purelogs | f6dfae75fd23c0446ec1721994cf2530c66bd76366423176414747b39153bf58

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	CyberGhostVPNSetup (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	Dashboard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	Dashboard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	CefSharp.BrowserSubprocess.exe

Executes dropped EXE 17 IoCs

pid	Process
5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
3560	Dashboard.exe
4272	Dashboard.Service.exe
4984	Dashboard.Service.exe
1136	wyUpdate.exe
1320	tap-windows-9.21.2.exe
4176	tapinstall.exe
4376	tapinstall.exe
4648	nvspbind.exe
2404	nvspbind.exe
3644	Dashboard.exe
3944	nvspbind.exe
1320	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5404	CefSharp.BrowserSubprocess.exe
5364	CefSharp.BrowserSubprocess.exe

Loads dropped DLL 42 IoCs

pid	Process
1320	tap-windows-9.21.2.exe
1320	tap-windows-9.21.2.exe
1320	tap-windows-9.21.2.exe
1320	tap-windows-9.21.2.exe
1320	tap-windows-9.21.2.exe
1320	tap-windows-9.21.2.exe
1320	tap-windows-9.21.2.exe
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5404	CefSharp.BrowserSubprocess.exe
5404	CefSharp.BrowserSubprocess.exe
5404	CefSharp.BrowserSubprocess.exe
5404	CefSharp.BrowserSubprocess.exe
5404	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
5364	CefSharp.BrowserSubprocess.exe
5364	CefSharp.BrowserSubprocess.exe
5364	CefSharp.BrowserSubprocess.exe
5364	CefSharp.BrowserSubprocess.exe
5364	CefSharp.BrowserSubprocess.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CyberGhost = "\"C:\\Program Files\\CyberGhost 8\\Dashboard.exe\" /autostart /min"	Dashboard.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\SET1AD6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\SET1B07.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\tap0901.sys	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wyUpdate.exe.log	wyUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	wyUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	wyUpdate.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D	wyUpdate.exe
File created	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\SET1AD6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D	wyUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\908D6E8C00F147F66A3BDC489B360B37	wyUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C	Dashboard.Service.exe
File created	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\SET1B06.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\908D6E8C00F147F66A3BDC489B360B37	wyUpdate.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\SET1B07.tmp	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Temp\KAPE\Update\c320e2f8-1fdf-43f4-9d04-518b975c1cb3\a38f5d7d-e91e-4bb9-8955-3c01dd657224.zip	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C	Dashboard.Service.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	Dashboard.Service.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\SET1B06.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\TL.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\Hardcodet.NotifyIcon.Wpf.txt	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\WF.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Data\Assets\Default\Flags\64\GB.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Backgrounds\background.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\FR.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\PF.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\CL.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\DG.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\AntiVirus.dll.config	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Ghosties\[email protected]	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Logos\[email protected]	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\PF.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\ST.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\ca.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\System.Numerics.Vectors.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Onboarding\NewDot.svg	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\LU.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\TaskScheduler.txt	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\PL.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\LaunchDarkly.ClientSdk.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\LaunchDarkly.EventSource.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Serilog.Formatting.Compact.Reader.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Logos\privacyguardGray.svg	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\CU.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\IQ.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\BV.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\EC.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\System.Linq.Async.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\it\Microsoft.Win32.TaskScheduler.resources.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Ghosties\ghostie_briefly.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\NP.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\TO.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Data\Assets\Default\Logos\shield+[email protected]	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\AN.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File opened for modification	C:\Program Files\CyberGhost 8\debug.log	CefSharp.BrowserSubprocess.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\pt\PrivacyGuard.resources.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\de\Updater.resources.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\OM.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\Microsoft.Management.Infrastructure.txt	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\BD.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\OpenVPN\x64\tap-windows-9.21.2.exe	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Ghosties\ghostie_family_welcome_slim.svg	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\AR.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\CW.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\SM.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\OpenVPN\x64\vcruntime140.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\PropertyChanged.Fody.txt	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x86\openssl.exe	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\OpenVPN\x86\openssl.txt	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\GW.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Data\Assets\Default\Backgrounds\background.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\DarkTheme\Logos\[email protected]	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Microsoft.Bcl.HashCode.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Serilog.Formatting.Compact.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\de\CyberGhost.VPN.resources.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\ko\CyberGhost.VPN.resources.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\GF.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\CO.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\SB.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File opened for modification	C:\Program Files\CyberGhost 8\debug.log	CefSharp.BrowserSubprocess.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\fr\CyberGhost.VPN.resources.dll	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\MF.png	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\sk.pak	Dashboard.Service.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Dashboard.exe = "1"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\Dashboard.exe = "1"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\Dashboard.exe = "1"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Dashboard.exe = "0"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Dashboard.exe = "1"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Dashboard.exe = "11000"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\Dashboard.exe = "0"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Dashboard.exe = "0"	Dashboard.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Dashboard.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Dashboard.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wyUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CyberGhostVPNSetup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CyberGhostVPNSetup (1).exe
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	CyberGhostVPNSetup (1).exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	CyberGhostVPNSetup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CyberGhostVPNSetup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CyberGhostVPNSetup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CyberGhostVPNSetup (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
4984	Dashboard.Service.exe
1320	CefSharp.BrowserSubprocess.exe
1320	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5508	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe
5496	CefSharp.BrowserSubprocess.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
676	Process not Found
676	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	CyberGhostVPNSetup (1).exe
Token: SeSecurityPrivilege	1948	CyberGhostVPNSetup (1).exe
Token: SeDebugPrivilege	5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
Token: SeSecurityPrivilege	5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
Token: SeDebugPrivilege	3560	Dashboard.exe
Token: SeDebugPrivilege	4984	Dashboard.Service.exe
Token: SeDebugPrivilege	1136	wyUpdate.exe
Token: SeAuditPrivilege	3928	svchost.exe
Token: SeSecurityPrivilege	3928	svchost.exe
Token: SeDebugPrivilege	3644	Dashboard.exe
Token: SeLoadDriverPrivilege	4376	tapinstall.exe
Token: SeRestorePrivilege	4076	DrvInst.exe
Token: SeBackupPrivilege	4076	DrvInst.exe
Token: SeLoadDriverPrivilege	4076	DrvInst.exe
Token: SeLoadDriverPrivilege	4076	DrvInst.exe
Token: SeLoadDriverPrivilege	4076	DrvInst.exe
Token: SeDebugPrivilege	1320	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	5508	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	5496	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	5404	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeDebugPrivilege	5364	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe
Token: SeCreatePagefilePrivilege	3644	Dashboard.exe
Token: SeShutdownPrivilege	3644	Dashboard.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
3644	Dashboard.exe
3888	firefox.exe
3888	firefox.exe
3888	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3888	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 5072	1948	CyberGhostVPNSetup (1).exe	89
PID 1948 wrote to memory of 5072	1948	CyberGhostVPNSetup (1).exe	89
PID 5072 wrote to memory of 3560	5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe	94
PID 5072 wrote to memory of 3560	5072	7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe	94
PID 3560 wrote to memory of 4272	3560	Dashboard.exe	96
PID 3560 wrote to memory of 4272	3560	Dashboard.exe	96
PID 4984 wrote to memory of 1136	4984	Dashboard.Service.exe	98
PID 4984 wrote to memory of 1136	4984	Dashboard.Service.exe	98
PID 3560 wrote to memory of 1320	3560	Dashboard.exe	104
PID 3560 wrote to memory of 1320	3560	Dashboard.exe	104
PID 3560 wrote to memory of 1320	3560	Dashboard.exe	104
PID 1320 wrote to memory of 4176	1320	tap-windows-9.21.2.exe	107
PID 1320 wrote to memory of 4176	1320	tap-windows-9.21.2.exe	107
PID 1320 wrote to memory of 4376	1320	tap-windows-9.21.2.exe	109
PID 1320 wrote to memory of 4376	1320	tap-windows-9.21.2.exe	109
PID 3928 wrote to memory of 4224	3928	svchost.exe	112
PID 3928 wrote to memory of 4224	3928	svchost.exe	112
PID 4224 wrote to memory of 4284	4224	DrvInst.exe	113
PID 4224 wrote to memory of 4284	4224	DrvInst.exe	113
PID 4984 wrote to memory of 4648	4984	Dashboard.Service.exe	118
PID 4984 wrote to memory of 4648	4984	Dashboard.Service.exe	118
PID 4984 wrote to memory of 4648	4984	Dashboard.Service.exe	118
PID 4984 wrote to memory of 2404	4984	Dashboard.Service.exe	122
PID 4984 wrote to memory of 2404	4984	Dashboard.Service.exe	122
PID 4984 wrote to memory of 2404	4984	Dashboard.Service.exe	122
PID 4984 wrote to memory of 3944	4984	Dashboard.Service.exe	125
PID 4984 wrote to memory of 3944	4984	Dashboard.Service.exe	125
PID 4984 wrote to memory of 3944	4984	Dashboard.Service.exe	125
PID 4984 wrote to memory of 4016	4984	Dashboard.Service.exe	127
PID 4984 wrote to memory of 4016	4984	Dashboard.Service.exe	127
PID 3928 wrote to memory of 4076	3928	svchost.exe	129
PID 3928 wrote to memory of 4076	3928	svchost.exe	129
PID 3644 wrote to memory of 1320	3644	Dashboard.exe	131
PID 3644 wrote to memory of 1320	3644	Dashboard.exe	131
PID 3644 wrote to memory of 5496	3644	Dashboard.exe	135
PID 3644 wrote to memory of 5496	3644	Dashboard.exe	135
PID 3644 wrote to memory of 5508	3644	Dashboard.exe	134
PID 3644 wrote to memory of 5508	3644	Dashboard.exe	134
PID 3644 wrote to memory of 5364	3644	Dashboard.exe	133
PID 3644 wrote to memory of 5364	3644	Dashboard.exe	133
PID 3644 wrote to memory of 5404	3644	Dashboard.exe	132
PID 3644 wrote to memory of 5404	3644	Dashboard.exe	132
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3480 wrote to memory of 3888	3480	firefox.exe	137
PID 3888 wrote to memory of 4228	3888	firefox.exe	138
PID 3888 wrote to memory of 4228	3888	firefox.exe	138
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139
PID 3888 wrote to memory of 1484	3888	firefox.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CyberGhostVPNSetup (1).exe
"C:\Users\Admin\AppData\Local\Temp\CyberGhostVPNSetup (1).exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\caba9c68-f7b6-40ce-b3a3-30ab74513f45\7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe
  "C:\Program Files\caba9c68-f7b6-40ce-b3a3-30ab74513f45\7cebc91a-50eb-4bc5-953f-e3f4d48bf272.exe" "C:\Users\Admin\AppData\Local\Temp\CyberGhostVPNSetup (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Program Files\CyberGhost 8\Dashboard.exe
    "C:\Program Files\CyberGhost 8\Dashboard.exe" /install
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Program Files\CyberGhost 8\Dashboard.Service.exe
      "C:\Program Files\CyberGhost 8\Dashboard.Service.exe" --install
      4⤵
      Executes dropped EXE
      PID:4272
  - - C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\tap-windows-9.21.2.exe
      "C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\tap-windows-9.21.2.exe" /S
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Program Files\TAP-Windows\bin\tapinstall.exe
        
        "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:4176
    - - C:\Program Files\TAP-Windows\bin\tapinstall.exe
        
        "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376

C:\Program Files\CyberGhost 8\Dashboard.Service.exe
"C:\Program Files\CyberGhost 8\Dashboard.Service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Program Files\CyberGhost 8\wyUpdate.exe
  "C:\Program Files\CyberGhost 8\wyUpdate.exe" /justcheck /quickcheck /noerr -server="https://download.cyberghostvpn.com/windows/updates/8/nt/wyserver.wys"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe
  "C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "TAP-Windows Adapter" /d *
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe
  "C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "TAP-Windows Adapter" /e ms_tcpip
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe
  "C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "TAP-Windows Adapter" /e ms_tcpip6
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\system32\netsh.exe
  "netsh" interface ipv6 set teredo disable
  2⤵
  PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6e5f89a3-708b-114a-8b68-26be3443f754}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files\tap-windows\driver"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{e86b83f7-f6cd-bf43-9d0a-bc59e7a3bc6f} Global\{4ce572d9-1ad0-9f4c-bf4e-2a48ec13e67f} C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{a40bd26e-670c-d547-bac7-3c34dfbf993a}\tap0901.cat
    3⤵
    - Modifies system certificate store
    PID:4284
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:672

C:\Program Files\CyberGhost 8\Dashboard.exe
"C:\Program Files\CyberGhost 8\Dashboard.exe" /firststart
1⤵
- Manipulates Digital Signatures
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe
  "C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CyberGhost" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Program Files\CyberGhost 8\debug.log" --mojo-platform-channel-handle=5020 --field-trial-handle=5528,i,3700070062129455843,12962906432620753668,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion /prefetch:2 --host-process-id=3644
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe
  "C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CyberGhost" --cefsharpexitsub --no-sandbox --log-file="C:\Program Files\CyberGhost 8\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=6892 --field-trial-handle=5528,i,3700070062129455843,12962906432620753668,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion --host-process-id=3644 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5404
- C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe
  "C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CyberGhost" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Program Files\CyberGhost 8\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=6884 --field-trial-handle=5528,i,3700070062129455843,12962906432620753668,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion --host-process-id=3644 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5364
- C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe
  "C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CyberGhost" --cefsharpexitsub --log-file="C:\Program Files\CyberGhost 8\debug.log" --mojo-platform-channel-handle=6500 --field-trial-handle=5528,i,3700070062129455843,12962906432620753668,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion /prefetch:8 --host-process-id=3644
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe
  "C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CyberGhost" --cefsharpexitsub --log-file="C:\Program Files\CyberGhost 8\debug.log" --mojo-platform-channel-handle=6484 --field-trial-handle=5528,i,3700070062129455843,12962906432620753668,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion /prefetch:8 --host-process-id=3644
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.0.725251219\1505844178" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20808 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db8d5c59-adb4-4c70-8233-762bee1fd46d} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 1992 224461dda58 gpu
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.1.1825924198\1011016347" -parentBuildID 20221007134813 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 20844 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f620bf2-f61f-41bb-8a4f-5579f5691d55} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 2392 22445931a58 socket
    3⤵
    PID:1484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.2.1067768280\1782320341" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3020 -prefsLen 20947 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cece814-7d5a-4cc1-a641-14be40ec9aa2} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 3056 22449cc7558 tab
    3⤵
    PID:5940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.3.63459766\1835060955" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3564 -prefsLen 26126 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9ebd49-e44d-40fd-ac6b-eafe6ce2fd18} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 3588 2244a1c4158 tab
    3⤵
    PID:1240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.4.1861129418\901138081" -childID 3 -isForBrowser -prefsHandle 4628 -prefMapHandle 4620 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5fae124-b9cf-4c99-ba66-d9d5bc9d0f8a} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 4640 22449fbca58 tab
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.5.100236403\603155164" -childID 4 -isForBrowser -prefsHandle 5020 -prefMapHandle 5052 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38b91412-ac1c-4998-827b-267f4233fb1a} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 5032 2244b246258 tab
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.7.1790814875\1346728472" -childID 6 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49e9dcee-d159-410d-9ee9-ceea257aa186} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 5348 2244c2c1d58 tab
    3⤵
    PID:1536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.6.1879260763\1584915562" -childID 5 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26185 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b58b4696-2ba8-4786-a170-77e7fff374d4} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 5156 2244c2c2358 tab
    3⤵
    PID:1212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3888.8.1460896703\1166063332" -childID 7 -isForBrowser -prefsHandle 3044 -prefMapHandle 2900 -prefsLen 26520 -prefMapSize 233444 -jsInitHandle 1092 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0716e760-2715-4a0e-b8fa-2109c4f8fa8f} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 5708 22448e31458 tab
    3⤵
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery