8177bf9adfc318fef55967e6e98f1166b22555c769fcaeb66d61b70338b94183

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-en-20211014
submitted
21-10-2021 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GuardCatAVSetup-Silent.exe.bin.exe
Size

9.3MB
MD5

127850a751efe17017e9c9be35dad10c
SHA1

45b18c91a7da7616838b89b4d4c9b465d60d619a
SHA256

8177bf9adfc318fef55967e6e98f1166b22555c769fcaeb66d61b70338b94183
SHA512

76ff77e65a34b2f5ff78d2be469119eefe740f38b350b7d572a430c54cabed6634ba473bbb2fa0595c060a410a3fbe01c27e163058c250abd31153647b00237d

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 20 IoCs

Processes:

AVInstaller.exeAVSetup.exeInstCtrl.exeGuardCatAV.exeServiceInstaller.exeInstCtrl.exeInstCtrl.exeInstCtrl.exeInstCtrl.exeInstCtrl.exeUpdaterSvc.exeInstCtrl.exeInstCtrl.exeInstCtrl.exeInstCtrl.exeInstCtrl.exeInstCtrl.exeGuardCatAV.exeUpdaterSvc.exeInstCtrl.exe

pid	process
112	AVInstaller.exe
1048	AVSetup.exe
904	InstCtrl.exe
992	GuardCatAV.exe
836	ServiceInstaller.exe
1068	InstCtrl.exe
1764	InstCtrl.exe
1956	InstCtrl.exe
564	InstCtrl.exe
1828	InstCtrl.exe
864	UpdaterSvc.exe
1628	InstCtrl.exe
1456	InstCtrl.exe
1968	InstCtrl.exe
1352	InstCtrl.exe
1732	InstCtrl.exe
1812	InstCtrl.exe
1456	GuardCatAV.exe
564	UpdaterSvc.exe
1828	InstCtrl.exe

Loads dropped DLL 64 IoCs

Processes:

GuardCatAVSetup-Silent.exe.bin.exeAVInstaller.exeAVSetup.exeInstCtrl.exeGuardCatAV.exeServiceInstaller.exe

pid	process
868	GuardCatAVSetup-Silent.exe.bin.exe
868	GuardCatAVSetup-Silent.exe.bin.exe
112	AVInstaller.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
904	InstCtrl.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe
836	ServiceInstaller.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GuardCatAV.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\GuardCatAV = "\"C:\\Program Files (x86)\\GuardCat AV\\GuardCatAV.exe\" /minimize"	GuardCatAV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

AVSetup.exeInstCtrl.exe

description	ioc	process
File created	C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\fr\Toaster.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\libavunrar.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\README.txt	InstCtrl.exe
File created	C:\Program Files (x86)\GuardCat AV\AvServiceEngine.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\SecDel.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\da\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\libavunrar_iface.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\libeay32.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\uninstall.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ssleay32.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe.config	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\LabelSetup.ini	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\SecDel.exe.config	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\TaskTool.exe.config	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\sr-Latn-RS\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\msvcp120.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Push.exe.config	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\TaskTool.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\es\Toaster.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ServiceInstaller.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\terms\terms.docx	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\da\Toaster.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\es\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ru\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\SecDelShell32.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\pt\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\sr-Cyrl-RS\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\updater.ini	InstCtrl.exe
File created	C:\Program Files (x86)\GuardCat AV\Runner.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ja\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\pt\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ru\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\sr-Latn-RS\Toaster.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Newtonsoft.Json.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Updater.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\de\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\nl\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ComponentFactory.Krypton.Toolkit.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\InstCtrl.exe.config	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Push.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Setup.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\de\Toaster.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\es\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Helper.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ICSharpCode.SharpZipLib.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\nl\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\SecDelShell64.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\fr\SecDel.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\InstCtrl.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ja\Toaster.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\sr-Cyrl-RS\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\UpdaterSvc.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\updater.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Bo.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Toaster.exe	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\ja\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\sr-Latn-RS\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\avlib.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\avupdate.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Microsoft.Win32.TaskScheduler.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\Toaster.exe.config	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\da\GuardCatAV.resources.dll	AVSetup.exe
File created	C:\Program Files (x86)\GuardCat AV\nl\Toaster.resources.dll	AVSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\AVSetup\AVSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\AVSetup\AVSetup.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\AvSetup\AvSetup.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\AvSetup\AvSetup.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\AvSetup\AvSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\AvSetup\AvSetup.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeAVSetup.exe

pid process

1928 powershell.exe
1048 AVSetup.exe
1048 AVSetup.exe
1048 AVSetup.exe
1048 AVSetup.exe
1048 AVSetup.exe
1048 AVSetup.exe

pid	process
1928	powershell.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe
1048	AVSetup.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeInstCtrl.exeGuardCatAV.exeInstCtrl.exeInstCtrl.exe

description	pid	process
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	904	InstCtrl.exe
Token: SeDebugPrivilege	992	GuardCatAV.exe
Token: SeDebugPrivilege	1732	InstCtrl.exe
Token: SeDebugPrivilege	1812	InstCtrl.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

GuardCatAV.exeGuardCatAV.exe

pid process

1456 GuardCatAV.exe
1456 GuardCatAV.exe
992 GuardCatAV.exe
992 GuardCatAV.exe
992 GuardCatAV.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

GuardCatAV.exeGuardCatAV.exe

pid process

1456 GuardCatAV.exe
1456 GuardCatAV.exe
992 GuardCatAV.exe
992 GuardCatAV.exe
992 GuardCatAV.exe

pid	process
1456	GuardCatAV.exe
1456	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe

pid	process
1456	GuardCatAV.exe
1456	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe
992	GuardCatAV.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GuardCatAVSetup-Silent.exe.bin.exeAVInstaller.exeAVSetup.exe

description	pid	process	target process
PID 868 wrote to memory of 112	868	GuardCatAVSetup-Silent.exe.bin.exe	AVInstaller.exe
PID 868 wrote to memory of 112	868	GuardCatAVSetup-Silent.exe.bin.exe	AVInstaller.exe
PID 868 wrote to memory of 112	868	GuardCatAVSetup-Silent.exe.bin.exe	AVInstaller.exe
PID 868 wrote to memory of 112	868	GuardCatAVSetup-Silent.exe.bin.exe	AVInstaller.exe
PID 868 wrote to memory of 112	868	GuardCatAVSetup-Silent.exe.bin.exe	AVInstaller.exe
PID 868 wrote to memory of 112	868	GuardCatAVSetup-Silent.exe.bin.exe	AVInstaller.exe
PID 868 wrote to memory of 112	868	GuardCatAVSetup-Silent.exe.bin.exe	AVInstaller.exe
PID 112 wrote to memory of 1896	112	AVInstaller.exe	schtasks.exe
PID 112 wrote to memory of 1896	112	AVInstaller.exe	schtasks.exe
PID 112 wrote to memory of 1896	112	AVInstaller.exe	schtasks.exe
PID 112 wrote to memory of 1896	112	AVInstaller.exe	schtasks.exe
PID 112 wrote to memory of 1048	112	AVInstaller.exe	AVSetup.exe
PID 112 wrote to memory of 1048	112	AVInstaller.exe	AVSetup.exe
PID 112 wrote to memory of 1048	112	AVInstaller.exe	AVSetup.exe
PID 112 wrote to memory of 1048	112	AVInstaller.exe	AVSetup.exe
PID 112 wrote to memory of 1048	112	AVInstaller.exe	AVSetup.exe
PID 112 wrote to memory of 1048	112	AVInstaller.exe	AVSetup.exe
PID 112 wrote to memory of 1048	112	AVInstaller.exe	AVSetup.exe
PID 1048 wrote to memory of 1928	1048	AVSetup.exe	powershell.exe
PID 1048 wrote to memory of 1928	1048	AVSetup.exe	powershell.exe
PID 1048 wrote to memory of 1928	1048	AVSetup.exe	powershell.exe
PID 1048 wrote to memory of 1928	1048	AVSetup.exe	powershell.exe
PID 1048 wrote to memory of 904	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 904	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 904	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 904	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1068	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1068	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1068	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1068	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1956	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1956	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1956	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1956	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1764	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1764	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1764	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1764	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 564	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 564	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 564	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 564	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1828	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1828	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1828	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1828	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1628	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1628	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1628	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1628	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1456	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1456	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1456	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1456	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1968	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1968	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1968	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1968	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1352	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1352	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1352	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1352	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1732	1048	AVSetup.exe	InstCtrl.exe
PID 1048 wrote to memory of 1732	1048	AVSetup.exe	InstCtrl.exe

C:\Users\Admin\AppData\Local\Temp\GuardCatAVSetup-Silent.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\GuardCatAVSetup-Silent.exe.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Roaming\AvSetup\AVInstaller.exe
"C:\Users\Admin\AppData\Roaming\AvSetup\AVInstaller.exe" /q
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AVInstaller" /f
3⤵
PID:1896

C:\Users\Admin\AppData\Roaming\AVSetup\AVSetup.exe
"C:\Users\Admin\AppData\Roaming\AVSetup\AVSetup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst3F8.tmp\DisableWD.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" updatedefs
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" mastertask
4⤵
- Executes dropped EXE
PID:1068

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" popuptask
4⤵
- Executes dropped EXE
PID:1956

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" defaultschedule
4⤵
- Executes dropped EXE
PID:1764

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" runservicetask
4⤵
- Executes dropped EXE
PID:564

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" createini
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1828

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" startserviceavsrv
4⤵
- Executes dropped EXE
PID:1628

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" startserviceavupdsrv
4⤵
- Executes dropped EXE
PID:1456

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" pendingfilerenameoperations
4⤵
- Executes dropped EXE
PID:1968

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" sbamdone
4⤵
- Executes dropped EXE
PID:1352

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" installpage
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" installstats
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe
"C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe" afterinstallrun
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1456

C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe
"C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:992

C:\Program Files (x86)\GuardCat AV\ServiceInstaller.exe
"C:\Program Files (x86)\GuardCat AV\ServiceInstaller.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:836

C:\Program Files (x86)\GuardCat AV\UpdaterSvc.exe
"C:\Program Files (x86)\GuardCat AV\UpdaterSvc.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Program Files (x86)\GuardCat AV\UpdaterSvc.exe
"C:\Program Files (x86)\GuardCat AV\UpdaterSvc.exe"
1⤵
- Executes dropped EXE
PID:564

C:\Windows\system32\taskeng.exe
taskeng.exe {ED9F510D-5F84-4C5E-A06D-FD94B104CE03} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
PID:864

C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
"C:\Program Files (x86)\GuardCat AV\InstCtrl.exe" modifytask
2⤵
- Executes dropped EXE
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GuardCat AV\AvServiceEngine.dll
MD5
c8d0dbb87812756d55f4fd06511eef3d

SHA1
24d61c85f6479a49fd9c654e2ed3e17d9e174979

SHA256
2e9004feedfadff38e327dc3e419c2251a8bc5fd9a68d0fedcdf40f7a1da3894

SHA512
eabc627564874b5ad658c7a9cb48d0ffca662fb95ee163092ff8ddd6f317ddc182f9d75e69016b333a3f44f2db8c4920a902551166423e224b3f1c28854efdee

Download Submit
C:\Program Files (x86)\GuardCat AV\Bo.dll
MD5
f7386458e4bf63e01c7a9b7e34e4c777

SHA1
7194e0f16c10f27b71c695b4b8f337ee9f268544

SHA256
d595d2f704e89c3a31d07ce7c5c031d7f7dca0eb41945717c03b9b5ae531d167

SHA512
8f4bc1c8499509de291f29f6cfca6938c7a4b13e149c6d88fa97ec3c47920de05154aedf36886472ec6453483219e4d34969fdd682a84a31e221a61c47489de1

Download Submit
C:\Program Files (x86)\GuardCat AV\ComponentFactory.Krypton.Toolkit.dll
MD5
4aa46ecabd3073852f3a778d28d9edae

SHA1
0011708b8549bfbcbe0596c7a9459d61b072d16f

SHA256
956ad7e5c070ee129e70a3e7f5d44038d5bb43ade2d24b5119a0f0e763e6a8a9

SHA512
08c025d77fc5e1936b2dd695dea1d4533e3f98e84861ccf5a72da1f63152cc3b10a603c5d8490fc29ff76c79b46d399ac6e443faa52036bd05a130d287a10a45

Download Submit
C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe
MD5
bcfb84850f1571b38126087fffad0ee9

SHA1
26375629658097ecdd67996d7ccf39784eddf868

SHA256
bd31e5f82d126b6f7f2af4838f793be08bfc50d107cf507d59d6dd8478c73772

SHA512
5bedd625a7f20b0d7b83d906f82cb6b877e3faf9e184b9a108349c4619477fabf79f6edc28926808a58a153fb42712f1a710aabb936ecbfaf6a4b0e4f56f26f3

Download Submit
C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe
MD5
bcfb84850f1571b38126087fffad0ee9

SHA1
26375629658097ecdd67996d7ccf39784eddf868

SHA256
bd31e5f82d126b6f7f2af4838f793be08bfc50d107cf507d59d6dd8478c73772

SHA512
5bedd625a7f20b0d7b83d906f82cb6b877e3faf9e184b9a108349c4619477fabf79f6edc28926808a58a153fb42712f1a710aabb936ecbfaf6a4b0e4f56f26f3

Download Submit
C:\Program Files (x86)\GuardCat AV\GuardCatAV.exe.config
MD5
d7e34c804307e2f538c8163566c5bc8a

SHA1
d886faf11729a16e223004c3907c9519129f0fb2

SHA256
af720719f9b6cf63ada070c72144146ad4fdef81acef6db427091de2a0382941

SHA512
9a72e705572809dae8363a87865e14b4dfe79d523008bb0cac36f330e8b162f30bf0334fc712591ddf18b535cc51acbc08152884c7f8498b0a1813b58c38ba6c

Download Submit
C:\Program Files (x86)\GuardCat AV\Helper.dll
MD5
3f28993890b629a16db75ba443be54c9

SHA1
3fcc08b188a5214bc3cd0e7d8811d6c3fcca4e0d

SHA256
650c92e0578a789ac18c43b75ef640463cc3799348e5f0a5df7122e751d17595

SHA512
375d00e8381e7f6128d1fee0569570d112717c37bc7134ee3d4e0ec87b002adff215f03e999851c8383b9c3dd432d2ca5d94b067314fa9206fcec57b9cef871b

Download Submit
C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
MD5
8920128b6b03a2aee3ffac8cb3467720

SHA1
42abdd6ca848e1af7383d592954f4ccace00622c

SHA256
1be6c4fabe45e7598dfb82fba30c4c257b614d6cb5fa88d2858da4b9e37d692e

SHA512
2685108c10cc0042fcc44aaf2ff97dbf2745bb2a9bbebc2812ecbfa6a4a7183a415229c9fa9477e0a45fe26f112d2cf27fc7c398ea06ad194e20e272d1ad1465

Download Submit
C:\Program Files (x86)\GuardCat AV\InstCtrl.exe
MD5
8920128b6b03a2aee3ffac8cb3467720

SHA1
42abdd6ca848e1af7383d592954f4ccace00622c

SHA256
1be6c4fabe45e7598dfb82fba30c4c257b614d6cb5fa88d2858da4b9e37d692e

SHA512
2685108c10cc0042fcc44aaf2ff97dbf2745bb2a9bbebc2812ecbfa6a4a7183a415229c9fa9477e0a45fe26f112d2cf27fc7c398ea06ad194e20e272d1ad1465

Download Submit
C:\Program Files (x86)\GuardCat AV\InstCtrl.exe.config
MD5
8810b832f11b6e5a1afab929618059f2

SHA1
5e198d58851231b69595a5800739f06b875cca3d

SHA256
68cbb1295389a1bd6b830debfd0a8bb0a88bee2522304f5894c710912021194c

SHA512
b7ff97e5be1a9585a53a570445f25070e2124f3a8d8eed760dc062ca41a9828dc7e3a53136faf68673cabedfc8512cc02333ec5556c62050232f9be8e8337b64

Download Submit
C:\Program Files (x86)\GuardCat AV\LabelSetup.ini
MD5
28f9a5b68f30dda8fc976fd8fbd13cb5

SHA1
ea69d4ca0a7fcbebf70a7d57c153a2a0bda2761e

SHA256
fd6344e313fbbf64dff188931ff0c546ce1675e4395cd34e9539b6921f3c0630

SHA512
f5a60d7d42cbfc07ec08f6ae9bfd3ba32987a6d9d9d4dc9849874c8abbf7cbb0f2d15e2b8246112bb06cbe2f4ac82b4776a8655d92bee0b86923eaf9393864f5

Download Submit
C:\Program Files (x86)\GuardCat AV\Microsoft.Win32.TaskScheduler.dll
MD5
1cf1286a1cf06f4639421b90dc339ad6

SHA1
94c9d790eeebeafd507daba305d4d87f7461aa0c

SHA256
0aac410273e043c6668678566b2f426525d12d7838216da2d9ec6786a9613906

SHA512
c0009e9484e4be9a0ff1012184bf3595c1c292fb597926aa86ffe8ab8fb04bae90db52a5a2700eabce591bcf692a290b02622c865741ed2aa03c33b05352cc76

Download Submit
C:\Program Files (x86)\GuardCat AV\Newtonsoft.Json.dll
MD5
fa73f73f9fe28203471ed1c3c5c45594

SHA1
10df008f193355a272562f5640722d496f8f2703

SHA256
823b09bc480f8d3c3c20703c7df328687f0872a9f923871808e371e822a7f433

SHA512
1a1e6322429717aab8dfcc42da1290fa4a3fe5c4ddec85eaae41d1944cc56a353e1c46809339a6803d812fdecfb5334feac54b6882679e95f08ed4346f7036d1

Download Submit
C:\Program Files (x86)\GuardCat AV\Runner.dll
MD5
fa62a014e33251b9b76a6913d42d5b1c

SHA1
66f1adde19b58e4003ea0bb1ce249d341deb71f1

SHA256
389cbfadad3c526a71829865744007c446eaafe9da6271a05583a925c9881e11

SHA512
bbcfcf85d4feab021b155ce3b6d51ae404e2ee4d92669e4255ef8260a2de1570462fd0229309a33260f035c425d729f6bbc9728bd625e431ac016f79a44df810

Download Submit
C:\Program Files (x86)\GuardCat AV\Setup.dll
MD5
a371eb6357697a2fd8bfa9248d7b6367

SHA1
af1189d8b1de97e9a18a183e6e4eaa0bc5907e84

SHA256
56f0f44dd19f37c89d0e5920865957ce66c8090fa24b9d471bb2136e6d94db0a

SHA512
e8ef77c2d3d82bb634e1d4d29e54d1c26335d13f3957704d88fd804bc6364794242ee06febc8d00a107c0ead37f769c3e5cf539c3acbd3413f5c1ed24b68344d

Download Submit
C:\Program Files (x86)\GuardCat AV\Updater.dll
MD5
f0e0050f106c8d73ab2bda29d745009c

SHA1
08c7ac054b1c6131ab3f4aa511c9f0fdde951440

SHA256
facaefcc5828c09b752eab19bae96fd1fd6dcc1c8d608686f91858403656a62d

SHA512
06875a518f5bd50faa2ca5c59a47f72576472d69ccf9dbaec50cd9c18f16572249b2cd3df815e5908f620a9fecd2cfb2154745a816ed9aea15dc4fbb451efa4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3F8.tmp\DisableWD.ps1
MD5
515b997d0f2a706315303d849b1ca8ec

SHA1
ed79bd1513c1a6e78cdcf8d4676eece7253470d7

SHA256
d0c8923439a6daeef5b6a08defe5ca19c61601647b92c92c3368791bbb8fea99

SHA512
2b7d7dc169d2c8330bc7908626d7995bf3020da29376a611c1c439acb0ff54dcb5aad18a97fd45dab475b37e50c0e2a53c6b3f477baa70cf36039714e0210e67

Download Submit
C:\Users\Admin\AppData\Roaming\AVSetup\AVSetup.exe
MD5
89bdb6f4a7940b8666b5935ce6c0932e

SHA1
67aa59372d2598f30abc2502ca52a9dcca3d7b8e

SHA256
7ab45c4b53a7139aed87fec0e85ba635f9cdc2276b4e2ab4aa8ea977f31b5d18

SHA512
d219a64685149fc5d930bb08fb4001aa7a5033dd6f647304b5613d6011bda1f006debb99f3a5f88f0f74f39115ee21502e3cc6cc041b01da40da2f19d8237708

Download Submit
C:\Users\Admin\AppData\Roaming\AvSetup\AVInstaller.exe
MD5
3ff7c59d879e2f64b460df751c63294c

SHA1
8b0edc0b80b29ab21ec2a0d82dd463a0f5fe7bf0

SHA256
3098ce1ed846491c587220605255e0080d89901019cc0f93f344c03418b0c94a

SHA512
034808553897a92ebf39bf892f47dbe2f99805464193dd86362396cf4786a736ea8a6861ffee8d60525992f2462e6f71b5d62de95f927274e98c0f75508dd4a6

Download Submit
C:\Users\Admin\AppData\Roaming\AvSetup\AvSetup.exe
MD5
89bdb6f4a7940b8666b5935ce6c0932e

SHA1
67aa59372d2598f30abc2502ca52a9dcca3d7b8e

SHA256
7ab45c4b53a7139aed87fec0e85ba635f9cdc2276b4e2ab4aa8ea977f31b5d18

SHA512
d219a64685149fc5d930bb08fb4001aa7a5033dd6f647304b5613d6011bda1f006debb99f3a5f88f0f74f39115ee21502e3cc6cc041b01da40da2f19d8237708

Download Submit
C:\Users\Admin\AppData\Roaming\GuardCat AV\AvSvc.settings
MD5
ce79f1023dc35b2b77615f8936b5bd7c

SHA1
b4acd617d08a305ac7c5943c3a2bce96e5e1ed50

SHA256
27c3e43f3ad4d911227ce62af5be814d4c0f866f9e51a2341ed479811daca65c

SHA512
ba0698b6b7f19fede80ca4061d86609687f1fdc8537229dcf12a2ae56358ff30b779ff3e99d2b7a6839b3ccb4ca9163c7d8fd1b3a83a64317d5fd683825d6c27

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\GuardCat AV\AvServiceEngine.dll
MD5
c8d0dbb87812756d55f4fd06511eef3d

SHA1
24d61c85f6479a49fd9c654e2ed3e17d9e174979

SHA256
2e9004feedfadff38e327dc3e419c2251a8bc5fd9a68d0fedcdf40f7a1da3894

SHA512
eabc627564874b5ad658c7a9cb48d0ffca662fb95ee163092ff8ddd6f317ddc182f9d75e69016b333a3f44f2db8c4920a902551166423e224b3f1c28854efdee

Download Submit
\Program Files (x86)\GuardCat AV\AvServiceEngine.dll
MD5
c8d0dbb87812756d55f4fd06511eef3d

SHA1
24d61c85f6479a49fd9c654e2ed3e17d9e174979

SHA256
2e9004feedfadff38e327dc3e419c2251a8bc5fd9a68d0fedcdf40f7a1da3894

SHA512
eabc627564874b5ad658c7a9cb48d0ffca662fb95ee163092ff8ddd6f317ddc182f9d75e69016b333a3f44f2db8c4920a902551166423e224b3f1c28854efdee

Download Submit
\Program Files (x86)\GuardCat AV\AvServiceEngine.dll
MD5
c8d0dbb87812756d55f4fd06511eef3d

SHA1
24d61c85f6479a49fd9c654e2ed3e17d9e174979

SHA256
2e9004feedfadff38e327dc3e419c2251a8bc5fd9a68d0fedcdf40f7a1da3894

SHA512
eabc627564874b5ad658c7a9cb48d0ffca662fb95ee163092ff8ddd6f317ddc182f9d75e69016b333a3f44f2db8c4920a902551166423e224b3f1c28854efdee

Download Submit
\Program Files (x86)\GuardCat AV\AvServiceEngine.dll
MD5
c8d0dbb87812756d55f4fd06511eef3d

SHA1
24d61c85f6479a49fd9c654e2ed3e17d9e174979

SHA256
2e9004feedfadff38e327dc3e419c2251a8bc5fd9a68d0fedcdf40f7a1da3894

SHA512
eabc627564874b5ad658c7a9cb48d0ffca662fb95ee163092ff8ddd6f317ddc182f9d75e69016b333a3f44f2db8c4920a902551166423e224b3f1c28854efdee

Download Submit
\Program Files (x86)\GuardCat AV\Bo.dll
MD5
f7386458e4bf63e01c7a9b7e34e4c777

SHA1
7194e0f16c10f27b71c695b4b8f337ee9f268544

SHA256
d595d2f704e89c3a31d07ce7c5c031d7f7dca0eb41945717c03b9b5ae531d167

SHA512
8f4bc1c8499509de291f29f6cfca6938c7a4b13e149c6d88fa97ec3c47920de05154aedf36886472ec6453483219e4d34969fdd682a84a31e221a61c47489de1

Download Submit
\Program Files (x86)\GuardCat AV\Bo.dll
MD5
f7386458e4bf63e01c7a9b7e34e4c777

SHA1
7194e0f16c10f27b71c695b4b8f337ee9f268544

SHA256
d595d2f704e89c3a31d07ce7c5c031d7f7dca0eb41945717c03b9b5ae531d167

SHA512
8f4bc1c8499509de291f29f6cfca6938c7a4b13e149c6d88fa97ec3c47920de05154aedf36886472ec6453483219e4d34969fdd682a84a31e221a61c47489de1

Download Submit
\Program Files (x86)\GuardCat AV\ComponentFactory.Krypton.Toolkit.dll
MD5
4aa46ecabd3073852f3a778d28d9edae

SHA1
0011708b8549bfbcbe0596c7a9459d61b072d16f

SHA256
956ad7e5c070ee129e70a3e7f5d44038d5bb43ade2d24b5119a0f0e763e6a8a9

SHA512
08c025d77fc5e1936b2dd695dea1d4533e3f98e84861ccf5a72da1f63152cc3b10a603c5d8490fc29ff76c79b46d399ac6e443faa52036bd05a130d287a10a45

Download Submit
\Program Files (x86)\GuardCat AV\ComponentFactory.Krypton.Toolkit.dll
MD5
4aa46ecabd3073852f3a778d28d9edae

SHA1
0011708b8549bfbcbe0596c7a9459d61b072d16f

SHA256
956ad7e5c070ee129e70a3e7f5d44038d5bb43ade2d24b5119a0f0e763e6a8a9

SHA512
08c025d77fc5e1936b2dd695dea1d4533e3f98e84861ccf5a72da1f63152cc3b10a603c5d8490fc29ff76c79b46d399ac6e443faa52036bd05a130d287a10a45

Download Submit
\Program Files (x86)\GuardCat AV\GuardCatAV.exe
MD5
bcfb84850f1571b38126087fffad0ee9

SHA1
26375629658097ecdd67996d7ccf39784eddf868

SHA256
bd31e5f82d126b6f7f2af4838f793be08bfc50d107cf507d59d6dd8478c73772

SHA512
5bedd625a7f20b0d7b83d906f82cb6b877e3faf9e184b9a108349c4619477fabf79f6edc28926808a58a153fb42712f1a710aabb936ecbfaf6a4b0e4f56f26f3

Download Submit
\Program Files (x86)\GuardCat AV\GuardCatAV.exe
MD5
bcfb84850f1571b38126087fffad0ee9

SHA1
26375629658097ecdd67996d7ccf39784eddf868

SHA256
bd31e5f82d126b6f7f2af4838f793be08bfc50d107cf507d59d6dd8478c73772

SHA512
5bedd625a7f20b0d7b83d906f82cb6b877e3faf9e184b9a108349c4619477fabf79f6edc28926808a58a153fb42712f1a710aabb936ecbfaf6a4b0e4f56f26f3

Download Submit
\Program Files (x86)\GuardCat AV\Helper.dll
MD5
3f28993890b629a16db75ba443be54c9

SHA1
3fcc08b188a5214bc3cd0e7d8811d6c3fcca4e0d

SHA256
650c92e0578a789ac18c43b75ef640463cc3799348e5f0a5df7122e751d17595

SHA512
375d00e8381e7f6128d1fee0569570d112717c37bc7134ee3d4e0ec87b002adff215f03e999851c8383b9c3dd432d2ca5d94b067314fa9206fcec57b9cef871b

Download Submit
\Program Files (x86)\GuardCat AV\Helper.dll
MD5
3f28993890b629a16db75ba443be54c9

SHA1
3fcc08b188a5214bc3cd0e7d8811d6c3fcca4e0d

SHA256
650c92e0578a789ac18c43b75ef640463cc3799348e5f0a5df7122e751d17595

SHA512
375d00e8381e7f6128d1fee0569570d112717c37bc7134ee3d4e0ec87b002adff215f03e999851c8383b9c3dd432d2ca5d94b067314fa9206fcec57b9cef871b

Download Submit
\Program Files (x86)\GuardCat AV\Helper.dll
MD5
3f28993890b629a16db75ba443be54c9

SHA1
3fcc08b188a5214bc3cd0e7d8811d6c3fcca4e0d

SHA256
650c92e0578a789ac18c43b75ef640463cc3799348e5f0a5df7122e751d17595

SHA512
375d00e8381e7f6128d1fee0569570d112717c37bc7134ee3d4e0ec87b002adff215f03e999851c8383b9c3dd432d2ca5d94b067314fa9206fcec57b9cef871b

Download Submit
\Program Files (x86)\GuardCat AV\Helper.dll
MD5
3f28993890b629a16db75ba443be54c9

SHA1
3fcc08b188a5214bc3cd0e7d8811d6c3fcca4e0d

SHA256
650c92e0578a789ac18c43b75ef640463cc3799348e5f0a5df7122e751d17595

SHA512
375d00e8381e7f6128d1fee0569570d112717c37bc7134ee3d4e0ec87b002adff215f03e999851c8383b9c3dd432d2ca5d94b067314fa9206fcec57b9cef871b

Download Submit
\Program Files (x86)\GuardCat AV\InstCtrl.exe
MD5
8920128b6b03a2aee3ffac8cb3467720

SHA1
42abdd6ca848e1af7383d592954f4ccace00622c

SHA256
1be6c4fabe45e7598dfb82fba30c4c257b614d6cb5fa88d2858da4b9e37d692e

SHA512
2685108c10cc0042fcc44aaf2ff97dbf2745bb2a9bbebc2812ecbfa6a4a7183a415229c9fa9477e0a45fe26f112d2cf27fc7c398ea06ad194e20e272d1ad1465

Download Submit
\Program Files (x86)\GuardCat AV\Microsoft.Win32.TaskScheduler.dll
MD5
1cf1286a1cf06f4639421b90dc339ad6

SHA1
94c9d790eeebeafd507daba305d4d87f7461aa0c

SHA256
0aac410273e043c6668678566b2f426525d12d7838216da2d9ec6786a9613906

SHA512
c0009e9484e4be9a0ff1012184bf3595c1c292fb597926aa86ffe8ab8fb04bae90db52a5a2700eabce591bcf692a290b02622c865741ed2aa03c33b05352cc76

Download Submit
\Program Files (x86)\GuardCat AV\Microsoft.Win32.TaskScheduler.dll
MD5
1cf1286a1cf06f4639421b90dc339ad6

SHA1
94c9d790eeebeafd507daba305d4d87f7461aa0c

SHA256
0aac410273e043c6668678566b2f426525d12d7838216da2d9ec6786a9613906

SHA512
c0009e9484e4be9a0ff1012184bf3595c1c292fb597926aa86ffe8ab8fb04bae90db52a5a2700eabce591bcf692a290b02622c865741ed2aa03c33b05352cc76

Download Submit
\Program Files (x86)\GuardCat AV\Newtonsoft.Json.dll
MD5
fa73f73f9fe28203471ed1c3c5c45594

SHA1
10df008f193355a272562f5640722d496f8f2703

SHA256
823b09bc480f8d3c3c20703c7df328687f0872a9f923871808e371e822a7f433

SHA512
1a1e6322429717aab8dfcc42da1290fa4a3fe5c4ddec85eaae41d1944cc56a353e1c46809339a6803d812fdecfb5334feac54b6882679e95f08ed4346f7036d1

Download Submit
\Program Files (x86)\GuardCat AV\Runner.dll
MD5
fa62a014e33251b9b76a6913d42d5b1c

SHA1
66f1adde19b58e4003ea0bb1ce249d341deb71f1

SHA256
389cbfadad3c526a71829865744007c446eaafe9da6271a05583a925c9881e11

SHA512
bbcfcf85d4feab021b155ce3b6d51ae404e2ee4d92669e4255ef8260a2de1570462fd0229309a33260f035c425d729f6bbc9728bd625e431ac016f79a44df810

Download Submit
\Program Files (x86)\GuardCat AV\Runner.dll
MD5
fa62a014e33251b9b76a6913d42d5b1c

SHA1
66f1adde19b58e4003ea0bb1ce249d341deb71f1

SHA256
389cbfadad3c526a71829865744007c446eaafe9da6271a05583a925c9881e11

SHA512
bbcfcf85d4feab021b155ce3b6d51ae404e2ee4d92669e4255ef8260a2de1570462fd0229309a33260f035c425d729f6bbc9728bd625e431ac016f79a44df810

Download Submit
\Program Files (x86)\GuardCat AV\Runner.dll
MD5
fa62a014e33251b9b76a6913d42d5b1c

SHA1
66f1adde19b58e4003ea0bb1ce249d341deb71f1

SHA256
389cbfadad3c526a71829865744007c446eaafe9da6271a05583a925c9881e11

SHA512
bbcfcf85d4feab021b155ce3b6d51ae404e2ee4d92669e4255ef8260a2de1570462fd0229309a33260f035c425d729f6bbc9728bd625e431ac016f79a44df810

Download Submit
\Program Files (x86)\GuardCat AV\Runner.dll
MD5
fa62a014e33251b9b76a6913d42d5b1c

SHA1
66f1adde19b58e4003ea0bb1ce249d341deb71f1

SHA256
389cbfadad3c526a71829865744007c446eaafe9da6271a05583a925c9881e11

SHA512
bbcfcf85d4feab021b155ce3b6d51ae404e2ee4d92669e4255ef8260a2de1570462fd0229309a33260f035c425d729f6bbc9728bd625e431ac016f79a44df810

Download Submit
\Program Files (x86)\GuardCat AV\Setup.dll
MD5
a371eb6357697a2fd8bfa9248d7b6367

SHA1
af1189d8b1de97e9a18a183e6e4eaa0bc5907e84

SHA256
56f0f44dd19f37c89d0e5920865957ce66c8090fa24b9d471bb2136e6d94db0a

SHA512
e8ef77c2d3d82bb634e1d4d29e54d1c26335d13f3957704d88fd804bc6364794242ee06febc8d00a107c0ead37f769c3e5cf539c3acbd3413f5c1ed24b68344d

Download Submit
\Program Files (x86)\GuardCat AV\Setup.dll
MD5
a371eb6357697a2fd8bfa9248d7b6367

SHA1
af1189d8b1de97e9a18a183e6e4eaa0bc5907e84

SHA256
56f0f44dd19f37c89d0e5920865957ce66c8090fa24b9d471bb2136e6d94db0a

SHA512
e8ef77c2d3d82bb634e1d4d29e54d1c26335d13f3957704d88fd804bc6364794242ee06febc8d00a107c0ead37f769c3e5cf539c3acbd3413f5c1ed24b68344d

Download Submit
\Program Files (x86)\GuardCat AV\Setup.dll
MD5
a371eb6357697a2fd8bfa9248d7b6367

SHA1
af1189d8b1de97e9a18a183e6e4eaa0bc5907e84

SHA256
56f0f44dd19f37c89d0e5920865957ce66c8090fa24b9d471bb2136e6d94db0a

SHA512
e8ef77c2d3d82bb634e1d4d29e54d1c26335d13f3957704d88fd804bc6364794242ee06febc8d00a107c0ead37f769c3e5cf539c3acbd3413f5c1ed24b68344d

Download Submit
\Program Files (x86)\GuardCat AV\Setup.dll
MD5
a371eb6357697a2fd8bfa9248d7b6367

SHA1
af1189d8b1de97e9a18a183e6e4eaa0bc5907e84

SHA256
56f0f44dd19f37c89d0e5920865957ce66c8090fa24b9d471bb2136e6d94db0a

SHA512
e8ef77c2d3d82bb634e1d4d29e54d1c26335d13f3957704d88fd804bc6364794242ee06febc8d00a107c0ead37f769c3e5cf539c3acbd3413f5c1ed24b68344d

Download Submit
\Program Files (x86)\GuardCat AV\Updater.dll
MD5
f0e0050f106c8d73ab2bda29d745009c

SHA1
08c7ac054b1c6131ab3f4aa511c9f0fdde951440

SHA256
facaefcc5828c09b752eab19bae96fd1fd6dcc1c8d608686f91858403656a62d

SHA512
06875a518f5bd50faa2ca5c59a47f72576472d69ccf9dbaec50cd9c18f16572249b2cd3df815e5908f620a9fecd2cfb2154745a816ed9aea15dc4fbb451efa4e

Download Submit
\Program Files (x86)\GuardCat AV\Updater.dll
MD5
f0e0050f106c8d73ab2bda29d745009c

SHA1
08c7ac054b1c6131ab3f4aa511c9f0fdde951440

SHA256
facaefcc5828c09b752eab19bae96fd1fd6dcc1c8d608686f91858403656a62d

SHA512
06875a518f5bd50faa2ca5c59a47f72576472d69ccf9dbaec50cd9c18f16572249b2cd3df815e5908f620a9fecd2cfb2154745a816ed9aea15dc4fbb451efa4e

Download Submit
\Program Files (x86)\GuardCat AV\Updater.dll
MD5
f0e0050f106c8d73ab2bda29d745009c

SHA1
08c7ac054b1c6131ab3f4aa511c9f0fdde951440

SHA256
facaefcc5828c09b752eab19bae96fd1fd6dcc1c8d608686f91858403656a62d

SHA512
06875a518f5bd50faa2ca5c59a47f72576472d69ccf9dbaec50cd9c18f16572249b2cd3df815e5908f620a9fecd2cfb2154745a816ed9aea15dc4fbb451efa4e

Download Submit
\Program Files (x86)\GuardCat AV\Updater.dll
MD5
f0e0050f106c8d73ab2bda29d745009c

SHA1
08c7ac054b1c6131ab3f4aa511c9f0fdde951440

SHA256
facaefcc5828c09b752eab19bae96fd1fd6dcc1c8d608686f91858403656a62d

SHA512
06875a518f5bd50faa2ca5c59a47f72576472d69ccf9dbaec50cd9c18f16572249b2cd3df815e5908f620a9fecd2cfb2154745a816ed9aea15dc4fbb451efa4e

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\FindProcDLL.dll
MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\FindProcDLL.dll
MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\SimpleSC.dll
MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\StdUtils.dll
MD5
e6e1b2fa0f634b3a92cd798d7e1d1fcb

SHA1
f7e85f5117cfd4441f64601445b1e6976573e8a2

SHA256
9736e0e0d56e312b3f04f3e4e3af47b3968b92e221084eba35982c4de63c93d0

SHA512
ed7a69f0c6468b23eed478937fc79b9cfdc409d0f2c4c72592bf4e6637f013b14527cf166606ab787014fc2d45789d614f8b7a700af73f3483dc0b979dcf591b

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\System.dll
MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\nst3F8.tmp\nsExec.dll
MD5
b5a1f9dc73e2944a388a61411bdd8c70

SHA1
dc9b20df3f3810c2e81a0c54dea385704ba8bef7

SHA256
288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

SHA512
b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

Download Submit
\Users\Admin\AppData\Local\Temp\nstF690.tmp\System.dll
MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Roaming\AvSetup\AVInstaller.exe
MD5
3ff7c59d879e2f64b460df751c63294c

SHA1
8b0edc0b80b29ab21ec2a0d82dd463a0f5fe7bf0

SHA256
3098ce1ed846491c587220605255e0080d89901019cc0f93f344c03418b0c94a

SHA512
034808553897a92ebf39bf892f47dbe2f99805464193dd86362396cf4786a736ea8a6861ffee8d60525992f2462e6f71b5d62de95f927274e98c0f75508dd4a6

Download Submit
\Users\Admin\AppData\Roaming\AvSetup\AvSetup.exe
MD5
89bdb6f4a7940b8666b5935ce6c0932e

SHA1
67aa59372d2598f30abc2502ca52a9dcca3d7b8e

SHA256
7ab45c4b53a7139aed87fec0e85ba635f9cdc2276b4e2ab4aa8ea977f31b5d18

SHA512
d219a64685149fc5d930bb08fb4001aa7a5033dd6f647304b5613d6011bda1f006debb99f3a5f88f0f74f39115ee21502e3cc6cc041b01da40da2f19d8237708

Download Submit
memory/112-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/112-58-0x0000000000000000-mapping.dmp

Download
memory/564-189-0x0000000000000000-mapping.dmp

Download
memory/564-229-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/564-368-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/836-171-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/836-184-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/836-185-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/836-404-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/864-197-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/864-225-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/868-55-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/904-119-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/904-94-0x0000000000000000-mapping.dmp

Download
memory/904-98-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/904-130-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/904-103-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/904-108-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/904-129-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/904-114-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/904-124-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/992-406-0x00000000022BD000-0x00000000022BE000-memory.dmp

Filesize
4KB

Download
memory/992-402-0x00000000022BA000-0x00000000022BB000-memory.dmp

Filesize
4KB

Download
memory/992-396-0x00000000022B6000-0x00000000022B7000-memory.dmp

Filesize
4KB

Download
memory/992-162-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/992-169-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/992-134-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/992-160-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/992-170-0x00000000022A5000-0x00000000022B6000-memory.dmp

Filesize
68KB

Download
memory/992-400-0x00000000022B8000-0x00000000022B9000-memory.dmp

Filesize
4KB

Download
memory/992-399-0x00000000022B7000-0x00000000022B8000-memory.dmp

Filesize
4KB

Download
memory/992-183-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/992-166-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/992-405-0x00000000022BC000-0x00000000022BD000-memory.dmp

Filesize
4KB

Download
memory/992-401-0x00000000022B9000-0x00000000022BA000-memory.dmp

Filesize
4KB

Download
memory/992-403-0x00000000022BB000-0x00000000022BC000-memory.dmp

Filesize
4KB

Download
memory/1048-86-0x0000000000381000-0x000000000038D000-memory.dmp

Filesize
48KB

Download
memory/1048-64-0x0000000000000000-mapping.dmp

Download
memory/1068-186-0x0000000000000000-mapping.dmp

Download
memory/1068-192-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1068-257-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1352-345-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1352-304-0x0000000000000000-mapping.dmp

Download
memory/1456-311-0x0000000000000000-mapping.dmp

Download
memory/1456-276-0x0000000000000000-mapping.dmp

Download
memory/1456-397-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1456-332-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1628-261-0x0000000000000000-mapping.dmp

Download
memory/1628-272-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1732-305-0x0000000000000000-mapping.dmp

Download
memory/1732-336-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1764-259-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1764-188-0x0000000000000000-mapping.dmp

Download
memory/1812-351-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1812-306-0x0000000000000000-mapping.dmp

Download
memory/1828-398-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1828-258-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1828-190-0x0000000000000000-mapping.dmp

Download
memory/1828-382-0x0000000000000000-mapping.dmp

Download
memory/1896-61-0x0000000000000000-mapping.dmp

Download
memory/1928-73-0x000007FEF24B0000-0x000007FEF300D000-memory.dmp

Filesize
11.4MB

Download
memory/1928-71-0x0000000000000000-mapping.dmp

Download
memory/1928-72-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1928-74-0x0000000002480000-0x0000000002482000-memory.dmp

Filesize
8KB

Download
memory/1928-75-0x0000000002482000-0x0000000002484000-memory.dmp

Filesize
8KB

Download
memory/1928-76-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1928-77-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1928-79-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/1956-187-0x0000000000000000-mapping.dmp

Download
memory/1968-340-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1968-290-0x0000000000000000-mapping.dmp

Download