654a286d076e81869399959d8700c68883300e07ef5f8ad7ef4f38ee15b02221

Analysis

max time kernel
649s
max time network
507s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2022, 16:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Size

119KB
MD5

92afa514c40cbcfab9380561b127f657
SHA1

eea59b3b1ba3ec27d80968aec0642956647dc047
SHA256

654a286d076e81869399959d8700c68883300e07ef5f8ad7ef4f38ee15b02221
SHA512

adff54cfc926474012e8ea02a7a76dec486f299142ddb643d636250d9e69bffb902d252956fd4a82e0b395de2a470e201f9d1f10a60384563121be0b6ae78da6
SSDEEP

3072:3SojD9bzGtzJShh8N7q5AdYGgbVileLxBp/B6:CojxOzPtq5di0L3FB6

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
4564	tmp7EF9.tmp.exe
5032	Dashboard.exe
4592	Dashboard.Service.exe
1944	Dashboard.Service.exe
3040	wyUpdate.exe
856	tmp7EF9.tmp.exe
4712	tmp7EF9.tmp.exe
5116	tmp2F0B.tmp.exe
3532	Dashboard.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp7EF9.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Dashboard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp2F0B.tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD	Dashboard.Service.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wyUpdate.exe.log	wyUpdate.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Dashboard.Service.exe.log	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD	Dashboard.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Data\Assets\Default\Logos\shield+[email protected]	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\OM.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\UM.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\FR.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\Microsoft.Win32.TaskScheduler.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\System.ValueTuple.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\Logos\[email protected]	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\FR.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\BQ.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\CD.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Svg2Xaml.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\Ghosties\ghostie_worldwide.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\PS.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Backgrounds\[email protected]	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\ST.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\pt\CyberGhost.Controls.resources.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Logos\privacyguardYellow.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Data\Assets\Default\Logos\shield+PrivacyGuard_white.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\GH.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Logos\shield+[email protected]	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Serilog.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\System.Memory.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\CI.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\MU.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Icons\shield_checkmark_icon.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Onboarding\NewDot.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\DO.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\PL.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\Ghosties\ghostie_sad.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\MK.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\MQ.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\CW.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\Data\Assets\Default\Logos\PoweredBy.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\ZA.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\ko\CyberGhost.VPN.resources.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\MR.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\BI.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\CI.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\Ghosties\ghostie_error.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\BV.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\HU.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\MG.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Flags\64\AB.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Ghosties\ghostie_sad.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\PF.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Logos\shield+[email protected]	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\ME.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Logos\updater.svg	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\openssl.exe	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\vcruntime140.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\Newtonsoft.Json.txt	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\AN.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\EC.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\LB.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\ru\Updater.Core.resources.dll	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\ZW.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\DK.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\VG.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\LT.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\Logos\[email protected]	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\PH.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\OpenVPN.txt	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\BH.png	tmp7EF9.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\BL.png	tmp7EF9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Dashboard.exe = "11000"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\Dashboard.exe = "1"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\Dashboard.exe = "0"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Dashboard.exe = "1"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Dashboard.exe = "1"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\Dashboard.exe = "1"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Dashboard.exe = "0"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Dashboard.exe = "0"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Dashboard.exe

Modifies data under HKEY_USERS 61 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Dashboard.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Dashboard.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Dashboard.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Dashboard.Service.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Dashboard.Service.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	taskmgr.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Dashboard.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa25c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	tmp7EF9.tmp.exe
4564	tmp7EF9.tmp.exe
4564	tmp7EF9.tmp.exe
4564	tmp7EF9.tmp.exe
4564	tmp7EF9.tmp.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1944	Dashboard.Service.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1668	taskmgr.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
664	Process not Found
664	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Token: SeDebugPrivilege	4564	tmp7EF9.tmp.exe
Token: SeDebugPrivilege	5032	Dashboard.exe
Token: SeDebugPrivilege	1944	Dashboard.Service.exe
Token: SeDebugPrivilege	3040	wyUpdate.exe
Token: SeDebugPrivilege	1668	taskmgr.exe
Token: SeSystemProfilePrivilege	1668	taskmgr.exe
Token: SeCreateGlobalPrivilege	1668	taskmgr.exe
Token: SeDebugPrivilege	856	tmp7EF9.tmp.exe
Token: SeDebugPrivilege	4712	tmp7EF9.tmp.exe
Token: SeDebugPrivilege	4408	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Token: SeDebugPrivilege	5116	tmp2F0B.tmp.exe
Token: SeDebugPrivilege	3532	Dashboard.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4564	tmp7EF9.tmp.exe
4564	tmp7EF9.tmp.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4564	tmp7EF9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4564	2740	cgsetup_en_52vCnuXs6nskn3wQwksK.exe	84
PID 2740 wrote to memory of 4564	2740	cgsetup_en_52vCnuXs6nskn3wQwksK.exe	84
PID 4564 wrote to memory of 5032	4564	tmp7EF9.tmp.exe	92
PID 4564 wrote to memory of 5032	4564	tmp7EF9.tmp.exe	92
PID 5032 wrote to memory of 4592	5032	Dashboard.exe	94
PID 5032 wrote to memory of 4592	5032	Dashboard.exe	94
PID 1944 wrote to memory of 3040	1944	Dashboard.Service.exe	96
PID 1944 wrote to memory of 3040	1944	Dashboard.Service.exe	96
PID 4408 wrote to memory of 5116	4408	cgsetup_en_52vCnuXs6nskn3wQwksK.exe	115
PID 4408 wrote to memory of 5116	4408	cgsetup_en_52vCnuXs6nskn3wQwksK.exe	115
PID 5116 wrote to memory of 3532	5116	tmp2F0B.tmp.exe	116
PID 5116 wrote to memory of 3532	5116	tmp2F0B.tmp.exe	116

C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe
"C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Program Files\CyberGhost 8\Dashboard.exe
    "C:\Program Files\CyberGhost 8\Dashboard.exe" /install
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Program Files\CyberGhost 8\Dashboard.Service.exe
      "C:\Program Files\CyberGhost 8\Dashboard.Service.exe" --install
      4⤵
      Executes dropped EXE
      PID:4592

C:\Program Files\CyberGhost 8\Dashboard.Service.exe
"C:\Program Files\CyberGhost 8\Dashboard.Service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\CyberGhost 8\wyUpdate.exe
  "C:\Program Files\CyberGhost 8\wyUpdate.exe" /justcheck /quickcheck /noerr -server="https://download.cyberghostvpn.com/windows/updates/8/nt/wyserver.wys"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:4900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe
"C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\tmp2F0B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2F0B.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Program Files\CyberGhost 8\Dashboard.exe
    "C:\Program Files\CyberGhost 8\Dashboard.exe" /install
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CyberGhost 8\Applications\AntiVirus\AntiVirus.Core.dll

Filesize
192KB

MD5
cf3470d9973c42648d55f78bcdca5988

SHA1
cfa85508dbf92123019e3512795e0d05b1c73b64

SHA256
25e2b0ebee93407b7a429802161b0929a5e9ebc6d1432eeea35db25bcf175df3

SHA512
854e6d11178ee10263365f6ff74d3b6978fb078db17e79ec27bc5482d54ad4e088257b6ef42f1fe6066518c15091309d14b7e1480bbc146ec44de0c3b04a4b3d

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\AntiVirus.dll

Filesize
340KB

MD5
81f60bb3c4825cc411873c92ff403077

SHA1
2ab32b4a1c3fac14a198d427077c87d01923af92

SHA256
57127853974396db826cdaa56058d39749e8654baf6ba595f3a4712a7230e731

SHA512
8a9fa259e93ae0f5d1efbfecdebad754abddbb11499ae6182454999c954b04a1fc286e21ad9c922fa494a81fedc5aa54cc32a286e6192325eb46bb55a457557b

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\Autofac.dll

Filesize
236KB

MD5
34d8f4f45649fc4ad5cdc4adf5a6e239

SHA1
f5bce502b030583b997956c1cfb6f6c33958093d

SHA256
c75170e48db3ffa8ee42df4364cb7dd279555e43ca9aa9ee8f61346913c9809d

SHA512
5981c27d6a9106459fe450501001af5f437bf66864167415380766bd6d6459f210fe55400a4d8434cbbb6e011580c230d704af763d16d823f0f0ab203b212ed2

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\de\AntiVirus.resources.dll

Filesize
45KB

MD5
4a84fe49c141454d7a7fdfab7a585b05

SHA1
957c80767d401c7a1a77b4c816f461cb9d8e343c

SHA256
f7bb9719140876134ad140c0a76385606c0178d9aec66808060388dba8be043a

SHA512
a5eb7504b166b825faa85f51f5a6226e96bdb2d6911bdc18a5d0def6f63b8c18a71e933e150e327526c500d84636693735c9c2f83c1632b4344a5eecf8ed2b7b

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\es\AntiVirus.resources.dll

Filesize
44KB

MD5
b4a422c2186b47adc1894ac541b3ee3f

SHA1
190f1f8c7eb6bcb1769709f0b3c6712c4ec8bf42

SHA256
d76fd4047b6dfc302f15e1b5bff9c2a4d96e0cfaf33d5ea9e98d1f414ddea9fe

SHA512
642b8ba71ece44f62bf85cc1d906b6cd77b03c35fefec59e78748b7c6ba8c6096a209c07e777933f2834012a004b34e53497ce5b69619ef3f51179bbc546fd35

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\fr\AntiVirus.resources.dll

Filesize
45KB

MD5
97304a6abb3fb99508ed7406e2858d9b

SHA1
9ca87a0a769d32a6915df523adf514883d6e82c7

SHA256
bfa4067f4b05f14e0bae211560c32a2760854f98557963ce722adf0fa1752bd4

SHA512
1f4e557462e11eb1ca48573b429a5dca48c0bce0bc16a919cf740c62a6b8c1e70b0b01cc9e317e43a6b5294297666a9ab6e1189b2e9ddeea881a8c87c2d90bd4

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\it\AntiVirus.resources.dll

Filesize
43KB

MD5
3cd0bfca4eddac8db74c014af21a8548

SHA1
acc529315444a2ddf6aa46fcd348a56fd94d941b

SHA256
12c7556ed210084af5beb092db6953546c2d56703efa588f4843ff8b9fbb0f2d

SHA512
b935164b9096f8b02eb355416046b9e4864f2ab3947ea5df46903e20396ef5e3262a1a88e28686a1e3c73e74755681aa80715ec161bae5542df952b241318f16

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\ko\AntiVirus.resources.dll

Filesize
45KB

MD5
7247b0e62bc9feae2a8af111168a3709

SHA1
e7bec38f736d044801b323cb311e25ec83f2a294

SHA256
006aaacc4a019bcce12743d51a90dcb5d7e84bb421cf97f0d073051e73fbc38d

SHA512
07ad162657f579a291d1725a18bfa47a2a8fba6b2b422ebd4bcb33a0238b19d8cc2e91b1bb009eb4f8a4241b4bb916eed54e64088d6734ff41aeb8f0623849f2

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\pl\AntiVirus.resources.dll

Filesize
45KB

MD5
6ec3b373e29e75a2b463338fd890c139

SHA1
c0fd66e6085483577d00fabdd0ea625ad13593a0

SHA256
51780f4862ad6f8f976155033a8f2d718acd5dfcad87750c611ad2799c5d076a

SHA512
d49537de5a1029c8b99cb90cfc70d01a5c7a79b7e23f9df4de0288d12033a055cd0d92ea76ac6ddfae1c95f70fd326d4aa02d402d110379160ff18749c7d7036

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\pt\AntiVirus.resources.dll

Filesize
44KB

MD5
469044d152eb52abaeeb7dfea17a191b

SHA1
431fb01abbd859f270cd82d789bd25575997bbda

SHA256
4c79450abeec535f1da0ef8dd26d3fde39931f2aa2d83984d8ec8c6801cd34a7

SHA512
f42074c7f70230bf94be8cb7b3fed45e6fbc91a25c1c0ae80e74ae1e40f8e4f9872a0433864853dfcfa1261e3d574da570b9c10fbde069b1e85da27768a7b458

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\ro\AntiVirus.resources.dll

Filesize
45KB

MD5
c11216cf9308108dff1915757391de43

SHA1
c02849012b6ae9bede29af85aede65d79f46e0ca

SHA256
efb51a2c1f207ca7d7584152623da6300d40b9576bb41b534fdef9ffec73a97c

SHA512
2d7746b8c5f96be383141929efdd3e94c059444abb048b42c89f2e3f29023a08f8ab760239076fc325a71eb0a14ae29ff37965296017eccb42ca4ff8ac43d281

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\ru\AntiVirus.resources.dll

Filesize
52KB

MD5
a21f5b24c43a0aa44e2d61573bf29cce

SHA1
3de190bf2ab14b9c4b2e81c1273ec99a88ee69be

SHA256
296afeeafbbac27e8464dab6df874c85c673cf70b022f8e4d99cfd6f634fb04e

SHA512
81867d4cb7e5714a693e6236c2aa32c4dcc79bcabf07379cb8c72903b14b65f2a15a5ff1a811c1b0ba3875baa36b4fb9e751415240db3382c8b64a7da9439d12

Download Submit
C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Autofac.dll

Filesize
236KB

MD5
bacc88b6d0c4002872abe8c5b5ca0c1a

SHA1
99c2c00415f6b7774aa1fbdc8068f523280747c2

SHA256
03c501e0869d34f235f93d91f63098e4f8dc4825c2210b36047917d2460182f6

SHA512
08d27881c8f02aa4c784bc81428b6d5803a9ce872e8ce26379b249cce4df6193a05ca1bd514f46a3efdcb8b5684c2a436127e261df3a37a0e685e86a91cb918f

Download Submit
C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\PrivacyGuard.dll

Filesize
720KB

MD5
35fb1fac6aa7f463dd45fdf8127957ba

SHA1
3498289cd937fae788cb1bec1667a47b77b736b8

SHA256
87b81d01eb2626092683fddbd5692386619ef7ace6510b7e1d35c3bb750a1c9f

SHA512
855e92a34820b354642cc0c64f382adb4ef8ea62c6cb50fc7f6fbbe49cf159ec5cbe172b8970b4370f90e7918acb5552865ecc86d6326141e8fae9670cc59b07

Download Submit
C:\Program Files\CyberGhost 8\Applications\Updater\Autofac.dll

Filesize
236KB

MD5
a00d9bd8144235bb6bd18deba6f2cc41

SHA1
a201c40aa610728553966f164ce300e23c17cb76

SHA256
c2399ca8346bae7bb05be912e59a5d767922cfe744f562112c9ebccbdfbe23cc

SHA512
9b3670aa6f6c5a8dd2c4b505199e136de1ae8ff34889b7849f3d2d70aa17a53dab3f1b5ed4b29fe5648c12fbb385b3e0e8e548ebdaac519ba36e8e052c0f1255

Download Submit
C:\Program Files\CyberGhost 8\Applications\Updater\Updater.Core.dll

Filesize
122KB

MD5
8c54aca3db2f9eb590b5de6ba62e3181

SHA1
c719a692853a09e34fad3f61b3e8f7e46f337d41

SHA256
ac25d54127ca5ec39756608f21611133913f19dfad8c6dbd0db25bd2c3943ff9

SHA512
f726cb71d5e542e1def61ead8ce463e7840d593182475a5263c997eaaeb6e800aff97a0f77fb93fd591fb2f57daf56887eac2f7d205bd20874fee54d63f30074

Download Submit
C:\Program Files\CyberGhost 8\Applications\Updater\Updater.dll

Filesize
164KB

MD5
340aca31d12b5db1ec09a832a785db85

SHA1
7e8d56e9df6facef36c0dcceac3e83abc67cd3e3

SHA256
617140e904d6ff2d7a2b5fc429d49125ed2bd2baf86be949fe655584c8331a7e

SHA512
b25c9185c71bdac6c9cea67a1a9cbac00122bd7cb9fd18bebed3909c533de743e0d5631531fcf3cd42087be929634320faffb7ceeb3770145aed7c2b8a78a37f

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\Autofac.dll

Filesize
236KB

MD5
4f95818842615dbcd3a40827eab6c998

SHA1
53d925eb2f39d3ac21c1907e90c43ab8eb0e6d7f

SHA256
16049d979ffdcd2ff093195a451e6ecc9c897eb0a3555d66b221e7236adbc2d4

SHA512
dbecab0ff04af47099355f6dbc0a5d4222d073e6900d7035afa41fc67c70f4e39a8e82c354a3e95487957e9a3bb7574ed069400cbccc1b9f1c35d9d016b21541

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\CyberGhost.VPN.dll

Filesize
780KB

MD5
d358e17c209efa0df4664979bf66b346

SHA1
2928bf1b9fe2554f0bc74124958b9f097218c848

SHA256
5d03a081059954a4fb82e4ed12fa9359c1ca3cf69745f0206fcfd7321b4e0518

SHA512
7bfc9ef33ba8b36b512f7c2db0c8ab92bcb4e7fbe61e32e51f35fdb449cd7b0d5222d7b09991b4ba30ca27c7e253fa9b1c20da3ad55565307afa5722c267e493

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\CyberGhost.VPNServices.dll

Filesize
131KB

MD5
2aac3217721297c371023a76e00b9ffb

SHA1
95df1d68df0724ca3c0facd37db459e7458ca459

SHA256
7d01ab4a8ea71cd1ca5c84aa25fde8b84982a3c593b99d4fa6475ab04046f46b

SHA512
0655a28fd38023937d0b0ca22f568725232e5b5fb123b23afb0f9e0bed46222053a0858e94c4b9ee08f8e6bb17b751fa5fa8cac6d91eea7f8ec442ff824b99be

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\System.Collections.Immutable.dll

Filesize
178KB

MD5
40c94e82beaaac10f61450dc01db5a38

SHA1
993e7a89fb91434f3a613f119270dc4fec58765c

SHA256
690f3179fa1630583d7e41395343e4f0394b084bbce81889b35cdd895d585da8

SHA512
5297f07c8ee537904ac694e755a5f5f7f8c86c8cad5894c15dd9e1f013d2802ded322374c90d0bd4dd197b8963d1a0d686be338ec9f7c5c0413b38f4aba2134b

Download Submit
C:\Program Files\CyberGhost 8\Autofac.dll

Filesize
236KB

MD5
4967eb74a5173cc966bc08a434363701

SHA1
49fb8a69ed216db994e23a1f45c793d5315bba7b

SHA256
81e91ad464f377fcca6f04fbc8f2eecdec41bf667185f7df5cb3159fcd07f133

SHA512
92dec397a4f608176d229e92558fbb5391b153012ac8551bbea72373b06e0ed6382c92b26b216a180213fdaffc17a269406a244ebe139855b7277ee93c34c00b

Download Submit
C:\Program Files\CyberGhost 8\Castle.Core.dll

Filesize
441KB

MD5
5be78750c920cd6160ec18b5861dc885

SHA1
c9274ad66be5e3f2bf999c9e929c1a8b771a0e73

SHA256
e270fdd3ed9962f552f66d6f9f2e81fbab4c193d153e746d6e3b089f42b752d3

SHA512
ef6eb4a264d56687b4874280022f278660a7742be3bf8d8c6af8908d2542bf8e67005f06dcc1ee72499a8c94d4e88ca9f9091451a0bd089ab27bb67112f2de70

Download Submit
C:\Program Files\CyberGhost 8\CyberGhost.Browser.dll

Filesize
53KB

MD5
f5eaf73a0a001f0dddd2ce00f00928c2

SHA1
8ea883fbcc1fb763ac19dc0da58e86cbc725fd1e

SHA256
69fa255a13c9d3bcad72421d99bcec91ed8b35cb64e54984409d9f125dcac1ff

SHA512
16cad47c0ee30164a6b8a8935893422c8c12b0812c6d36125a8ff8e5ef5311973bb9546b61511c2cc2e9f950cd3daf4504d2d83b6e5fb1dccc37271c51d43e61

Download Submit
C:\Program Files\CyberGhost 8\CyberGhost.Controls.dll

Filesize
627KB

MD5
c76fe990bd6945db1601b74a842ac730

SHA1
3994bc13be6e98b4ee1760280e626cb8cdbce85d

SHA256
50a6729c8d0e10cccfefe6764acb9ba00ed066ab10a549d577e88d4c0c739f42

SHA512
b383ba984ea3657016618ffcfe604fa5531462d50bb6f0c728bf33603a5f885b611d7342d9e51f26b0319035fe71989c1b7ae6c36f19647b1b73ba6c6d1c6675

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Contracts.dll

Filesize
204KB

MD5
a00b936d6cf4c11a2c68167fa1e28ef5

SHA1
97f4f758951c610e3e0945f42a4e9f7bb2c72a17

SHA256
172c89fdd4210a0ebdd45334f3716f213fd4f412978286aa787eb2a22231e7d0

SHA512
161cd7b7b25b0509c6b4f76ad995361a595ba9c64f9582c8024cb7eb2ddabd69d5beb6d68cae8dd33386486a72ad83ef2b47e08d350f81645e806f30deea590e

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Core.dll

Filesize
197KB

MD5
ed9bf0893419f045d6c487f9aa104b49

SHA1
bfda2909e3168825df27d7e08727305335d8a453

SHA256
5dde49e4c8ab75a57de568d3aaab850070be60b550f5f4bf2c614d16dc50bfd7

SHA512
9d7ea22f2b4cf87f55c7a2e7fd71d2019f8b0db8e5fa118bf4f3327960b70c3e9d8f53b1128430f33759977a08869a8141449830b6b0b378539557a82f12ae49

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.MPAHelper.dll

Filesize
156KB

MD5
14f256faf16b929b13b77a69969e231e

SHA1
577e0ec20aa649ae6239ceb461a56dac1e06e253

SHA256
7557fa442f150ff10b7096ff9682df4728b5d6d4729c59c0401b756fde7a2c8c

SHA512
78bd22f755bcc7205a9f4df38c95f9984876c1462a6a98a1bf583de220150ab12fa993512a8a97a39eef5455f7dbd410a492402789c825ba4eb95dedfb926caa

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Pipes.dll

Filesize
31KB

MD5
f15ef1481c42ed7170fa10c3c5b7d507

SHA1
5a487bf04d5cccd53d9f70ebf7f192375a6003ee

SHA256
d410d3fda23710385c088d84b9a846e51c5be6829a77b5c1637634be1a089c62

SHA512
e23e841238f83bc613ebac53067c3f1cc278eb80712538ef13fae023867cf976ba357c5b3565308df2a00431e4acb0822a373d3af31c8add21144d8b9a64c753

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Service.exe

Filesize
67KB

MD5
84a05773da0ff681ca0fcba762006fb1

SHA1
5490d36af2117eaccb43d60c7aba1f72f0eb06bc

SHA256
070abd144e4e0dabf783fe108b32eb38bd452726c7955263594682da74df6de1

SHA512
6befca2dccb8af3b4d81e2d725efc9f6bd1432563018f2b27db85991a86897c12e89feb6bdf9f2bc7c68e7da593430cee95f0a78792ba1af078501015cd66905

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Service.exe

Filesize
67KB

MD5
84a05773da0ff681ca0fcba762006fb1

SHA1
5490d36af2117eaccb43d60c7aba1f72f0eb06bc

SHA256
070abd144e4e0dabf783fe108b32eb38bd452726c7955263594682da74df6de1

SHA512
6befca2dccb8af3b4d81e2d725efc9f6bd1432563018f2b27db85991a86897c12e89feb6bdf9f2bc7c68e7da593430cee95f0a78792ba1af078501015cd66905

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Service.exe

Filesize
67KB

MD5
84a05773da0ff681ca0fcba762006fb1

SHA1
5490d36af2117eaccb43d60c7aba1f72f0eb06bc

SHA256
070abd144e4e0dabf783fe108b32eb38bd452726c7955263594682da74df6de1

SHA512
6befca2dccb8af3b4d81e2d725efc9f6bd1432563018f2b27db85991a86897c12e89feb6bdf9f2bc7c68e7da593430cee95f0a78792ba1af078501015cd66905

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Service.exe.config

Filesize
909B

MD5
e2338d4401885fc1abec3ed8bbccd958

SHA1
fe9007da5f2e1ef7a456b4267b58106a6e3b1645

SHA256
eb9201e1687c3ccbe326897dc10ffd4f5ce172be9c3b17c4e154fcb70ce76133

SHA512
03041eb66dfd15c356f4de60d10c435809833bfa66f67d951ed54495dbd0e0985a871febd69c5d6104845adc3de4c984bf9d55e46399ac1956011a485273dff6

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.exe

Filesize
1.3MB

MD5
b9479bf714837d1f60f9880f8e290f33

SHA1
af5c53c8efb5c30a8e7c69da1960c696aeb17683

SHA256
dbfff227020c3d5e840571a910490f379b1e103aed251b636f52ee5b9709f698

SHA512
c8c97b34e93793893a72c79bb5cfd31e5053f0d07f0a87d5eab0173dd9c12b40244efb4d9894046bc180e67c6ab464e0a4aae315f78744c2edc5b5bedea0a560

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.exe

Filesize
1.3MB

MD5
b9479bf714837d1f60f9880f8e290f33

SHA1
af5c53c8efb5c30a8e7c69da1960c696aeb17683

SHA256
dbfff227020c3d5e840571a910490f379b1e103aed251b636f52ee5b9709f698

SHA512
c8c97b34e93793893a72c79bb5cfd31e5053f0d07f0a87d5eab0173dd9c12b40244efb4d9894046bc180e67c6ab464e0a4aae315f78744c2edc5b5bedea0a560

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.exe.config

Filesize
1KB

MD5
ef7fb38a6da851e9b2ad3c62002607dd

SHA1
b74e836936794952b5d739f0d75eb3ee50f3a61c

SHA256
870949fd91b0595a9d237dbc3fc3ce3b6b9126c721182116877550e6d1010989

SHA512
0e3df69fc8c1294f1a37d150e3f205a9f61fad4c8c64bc6306df9c08a3c3debc2444c5bae78140ba8cea5b91d42aa3e138f4fb92705842201c11a50476aeeb01

Download Submit
C:\Program Files\CyberGhost 8\MobileConcepts45.dll

Filesize
596KB

MD5
f8010c6631166cbbafa224bc625dbeae

SHA1
b65d7a3333472b8b78d7e61b3aaaa3e2547f9aa3

SHA256
b7093d349cd231cea5955c75ec8d7b4964437fb1da6af9157463d5624b81149e

SHA512
ff5d014007da753ffe23a52090e408f23105884ec4b80856ebb351d9fa41cd225362a6d9a93f1b35943c36fbf058ee09fc234f1e0d94d5b31150060fa57014b6

Download Submit
C:\Program Files\CyberGhost 8\Newtonsoft.Json.dll

Filesize
687KB

MD5
cc857ef8da12c7e6c0e7842c54037fd3

SHA1
5ec4f486b3d10e2158bfb9ff5adc32bfd42d81cf

SHA256
e0205d1b03cbb1bd88eee8ebd8188939445a169c600449d4915b896080ce9ab7

SHA512
24cecec9eb9ab3ef03bccf1ff01628d1394e9da6a2fe86d04592537a16bbceeec951d518d466b5f5aa3823d4d7d0e96e77d5d540126d579abebf5b08e972b0b4

Download Submit
C:\Program Files\CyberGhost 8\Serilog.Formatting.Compact.dll

Filesize
18KB

MD5
553d6ae051c09266847d04ef9049cdc9

SHA1
c1f845a787297d710eef675fcb4f7353a1c7ee1b

SHA256
8d211708bf43edb971100a8110090b2537cc87b3490c359c24978b9c78ba9f7d

SHA512
043e1f9c293ca8122765771f30cd609a4a3a00388ac1d3dca2b80dcfdda72f62c1e2c92dee9eb15e87112d5f1ef2759caffddee9a44ef3c5b5f15522dc29b4fe

Download Submit
C:\Program Files\CyberGhost 8\Serilog.dll

Filesize
133KB

MD5
310269a204fc70ee6cb52b9b2fce638e

SHA1
630f0bc9e6d9b9bea0c852875bb6e0aac83c5615

SHA256
93632d93396c8da17cdd4f6b92e9aa162bcf0d0ddf9a262477f769e0df926d12

SHA512
7e60693276b0df0ee33ef9eff51199af63aa0f3b9efdc6c1739cec6c13965f6393c06e4b365cf648591fc01d291c348850473269bab629bfb107d31e50cbbca0

Download Submit
C:\Program Files\CyberGhost 8\SharpRaven.dll

Filesize
100KB

MD5
a183f0d155bd482f1e36c83c6eb0f6ba

SHA1
4345e30aed0f06402bafbe741e98a06af96069f6

SHA256
dbee5b72b6c0f4edded375c224abb31d9387087946a53c5f5b12c4e6223aa471

SHA512
19b46dae942df4751353d2c3cd949f51fde13fa6be6aaed5816f95ef4465e645bba9459a83537ba5e7db7db06e09f3477395e18280f2df568bf3ddafb50817b5

Download Submit
C:\Program Files\CyberGhost 8\WPFLocalizeExtension.dll

Filesize
87KB

MD5
d73e77745045915f4d6618cc28b6d801

SHA1
463e4efa398ab4c1a3c6a833437eb28a8c52537a

SHA256
652e84820a7671bbf64798b114e16a5b630e4fbd57e32f4ac4d8e23e8cb6801f

SHA512
f856ab8787c50b09ac36c81649e0e5f647e6708c92099a5b9d21ca00215fa95b6dd840065dc035ed9febd9f5a40422395a663ca6bc52f43451e9da622ae491b6

Download Submit
C:\Program Files\CyberGhost 8\XAMLMarkupExtensions.dll

Filesize
39KB

MD5
e4a7061bfe27358a3cafa17f3ef3e427

SHA1
9178f8f84b48ae9de63ee24d920c00b8e87b4606

SHA256
aa7764b37122eb98d73c1ed2cb1eb5a01287841d117da8fc7da4f5029c851c6e

SHA512
edda7a5a759abd4db1095a53831f4d30b6035243f4ec5a2cadcd0d0e24e13492f73001b9a73b8cf09dc7e2040e398dcd0485fe075089e538a390db20e193a20b

Download Submit
C:\Program Files\CyberGhost 8\client.wyc

Filesize
59KB

MD5
307378bf672e6acc8305770327c75774

SHA1
9b8051fe2feb80c87f8f47438e1da1138205e2cb

SHA256
97efeb97eef27f7ebf7186cfcfc0558d20b4d264a3d88c3f428afc147294115d

SHA512
e4efe77a264d4516a71766d4e7e0a97b3dcb6629fc3fcc7fa23063c5ad18593841f18d65da7ff85d7846f2ccd155dde4698be4747ae9537de2e03cbf79114110

Download Submit
C:\Program Files\CyberGhost 8\de\Dashboard.resources.dll

Filesize
54KB

MD5
0ffba0bd317a5f1b816ed94959bb04de

SHA1
8d912dd61cb10875ff126b231520e16887738f66

SHA256
7453a5f385ab1fefa997eed9c7fc7f8c386436ee678a61815f6a96edfdecdd30

SHA512
13196a42aab1b16978d766ef6a875d2d5874db12a2d14a12219e7df8809d9b5a694b4469d4fbb52066625a899255e07ba1f92989d268a3fc2cd65515814bba98

Download Submit
C:\Program Files\CyberGhost 8\es\Dashboard.resources.dll

Filesize
53KB

MD5
25cf6ab0cac29eb349db3464404c9c3c

SHA1
d27e6e40dace1c3b7902db5d83c375c1d2e64fb2

SHA256
438afd73513bef44150b82f38b8333be8180a71ccdf1bb9d5d3f727241e1dc0e

SHA512
f72657f7de65a2638f8ec523241ff8dea182e3411fb820b255c6acb37e3107f331530e8f4e73d05ff901cf15ed39a8f3deb3e200a80b2b34ca826793003209c9

Download Submit
C:\Program Files\CyberGhost 8\fr\Dashboard.resources.dll

Filesize
55KB

MD5
992256a89a9f44297f21a18023b056a3

SHA1
9d5665d4cdc845814ab1a750649b410e21a7c5c7

SHA256
a9c3fde4f39c89908f3bee6c887f6d26d8dff19ea641d4d87799f7402f4966c1

SHA512
4f5db8f58b189ad9004abfec08793ba75eab37e2e941a5257f943c58120d128b79c0a523f792f4497e5f0b276252fef1110135a7a162d752ac0a3b8ef93abd9f

Download Submit
C:\Program Files\CyberGhost 8\it\Dashboard.resources.dll

Filesize
53KB

MD5
02b8579731f5356c2ae673b7a1b59f38

SHA1
073daba18846b86fcfa568b69abfa7b06eb2a626

SHA256
e0f76dd226f76ff309fb02c8209b9d7887da0986c1c6cd0e35723a8f99706f78

SHA512
d9552720e2f5addc786553fffa1588da00f4f594b45a454b031acc404cf22a941654c721c388041b7b2da2d2b91ad1b0e66eea1955e376c92bdfeace6cc0a8a0

Download Submit
C:\Program Files\CyberGhost 8\ko\Dashboard.resources.dll

Filesize
55KB

MD5
d1574cdcc01ff9d988ce042d921e302a

SHA1
b3db8dc6c1bb46d9704bde60d172f4a99b878895

SHA256
5309e4672b27f3c1572f75adac9642fc9a9291cc7a76aac8269a8bb9c77dd702

SHA512
b662c676d786ecf4acfa78a71a4c7c9ee659380bf0aa1746aba037bebc2ac673766bc94947f4851a71368fcf6e05833827dc136788d293367f2398c43355e7be

Download Submit
C:\Program Files\CyberGhost 8\pl\Dashboard.resources.dll

Filesize
54KB

MD5
6d18c5a53367596576b6a08b10615053

SHA1
2c46e3b7fa2db74388746dee1479bc9443f4265e

SHA256
cbad5cc4d28ba271495c7e03b64bd1ba83a9df17fbeea84e76ae11e6eae897d4

SHA512
f0f4f2dda448ced53328c076ebee6d92121f4586ab34d4c90910617d3e6f0e220ced2e53d482a129f1bb822266d6c51973ac1269d80ccebd167a7e9cd48de54e

Download Submit
C:\Program Files\CyberGhost 8\pt\Dashboard.resources.dll

Filesize
54KB

MD5
1ac624c1083c06c48eaf09c988cf856a

SHA1
de2d4933550f9780b9a3c9f8af7b32928b9863b2

SHA256
4edcbc9ba40aebf6997a9fb4db6523b50b7082d72e6ab00dd33df42297fc7788

SHA512
07a7bfe3cb807d3520a8f140517fc88097f03f10efba4d3395f5d3daad4b569708c22467f31f6068fca928fc0251e1cbd2e7a9e50ff93a5a4bfe1194f93867e7

Download Submit
C:\Program Files\CyberGhost 8\wyUpdate.exe

Filesize
426KB

MD5
2bc3df2af6a5df53327a52f29ef7fdd5

SHA1
fdddbd3aad9cef21f11e2dc5a0fc1c9115be2b7d

SHA256
282ce0ea78b42ff7313b0026abfeb7fe500caa1b2fa3556c141488f673817b34

SHA512
6adb1118bd77ac10a076577e9785ca96ed05c85b8f45d059a0eb16956b5d7001d279d2779ff1accd5142f3eb9f258153a488626111a2ed9b07234adfcd906557

Download Submit
C:\Program Files\CyberGhost 8\wyUpdate.exe

Filesize
426KB

MD5
2bc3df2af6a5df53327a52f29ef7fdd5

SHA1
fdddbd3aad9cef21f11e2dc5a0fc1c9115be2b7d

SHA256
282ce0ea78b42ff7313b0026abfeb7fe500caa1b2fa3556c141488f673817b34

SHA512
6adb1118bd77ac10a076577e9785ca96ed05c85b8f45d059a0eb16956b5d7001d279d2779ff1accd5142f3eb9f258153a488626111a2ed9b07234adfcd906557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
41c62ce39ff727b9dae51efaa700c1f5

SHA1
ece85b2cea22e7d7f42e08a0ec00629fb4f25cfc

SHA256
03c3ddc3af747d175a16dd7539b5fb47b95a954c2c8cb3d2172705f6756b5bdf

SHA512
f4072fee4dc92eca162d02c37b5822f4e1f5633199aa07fd497e40c4466ebc2ad378d777255ec086a4e415a8247b4ca99c5cd73b34340fd17a1ed2cbdd2ff656

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
bae107243c3c1cc23eb066f981b79948

SHA1
ed066a4326ae4eb5db4b00b0bb0290f006ad456c

SHA256
7d2ba9f4e363368512dc2388d792c3f971d18699234c4edab57ddd4053870026

SHA512
67a0ba993ab7abab0973683f134d71ed96cbff33368b222fc84e57def50c57d1c6d1c64362738baa9efa8cd84a3ccee30cc67284b2cd8ea53cbb8d1bfed94764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_A85F08594F51262D9129FEF521EBFED1

Filesize
509B

MD5
445375f4e1c09333af3dd16c85dc13b9

SHA1
3873ab02cf180583298196c1a03563020b59356e

SHA256
c6be89270d003dc7a91853e7163354659c244b28989ee69b5451efae8ea7a81f

SHA512
6d47b3d46000cdcba603d8cdf18e5fe6691cd98482fe3b13dd9bc793f2e9ad10c42f37bf19b718fb0c105f3abce170b0ceb21b5eb7ea2b6a5c916adcc80bc974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
c9987d87c066564f907741bc1ca104e8

SHA1
7e4e9ffb82641f0c385a5a0b3961aca7244779e6

SHA256
962a21d4188373f46e18ff6709874fefe533c5a62be690d460facb38aaabeb9c

SHA512
d0eafd6935be72d503a4044027d49c4b3f002b8409293734d51fb37fba1ae0d320b24ae11c1820827071c90f2ecb2b1ae162819d005b9af5b260455170a52d42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
e7929ad239765a2001f3bf7242ab411f

SHA1
710cab23ab5175783c5c0b31505e1b1f5a03765f

SHA256
16cf361f672ddf9aff7f6de832e568ced40e13ee6a2bd551a095139bfee20b75

SHA512
c5e96b7555dd9268503a8be385999702c0563228fa590d6e215cac5ea3711f233373ff4b3721e1820e355f9dfc386ac96c7b5e49b38706203c08002b99b3ee3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_A85F08594F51262D9129FEF521EBFED1

Filesize
480B

MD5
562a2c01d29a0ee3b6243addb21a2057

SHA1
f0e3f7fefea707ff4911c5b6bbed326e98de7919

SHA256
5d68af5bba577a79b8f7ac83f85de6bdb4f22b2ceb07a58b79939b1335f3d324

SHA512
e03f51a78063b0692a8a978ab73177528a27e3e23f48dc0466c8024fb6f1ea4a68cd3c24eccf98067c4ba959bc0a3cba3f27953eaadbe2582bab2a7fc9f7504c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cgsetup_en_52vCnuXs6nskn3wQwksK.exe.log

Filesize
1KB

MD5
feca64f8b473ed1960e6795a70c84d07

SHA1
233c9c95d93ae8b7c2ac48d0d5d4b0569bd3c5a7

SHA256
d4b3815a0645e7b703393ead3d1d67bd0cbead14c37e319c83335841e1b3f94b

SHA512
1d455699f15447a7d1dca9b7c20f9183b4fe422c1be2fdc936ab9ffe05174faf885c7a10438b07951e5484a60339f1dc57c3f971e06ea301198f9143eeb7fa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe

Filesize
2.6MB

MD5
df4c8d0e98e86ec434ff4e8416355ffc

SHA1
92ca94a3e7d5d2ebadeef424c962b4a254bf9c0a

SHA256
9dbc253908010bad0656634f55da3b9939e2d8ce9889156f643eead673ba4f60

SHA512
0e987cd3ce5cc87e779be8f0ded05c59e9674655b6dcb5c9e5f90aa57b0d13d1fe6f09c9062e4775c685628245126f7715308e16ca21e0e907845d9ac737b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe

Filesize
2.6MB

MD5
df4c8d0e98e86ec434ff4e8416355ffc

SHA1
92ca94a3e7d5d2ebadeef424c962b4a254bf9c0a

SHA256
9dbc253908010bad0656634f55da3b9939e2d8ce9889156f643eead673ba4f60

SHA512
0e987cd3ce5cc87e779be8f0ded05c59e9674655b6dcb5c9e5f90aa57b0d13d1fe6f09c9062e4775c685628245126f7715308e16ca21e0e907845d9ac737b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe

Filesize
2.6MB

MD5
df4c8d0e98e86ec434ff4e8416355ffc

SHA1
92ca94a3e7d5d2ebadeef424c962b4a254bf9c0a

SHA256
9dbc253908010bad0656634f55da3b9939e2d8ce9889156f643eead673ba4f60

SHA512
0e987cd3ce5cc87e779be8f0ded05c59e9674655b6dcb5c9e5f90aa57b0d13d1fe6f09c9062e4775c685628245126f7715308e16ca21e0e907845d9ac737b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EF9.tmp.exe

Filesize
2.6MB

MD5
df4c8d0e98e86ec434ff4e8416355ffc

SHA1
92ca94a3e7d5d2ebadeef424c962b4a254bf9c0a

SHA256
9dbc253908010bad0656634f55da3b9939e2d8ce9889156f643eead673ba4f60

SHA512
0e987cd3ce5cc87e779be8f0ded05c59e9674655b6dcb5c9e5f90aa57b0d13d1fe6f09c9062e4775c685628245126f7715308e16ca21e0e907845d9ac737b85a

Download Submit
memory/1944-214-0x00000222C3CF0000-0x00000222C3D62000-memory.dmp

Filesize
456KB

Download
memory/1944-240-0x00000222C4130000-0x00000222C4154000-memory.dmp

Filesize
144KB

Download
memory/1944-201-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/1944-236-0x00000222C4B00000-0x00000222C4BC8000-memory.dmp

Filesize
800KB

Download
memory/1944-210-0x00000222C3B10000-0x00000222C3B1C000-memory.dmp

Filesize
48KB

Download
memory/1944-224-0x00000222C3E40000-0x00000222C3E6E000-memory.dmp

Filesize
184KB

Download
memory/1944-230-0x00000222C3E70000-0x00000222C3E92000-memory.dmp

Filesize
136KB

Download
memory/1944-219-0x00000222C46D0000-0x00000222C4788000-memory.dmp

Filesize
736KB

Download
memory/2740-132-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/2740-140-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-135-0x000000001E0D0000-0x000000001E5F8000-memory.dmp

Filesize
5.2MB

Download
memory/2740-134-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-133-0x000000001D9D0000-0x000000001DB92000-memory.dmp

Filesize
1.8MB

Download
memory/3040-205-0x00000000000D0000-0x000000000013C000-memory.dmp

Filesize
432KB

Download
memory/3040-231-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/3040-215-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-155-0x0000014CFD5B0000-0x0000014CFD5BA000-memory.dmp

Filesize
40KB

Download
memory/4564-144-0x0000014CFC060000-0x0000014CFC098000-memory.dmp

Filesize
224KB

Download
memory/4564-145-0x0000014CFC030000-0x0000014CFC03E000-memory.dmp

Filesize
56KB

Download
memory/4564-143-0x0000014CF9600000-0x0000014CF9608000-memory.dmp

Filesize
32KB

Download
memory/4564-142-0x0000014CF95F0000-0x0000014CF95F8000-memory.dmp

Filesize
32KB

Download
memory/4564-141-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-146-0x0000014CFC140000-0x0000014CFC162000-memory.dmp

Filesize
136KB

Download
memory/4564-147-0x0000014CFC050000-0x0000014CFC058000-memory.dmp

Filesize
32KB

Download
memory/4564-148-0x0000014CFC260000-0x0000014CFC272000-memory.dmp

Filesize
72KB

Download
memory/4564-149-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-150-0x0000014CFC5F0000-0x0000014CFC5FA000-memory.dmp

Filesize
40KB

Download
memory/4564-139-0x0000014CF27F0000-0x0000014CF2A94000-memory.dmp

Filesize
2.6MB

Download
memory/4564-151-0x0000014CFC630000-0x0000014CFC638000-memory.dmp

Filesize
32KB

Download
memory/4564-152-0x0000014CFD580000-0x0000014CFD588000-memory.dmp

Filesize
32KB

Download
memory/4564-153-0x0000014CFD590000-0x0000014CFD598000-memory.dmp

Filesize
32KB

Download
memory/4564-154-0x0000014CFD5A0000-0x0000014CFD5A8000-memory.dmp

Filesize
32KB

Download
memory/4564-156-0x0000014CFD610000-0x0000014CFD660000-memory.dmp

Filesize
320KB

Download
memory/4564-188-0x0000014CF51EA000-0x0000014CF51EF000-memory.dmp

Filesize
20KB

Download
memory/4564-157-0x0000014CFD6E0000-0x0000014CFD756000-memory.dmp

Filesize
472KB

Download
memory/4592-197-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-196-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/4592-193-0x0000027B7FC50000-0x0000027B7FC64000-memory.dmp

Filesize
80KB

Download
memory/4592-194-0x0000027B7FEE0000-0x0000027B7FEF2000-memory.dmp

Filesize
72KB

Download
memory/4592-195-0x0000027B7FFC0000-0x0000027B7FFFC000-memory.dmp

Filesize
240KB

Download
memory/5032-207-0x000001D66BDB0000-0x000001D66BE0A000-memory.dmp

Filesize
360KB

Download
memory/5032-182-0x000001D650580000-0x000001D650588000-memory.dmp

Filesize
32KB

Download
memory/5032-238-0x000001D66BED0000-0x000001D66BEE0000-memory.dmp

Filesize
64KB

Download
memory/5032-200-0x000001D66BB10000-0x000001D66BB4E000-memory.dmp

Filesize
248KB

Download
memory/5032-221-0x000001D66BD80000-0x000001D66BD90000-memory.dmp

Filesize
64KB

Download
memory/5032-226-0x000001D66BD90000-0x000001D66BDA0000-memory.dmp

Filesize
64KB

Download
memory/5032-235-0x000001D66BEC0000-0x000001D66BECE000-memory.dmp

Filesize
56KB

Download
memory/5032-229-0x000001D66BDA0000-0x000001D66BDB0000-memory.dmp

Filesize
64KB

Download
memory/5032-242-0x000001D66BEE0000-0x000001D66BEF0000-memory.dmp

Filesize
64KB

Download
memory/5032-245-0x000001D66BEF0000-0x000001D66BF00000-memory.dmp

Filesize
64KB

Download
memory/5032-187-0x000001D66B6F0000-0x000001D66B702000-memory.dmp

Filesize
72KB

Download
memory/5032-183-0x00007FF9C1930000-0x00007FF9C23F1000-memory.dmp

Filesize
10.8MB

Download
memory/5032-185-0x000001D66B870000-0x000001D66B87E000-memory.dmp

Filesize
56KB

Download
memory/5032-212-0x000001D66BE80000-0x000001D66BEB4000-memory.dmp

Filesize
208KB

Download
memory/5032-180-0x000001D66A650000-0x000001D66A66C000-memory.dmp

Filesize
112KB

Download
memory/5032-178-0x000001D66A620000-0x000001D66A64C000-memory.dmp

Filesize
176KB

Download
memory/5032-176-0x000001D66A600000-0x000001D66A61A000-memory.dmp

Filesize
104KB

Download
memory/5032-174-0x000001D651E60000-0x000001D651E86000-memory.dmp

Filesize
152KB

Download
memory/5032-172-0x000001D66B720000-0x000001D66B7D0000-memory.dmp

Filesize
704KB

Download
memory/5032-170-0x000001D66A5C0000-0x000001D66A5F6000-memory.dmp

Filesize
216KB

Download
memory/5032-168-0x000001D66B5D0000-0x000001D66B66A000-memory.dmp

Filesize
616KB

Download
memory/5032-166-0x000001D651EA0000-0x000001D651ED6000-memory.dmp

Filesize
216KB

Download
memory/5032-164-0x000001D66B440000-0x000001D66B4E0000-memory.dmp

Filesize
640KB

Download
memory/5032-162-0x000001D650030000-0x000001D650184000-memory.dmp

Filesize
1.3MB

Download