinfect the following files created/modified by the not-a-virus:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ta.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_is.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdate.dll (1702 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_hi.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fi.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_zh-CN.dll (21 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_mr.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_pt-PT.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_th.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_hr.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_et.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ro.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\psuser.dll (162 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ja.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_de.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fr.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_no.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_pt-BR.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_id.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUT8F16.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_hu.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_es-419.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\npCatalinaUpdate3.dll (237 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_da.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_tr.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_en.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_es.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_nl.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_en-GB.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaCrashHandler.exe (132 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fa.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_kn.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_gu.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_vi.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdate.exe (267 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_uk.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sk.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ko.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ur.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sv.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_cs.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ar.dll (25 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ca.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_it.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_lt.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_el.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_fil.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdateBroker.exe (59 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sw.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_bg.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_am.dll (24 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_iw.dll (25 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sr.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_lv.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\psmachine.dll (156 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_pl.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_te.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_bn.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ru.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdateOnDemand.exe (59 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_sl.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ml.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_zh-TW.dll (21 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\goopdateres_ms.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\GUM8F15.tmp\CatalinaUpdateHelper.msi (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ja.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_am.dll (24 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_kn.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_gu.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_pt-BR.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_cs.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ur.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fil.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_hu.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_is.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_es.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaCrashHandler.exe (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ro.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_no.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fa.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ta.dll (29 bytes)
   C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-732923889-1296844034-1208581001-1000UA.job (930 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fr.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_nl.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_vi.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_lt.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ko.dll (23 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_hr.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_da.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_it.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_th.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sk.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_fi.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psmachine.dll (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_pl.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_hi.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_id.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateOnDemand.exe (59 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_mr.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_uk.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sv.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_en.dll (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_zh-TW.dll (21 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_bn.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_te.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ml.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sl.dll (28 bytes)
   C:\Windows\Tasks\CatalinaGroupUpdateTaskUserS-1-5-21-732923889-1296844034-1208581001-1000Core.job (878 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdate.exe (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\npCatalinaUpdate3.dll (1522 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_bg.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_zh-CN.dll (21 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_de.dll (30 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ms.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_en-GB.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sr.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\psuser.dll (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_el.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ca.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ar.dll (25 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_pt-PT.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_tr.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateBroker.exe (59 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_lv.dll (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_et.dll (27 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_iw.dll (25 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_es-419.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_sw.dll (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdate.dll (5873 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe (808 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\CatalinaUpdateHelper.msi (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\1.3.25.224\goopdateres_ru.dll (27 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "CatalinaGroup Update" = "C:\Users\"%CurrentUserName%"\AppData\Local\CatalinaGroup\Update\CatalinaUpdate.exe /c"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.