654a286d076e81869399959d8700c68883300e07ef5f8ad7ef4f38ee15b02221

Resubmissions

17/12/2023, 10:14

231217-l96cjsebfp 8

05/11/2023, 05:36

05/11/2023, 05:32

05/11/2023, 05:30

05/11/2023, 05:28

Analysis

max time kernel
291s
max time network
268s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
17/12/2023, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Size

119KB
MD5

92afa514c40cbcfab9380561b127f657
SHA1

eea59b3b1ba3ec27d80968aec0642956647dc047
SHA256

654a286d076e81869399959d8700c68883300e07ef5f8ad7ef4f38ee15b02221
SHA512

adff54cfc926474012e8ea02a7a76dec486f299142ddb643d636250d9e69bffb902d252956fd4a82e0b395de2a470e201f9d1f10a60384563121be0b6ae78da6
SSDEEP

3072:3SojD9bzGtzJShh8N7q5AdYGgbVileLxBp/B6:CojxOzPtq5di0L3FB6

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\SETA75C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SETA75C.tmp	DrvInst.exe

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc040000000100000010000000c759d588bceb1c8a8c8a4d2c00103ba10f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617531400000001000000140000009afe50cc7c723e76b49c036a97a88c8135cb6651190000000100000010000000ea06916833e9ecb6dac092d5c3482ff15c000000010000000400000000080000180000000100000010000000c7c2cda336016dcb1d1c518e4c192b4b4b0000000100000044000000320036004100440030003100460039004300300030003200460041004400330037003400320037004500370033003400330030003200330038003300440038005f0000002000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\ICounter = "1"	Dashboard.exe

Executes dropped EXE 12 IoCs

pid	Process
5116	tmp52A4.tmp.exe
1728	Dashboard.exe
1104	Dashboard.Service.exe
1828	Dashboard.Service.exe
1376	wyUpdate.exe
2556	tap-windows-9.21.2.exe
1932	tapinstall.exe
1092	tapinstall.exe
1188	nvspbind.exe
4716	Dashboard.exe
4848	nvspbind.exe
3432	nvspbind.exe

Loads dropped DLL 7 IoCs

pid	Process
2556	tap-windows-9.21.2.exe
2556	tap-windows-9.21.2.exe
2556	tap-windows-9.21.2.exe
2556	tap-windows-9.21.2.exe
2556	tap-windows-9.21.2.exe
2556	tap-windows-9.21.2.exe
2556	tap-windows-9.21.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\CyberGhost = "\"C:\\Program Files\\CyberGhost 8\\Dashboard.exe\" /autostart /min"	Dashboard.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B65.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B65.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B67.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	wyUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\908D6E8C00F147F66A3BDC489B360B37	wyUpdate.exe
File created	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B66.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	wyUpdate.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D	wyUpdate.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B66.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}	DrvInst.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Temp\KAPE\Update\2ba38040-fe25-4bfb-93a5-8884390078b1\5b89cd0d-812f-4e64-8120-1a158b4fdfbd.zip	tmp52A4.tmp.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wyUpdate.exe.log	wyUpdate.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C	Dashboard.Service.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B67.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	Dashboard.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\908D6E8C00F147F66A3BDC489B360B37	wyUpdate.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D	wyUpdate.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\tap0901.sys	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\SH.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\ja.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\pl\CyberGhost.VPN.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\openssl.txt	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\Ghosties\[email protected]	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\DarkTheme\Onboarding\favorite_description.svg	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\MW.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\KR.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\PG.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\TD.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\System.Text.Encoding.CodePages.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Microsoft.Bcl.AsyncInterfaces.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\ko\Updater.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\NA.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\Data\Assets\Default\Logos\updaterRed.svg	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Microsoft.Xaml.Behaviors.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\de\Updater.Core.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\pt\Updater.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\Data\Assets\Default\Ghosties\cg_updater.svg	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\pt-BR.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\AntiVirus.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\Hardcodet.NotifyIcon.Wpf.txt	tmp52A4.tmp.exe
File opened for modification	C:\Program Files\CyberGhost 8\Dashboard.Service.InstallLog	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\af.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Icons\disabled.ico	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\da.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\sw.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x86\openssl.txt	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\EE.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\VG.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\sr.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\tr.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Logos\logo_text.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Logos\dashboardGray.svg	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\de\PrivacyGuard.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\BA.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\FM.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\VI.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\vulkan-1.dll	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\fr\Updater.Core.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\PS.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Castle.Windsor.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\CsvHelper.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\TN.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\NI.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\README.txt	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\XamlBehaviors.Wpf.txt	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\WF.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\MY.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\Data\Assets\Default\Logos\[email protected]	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\CyberGhost\DarkTheme\Logos\[email protected]	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\fr\CyberGhost.Controls.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\LaunchDarkly.EventSource.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\Updater\System.Threading.Tasks.Extensions.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Licenses\log4net.txt	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\ET.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\AntiVirus\es\Microsoft.Win32.TaskScheduler.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Applications\VPN\pt\CyberGhost.VPN.resources.dll	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Ghosties\ghostie_family_welcome.svg	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\CyberGhost\Ghosties\[email protected]	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\th.pak	Dashboard.Service.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\IO.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Assets\Default\Flags\64\JE.png	tmp52A4.tmp.exe
File created	C:\Program Files\CyberGhost 8\Data\Cef\116.0.23\x64\locales\ru.pak	Dashboard.Service.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	nvspbind.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	nvspbind.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	nvspbind.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Dashboard.exe = "11000"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\Dashboard.exe = "0"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Dashboard.exe = "0"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Dashboard.exe = "0"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\Dashboard.exe = "1"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\Dashboard.exe = "1"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Dashboard.exe = "1"	Dashboard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\Dashboard.exe = "1"	Dashboard.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	Dashboard.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Dashboard.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Dashboard.Service.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wyUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Dashboard.Service.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Dashboard.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Dashboard.Service.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Dashboard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Dashboard.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
5116	tmp52A4.tmp.exe
5116	tmp52A4.tmp.exe
5116	tmp52A4.tmp.exe
5116	tmp52A4.tmp.exe
5116	tmp52A4.tmp.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe
1828	Dashboard.Service.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
652	Process not Found
652	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	cgsetup_en_52vCnuXs6nskn3wQwksK.exe
Token: SeDebugPrivilege	5116	tmp52A4.tmp.exe
Token: SeSecurityPrivilege	5116	tmp52A4.tmp.exe
Token: SeDebugPrivilege	1728	Dashboard.exe
Token: SeDebugPrivilege	1828	Dashboard.Service.exe
Token: SeDebugPrivilege	1376	wyUpdate.exe
Token: SeAuditPrivilege	2884	svchost.exe
Token: SeSecurityPrivilege	2884	svchost.exe
Token: SeLoadDriverPrivilege	1092	tapinstall.exe
Token: SeRestorePrivilege	2308	DrvInst.exe
Token: SeBackupPrivilege	2308	DrvInst.exe
Token: SeLoadDriverPrivilege	2308	DrvInst.exe
Token: SeLoadDriverPrivilege	2308	DrvInst.exe
Token: SeLoadDriverPrivilege	2308	DrvInst.exe
Token: SeDebugPrivilege	4716	Dashboard.exe
Token: SeLoadDriverPrivilege	4556	svchost.exe
Token: SeLoadDriverPrivilege	4556	svchost.exe
Token: SeLoadDriverPrivilege	4556	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4716	Dashboard.exe
4716	Dashboard.exe
4716	Dashboard.exe
4716	Dashboard.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4716	Dashboard.exe
4716	Dashboard.exe
4716	Dashboard.exe
4716	Dashboard.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 5116	3376	cgsetup_en_52vCnuXs6nskn3wQwksK.exe	81
PID 3376 wrote to memory of 5116	3376	cgsetup_en_52vCnuXs6nskn3wQwksK.exe	81
PID 5116 wrote to memory of 1728	5116	tmp52A4.tmp.exe	83
PID 5116 wrote to memory of 1728	5116	tmp52A4.tmp.exe	83
PID 1728 wrote to memory of 1104	1728	Dashboard.exe	85
PID 1728 wrote to memory of 1104	1728	Dashboard.exe	85
PID 1828 wrote to memory of 1376	1828	Dashboard.Service.exe	92
PID 1828 wrote to memory of 1376	1828	Dashboard.Service.exe	92
PID 1728 wrote to memory of 2556	1728	Dashboard.exe	93
PID 1728 wrote to memory of 2556	1728	Dashboard.exe	93
PID 1728 wrote to memory of 2556	1728	Dashboard.exe	93
PID 2556 wrote to memory of 1932	2556	tap-windows-9.21.2.exe	95
PID 2556 wrote to memory of 1932	2556	tap-windows-9.21.2.exe	95
PID 2556 wrote to memory of 1092	2556	tap-windows-9.21.2.exe	96
PID 2556 wrote to memory of 1092	2556	tap-windows-9.21.2.exe	96
PID 2884 wrote to memory of 396	2884	svchost.exe	99
PID 2884 wrote to memory of 396	2884	svchost.exe	99
PID 396 wrote to memory of 1372	396	DrvInst.exe	100
PID 396 wrote to memory of 1372	396	DrvInst.exe	100
PID 2884 wrote to memory of 2308	2884	svchost.exe	101
PID 2884 wrote to memory of 2308	2884	svchost.exe	101
PID 1828 wrote to memory of 1188	1828	Dashboard.Service.exe	103
PID 1828 wrote to memory of 1188	1828	Dashboard.Service.exe	103
PID 1828 wrote to memory of 1188	1828	Dashboard.Service.exe	103
PID 1828 wrote to memory of 236	1828	Dashboard.Service.exe	104
PID 1828 wrote to memory of 236	1828	Dashboard.Service.exe	104
PID 1828 wrote to memory of 1928	1828	Dashboard.Service.exe	109
PID 1828 wrote to memory of 1928	1828	Dashboard.Service.exe	109
PID 1828 wrote to memory of 4848	1828	Dashboard.Service.exe	114
PID 1828 wrote to memory of 4848	1828	Dashboard.Service.exe	114
PID 1828 wrote to memory of 4848	1828	Dashboard.Service.exe	114
PID 1828 wrote to memory of 3432	1828	Dashboard.Service.exe	116
PID 1828 wrote to memory of 3432	1828	Dashboard.Service.exe	116
PID 1828 wrote to memory of 3432	1828	Dashboard.Service.exe	116
PID 1828 wrote to memory of 2828	1828	Dashboard.Service.exe	119
PID 1828 wrote to memory of 2828	1828	Dashboard.Service.exe	119
PID 1828 wrote to memory of 1196	1828	Dashboard.Service.exe	121
PID 1828 wrote to memory of 1196	1828	Dashboard.Service.exe	121
PID 1828 wrote to memory of 2752	1828	Dashboard.Service.exe	123
PID 1828 wrote to memory of 2752	1828	Dashboard.Service.exe	123

C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe
"C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\cgsetup_en_52vCnuXs6nskn3wQwksK.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Program Files\CyberGhost 8\Dashboard.exe
    "C:\Program Files\CyberGhost 8\Dashboard.exe" /install
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Program Files\CyberGhost 8\Dashboard.Service.exe
      "C:\Program Files\CyberGhost 8\Dashboard.Service.exe" --install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1104
  - - C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\tap-windows-9.21.2.exe
      "C:\Program Files\CyberGhost 8\Applications\VPN\Data\OpenVPN\x64\tap-windows-9.21.2.exe" /S
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Program Files\TAP-Windows\bin\tapinstall.exe
        
        "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:1932
    - - C:\Program Files\TAP-Windows\bin\tapinstall.exe
        
        "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092

C:\Program Files\CyberGhost 8\Dashboard.Service.exe
"C:\Program Files\CyberGhost 8\Dashboard.Service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Program Files\CyberGhost 8\wyUpdate.exe
  "C:\Program Files\CyberGhost 8\wyUpdate.exe" /justcheck /quickcheck /noerr -server="https://download.cyberghostvpn.com/windows/updates/8/nt/wyserver.wys"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe
  "C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "Ethernet 2" /d *
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1188
- C:\Windows\system32\netsh.exe
  "netsh" interface ip set address "Ethernet 2" static 169.254.123.81 255.255.0.0
  2⤵
  PID:236
- C:\Windows\system32\netsh.exe
  "netsh" interface set interface "Ethernet 2" DISABLED
  2⤵
  PID:1928
- C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe
  "C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "Ethernet 2" /e ms_tcpip
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4848
- C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe
  "C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "Ethernet 2" /e ms_tcpip6
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3432
- C:\Windows\system32\netsh.exe
  "netsh" interface ipv6 set teredo disable
  2⤵
  PID:2828
- C:\Windows\system32\netsh.exe
  "netsh" interface set interface "Ethernet 2" ENABLED
  2⤵
  PID:1196
- C:\Windows\system32\netsh.exe
  "netsh" interface ip set address "Ethernet 2" static 169.254.123.229 255.255.0.0
  2⤵
  PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d0a75831-fe42-564c-9d9a-0bc218dd1a72}\oemvista.inf" "9" "4d14a44ff" "000000000000015C" "WinSta0\Default" "00000000000000EC" "208" "c:\program files\tap-windows\driver"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{375F62F8-4233-44D9-B006-01F9E326B27F} Global\{9797BB38-992B-4BDA-9C00-58D764E02900} C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\tap0901.cat
    3⤵
    - Modifies system certificate store
    PID:1372
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000015C" "cf59"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4028

C:\Program Files\CyberGhost 8\Dashboard.exe
"C:\Program Files\CyberGhost 8\Dashboard.exe" /firststart
1⤵
- Manipulates Digital Signatures
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CyberGhost 8\Applications\AntiVirus\AntiVirus.Core.dll

Filesize
193KB

MD5
0aafef4fc89f0289b76b14a0eeb14853

SHA1
53b93adf83d3f19601cd81de04fbbf770a3d1489

SHA256
b0d16f265ed3369d05ed9ecad78e922ab6c52c02848bf472093b1c02b5de26eb

SHA512
e3e789780931ddeed6d6a8e90f64ed4a9c9033f747c1334858976103cca8a7d73ecb1dd79504ab00eac7c42bc7279239f628ffa4345094014c2b4119a83607ea

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\AntiVirus.dll

Filesize
342KB

MD5
03b650080896ce8b7e05ded0f0793f60

SHA1
4be3fd0e455d169f4e315e6055cdbe476a3d4b8e

SHA256
915affda0ec64efe02db1ed058bfc53b398eaab48c2759e3ea3dc5559670eee3

SHA512
2c222fe00b3812d52ced6e39b50a7653e094c7494d24d58f452982ef9f8482882b831820775f65b94060c4a8dd712b5e2f86904a7164db0f14ff820c20d456a2

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\Data\Assets\Default\Logos\antivirus.svg

Filesize
4KB

MD5
0bcd519bc47d8f289ba01fb8e37c1aa5

SHA1
d10057b61b65268f17162d135b6d67105fcf3d3d

SHA256
98b63c9fa091c300e73ce1369f010f4cdc43d24b8dc45a1ad7e00d212a49fab5

SHA512
f73cfe41c1f96cf8169c7641d47185f60fa469c9d89dd7d3ab5ddb44980c6c9ab397a81edf3c14de1f1ef7f3ac903ca2a672fda073f5abab5ebe432f653f0cba

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\de\AntiVirus.resources.dll

Filesize
46KB

MD5
dae6ed586a0804e6093ea6903fc8f290

SHA1
6a777d6043a1b5429a5eab15b2bf144a76eb8db1

SHA256
77b0c2f23ec7d31be1dab2b2e3359a37d4c94cfe0d9e98e08b5e83835b1a9b37

SHA512
9eebc76061986613d6b927198fd9f399c485ec6622af6ab8f887a541feeca01de3f6a57824e560000f7a1ce9c2f93d3af87bbe47386ea47c5a78bf6eafcfec57

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\es\AntiVirus.resources.dll

Filesize
45KB

MD5
befb0312fd6d980c97a0c86c36d3dfe1

SHA1
3bfd37779d09454afcab2bb810afd0b21993916a

SHA256
7d9d67535d359298a92ce2ca07fc854e116b066ff89e54b4b148dbeaa7bdb51a

SHA512
f908547fe3710c8d8050986dbc96ebd3bcbfa8cc0e5f598d46879a775269bd702d1a06b3337ace9898f21e428c0b82b7417bf5b5c2ea903b5cc5be6bb6c5d5e5

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\fr\AntiVirus.resources.dll

Filesize
46KB

MD5
c8c15ae769f7f35515ddd5022788b82b

SHA1
27cab4d8519ce7ad512336b83a2d8e6a3e499994

SHA256
d4274b588454f595dae43df79d468b700915507594ced25714d845c566192bbd

SHA512
cb2148755df9384d12509c8445ef7cab00c5450aa805375e77597e11fc3d6bacfd8b51eaee734aa47047a0ba9b90f46898a39916c6b63950dd9ac6d2e79b9bc2

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\it\AntiVirus.resources.dll

Filesize
44KB

MD5
13212ad3e12837db8136d5f79956d1e3

SHA1
732ca160f04855352c920bb532e7d9fbcb9b1aba

SHA256
870330f75080a275c34f0724bbb99eecbe823395e4ed82fa8084b200e3daf820

SHA512
ef4b9483443a0c4c0c2a57c8ed689827ff7c9bdfff225ef1b76665a64980ee22fbf53e28b47bfe504f935142140cc4e007c5ed6b02bd4ca59dd34b537d8a440d

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\ko\AntiVirus.resources.dll

Filesize
46KB

MD5
35ae8b6abb52277deab96b831b0d9b0e

SHA1
dc37dea9fe7ac365d855614b35ecb32ec74e5e46

SHA256
936051498492f0d2dbfe8bd03c9da551e8bd1d677560df714884fb1b0c0d8c31

SHA512
14e48e37fa22d29bd07c21e7f776012e70821c6a8850b3728e4da94a37d70722964e9ae911244b2d9eed2dd52308bb4bca62508385d9bc5db24814ea9b018d13

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\pl\AntiVirus.resources.dll

Filesize
46KB

MD5
4fc794245c74474010ae5b4aced82871

SHA1
96a965fa790c991b9c2024e24e4523d6acccab51

SHA256
bbe1c0857d7fa2679c1271f9cd44849071f4a01dafdbb3c893d265b63ccabda2

SHA512
74275e0c2598c0ea68ff78b746bfa71ace09747b6ed19c0d58f1a52eed43d3d868f851d7d63dd327d3a659c5d6247eb34b0457e063a7c6a2b730b994e7a6b3b0

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\pt\AntiVirus.resources.dll

Filesize
45KB

MD5
25793fe442adfca9c9d2d53d1eae6fd9

SHA1
c40b46e6954af8db65b9701af89adbc9c0686f48

SHA256
aa0763338d8a13f841ae829a7e8b7c8172c431c9717ae8ab738b2d93dbcc20f6

SHA512
4ebe78013c68ba3dda3a64c823e82a8dd3cc6732eb6641f255d171f786bbaf59e5b15546c2994198b3f6063d145ab16d0d1a72509d774ee472c91f311228b507

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\ro\AntiVirus.resources.dll

Filesize
46KB

MD5
5bc044ffcb62737b2d4225968c8c363f

SHA1
c6b0a61973134eabb8cfa0519671b55fe93fefb2

SHA256
6a09195d50fe869db0d45230073c7f32a6be7cc5e6373182f67555739fcfb3fb

SHA512
c5963f64f2297bdc1ecb3120935777a6e515b35e075f5d4a1159ca1153336709df98a82587e72f7639e9a897d478d4c3818486d8a9f11b36b54cddde2bb50946

Download Submit
C:\Program Files\CyberGhost 8\Applications\AntiVirus\ru\AntiVirus.resources.dll

Filesize
53KB

MD5
0cf01fbfb8543454e60c571c77fffad9

SHA1
085b500df40dc1f017bbc0707392470f990e5ca2

SHA256
03343cfa8279c66db2c8fd1c1aad31392568d7c795fe5016564dd8d95404901b

SHA512
7354f9f4e88bedb96975fc2ba7f0dbc06aeceb647967194624962d30a69932e61cad2c997287505939d33a026929df5de96408b53f339a90678ee99ac8d60318

Download Submit
C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\PrivacyGuard.dll

Filesize
723KB

MD5
a7272eb829d0a00425ad9e3d3f3dcb97

SHA1
9287c45b76a94fc5041ef229d7bc57f8adcd2761

SHA256
8573333cc11f6674e72c7f5fa7ec59633e04070f810d12ce44fab12cf088662b

SHA512
6861be776b317d91ba635758a2bd102a5fed0e3052cf306ffdcfec65e6926ec1e403df5269de1167249b1376c1dda4579966b5fce038cf27f113ede6a6ae22fd

Download Submit
C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\de\PrivacyGuard.resources.dll

Filesize
96KB

MD5
13ea7a6204b46f427e5ceec9c89bb0c8

SHA1
b9ed46a57ec0ec1ab8980a0a078e3bda75895a0c

SHA256
b3c02f3745ec0eeb2448614830dc820ff543d4e89681cc2e6b8200cd9f38b4f6

SHA512
36f12ee3e56c8445c06c26d00ba008ad2b46a829a0dcc93c2ce1d4355fd4990808f480e0f8f4313243c3064aceada66503e3aaedd88fe58eb4dcd05818fa706e

Download Submit
C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\es\PrivacyGuard.resources.dll

Filesize
93KB

MD5
be0f3f651271374960e3d38364070833

SHA1
88bb31efabdbee9b7a01b8f46ccedbd5baa204f7

SHA256
8d0d8a52191037ac38f05f4f48af64f934937ba321ae7d5493f45e9978e6ecb5

SHA512
b81eb6c28425fa5dd981c26567327f969f8ee0d2566cff69e3688e581df60d27b3a13fb6bfff8886c1f570f6cfe13a61d83e0117d02ec24e94714ae05669e7c2

Download Submit
C:\Program Files\CyberGhost 8\Applications\PrivacyGuard\fr\PrivacyGuard.resources.dll

Filesize
97KB

MD5
275930890018e56f8617bd31c2485a19

SHA1
d75ecf5b20e1772760f5b6be99e49a3985b555b0

SHA256
b5108a249e44c623a7029e2b5d400c97c99bee534d7cbe948d019ea89613b562

SHA512
07bbf9b550449e7cd12c19dd1b99d1d679933c6067ee820187303cdd7daae761c964cac9f8c9511af8de9fd683ced4130534d13da6391ef6faeb7bf7125ee424

Download Submit
C:\Program Files\CyberGhost 8\Applications\Updater\Updater.Core.dll

Filesize
116KB

MD5
4f86fbfcc35043e0331c1e7df5119e30

SHA1
ed3432543b9b560b60826b0fb226382867d6396b

SHA256
40eac3bcd7ea1710f8cc1d8f90d81477bcc713406069a284149a104bdeccdfbc

SHA512
ae1ba56ea09255aa2c3eaa21e0086dd19f70cebe5f0cd444e05600c06668209fcf3e62081adffac00fa755337bda8ffdd4cee803b19b5f5664e86d8dc25131f0

Download Submit
C:\Program Files\CyberGhost 8\Applications\Updater\Updater.dll

Filesize
165KB

MD5
150e454ceb778cc7c30f564926b57cf8

SHA1
7489a57c66ab0bb5b9698461705cecca57a11524

SHA256
b3ee31842d97a280c7368f94ba34a18618ebfe9f3655bb53c248ddb0aa9a5c04

SHA512
729fc6a3b459bfadd3606659f195eef67a550730170dc7824007b1c15d093acecf12f34b8ee1d7bd495e00c4cb1865348462c0f4d56c7e9943d61dfeb785bf75

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\CyberGhost.VPN.dll

Filesize
789KB

MD5
fb7477873ada2787c6385b4bdb8b1d5f

SHA1
72f5afe8c21a58ddceb3bf3b907b0e3e3aff9b55

SHA256
94168e7bef9856f35b73656865c60d119c0fd8148eab307709fb36cd6d4cc1f8

SHA512
6aab1f90f5bdd0f018b4dd4526551895c2fadf1d3609134ef3cd6dbcd54d92dbcaa55639623f5112c4902377fceaf85b5a5a87a956d2c9407d3c8cc133bc5114

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\CyberGhost.VPNServices.dll

Filesize
139KB

MD5
fe8c46f884ee39e2d6f3eeb8c0cbef4f

SHA1
d6068ed07b911eee61fc90e2bd9828efbd672ff8

SHA256
b30895a85fc5f9d3addd12bb91adcf5c12f6c33561e4193ab67b59de2aa4006c

SHA512
b2f373054da8616b65d87d49acf2c591a14bbbcfc0ffcbf0fd75347a4546e55a13ca1baa3bfd86b2e994ec077513d26aeb7f308f657abc8190ca9af918ac0b1d

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\CP.png

Filesize
136B

MD5
30bea326e5024b6a9b0136a000403d75

SHA1
0b6e65e87f670af6fbc4a28171aedf4db4daa0a5

SHA256
e58c331133d8f780738133e2aa966c8bcb5b17a07c860a990bc401afd6382e1a

SHA512
43362cef837497bc264a46dd70a67c3129d854cf7a9866bee4a33a4f62acb833ba96b4720441c6d6db56301c9b49f8c29f1465363b5c057ec6e16a213f06caac

Download Submit
C:\Program Files\CyberGhost 8\Applications\VPN\Data\Assets\Default\Flags\64\FR.png

Filesize
114B

MD5
42c4c4ecb4448888421a7c1180b4cd08

SHA1
bb515751cc2f7616fe41929d2577fc965c69b51a

SHA256
1ef1946b6e352f2d5a4b003367b968374d6af122c5b645c6b4d9577645fb819d

SHA512
0e8d4b1c124b86d696e979d9b3aae007c80258672202f66fe3d2ea72e64d205f8dace52333d6749feab74abbd090173f6811490e9b09c3a06682f58b14e5fcbf

Download Submit
C:\Program Files\CyberGhost 8\Castle.Core.dll

Filesize
145KB

MD5
ba801a7ee74a84effcc394a7a017609b

SHA1
05d26a8a40a3cd6e4ab066d241d78bc8e4c7d6e2

SHA256
785f5ce15a5365d8d48e5686b9ab45c32da133d39fb759afd91158d1b831671c

SHA512
33276e9d3b0d3bc96b2f6e42cac4ce8e978812967934f286b4cb1905804564a6fe33267219b42796a6b9876d0e7aed849e2389dfefd13df00eb39a71d52542c1

Download Submit
C:\Program Files\CyberGhost 8\Castle.Windsor.dll

Filesize
227KB

MD5
4842365b936b41f7ab4f7ee75b8f8732

SHA1
a2cc9fef142bd590fbb0e441bfd2d2f9b78e4118

SHA256
9e50ebd41872cf5541384f9f1011e8f76b24dcd3fe215fa36dd7b14df6959ebd

SHA512
39c986e1838610cbbfe3c77557ca61f23964d59259c6e5dad48728c92612291a1a75da9444634a90daa721face5bff6d7d553be1207e99867f7ae5815dda9c05

Download Submit
C:\Program Files\CyberGhost 8\CyberGhost.Browser.dll

Filesize
56KB

MD5
03078811f20b56679fc59511b6154043

SHA1
96f38f0dabaea07b5aafc8d6b835f9ac36994f00

SHA256
e0b479349bc514d0bd86cb59ae75ee730c20baf0e7bff0041023ef284cda3fbe

SHA512
5865cc3334c7fb838a0f23f698352fd830e5ccc69299cb5bfccc3d8420252464516cadc94adca07414ee3854f629fda8e2b06938b5beb608fb9826cab5d16852

Download Submit
C:\Program Files\CyberGhost 8\CyberGhost.Controls.dll

Filesize
278KB

MD5
dc215eada052496fd4ae4f48e5a2907d

SHA1
317e49cff2415098baa1f7c16789eabceb6cf723

SHA256
38bd4dd0bedfa132f3ba7bf0489df8ac2d6488d074c307386fca66f6684e822f

SHA512
0a277f57acb4a7b70135a8ca79ab571def7a4e0464c21deb84c4762ed6259fb40cb0dee96faceca330d959b7d3c17cb09f0ce46e0c65b09e630d284b166e126c

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Contracts.dll

Filesize
207KB

MD5
a639fdca2929b1412b2b73f4bae21d41

SHA1
5da5f12f92907229599c9193e4168b79c0b63b04

SHA256
08b3d075f51dbe212a6c93e8fad1aac15447a1bde1e90561e9d9f63f85f2382e

SHA512
da2baeef77a75230e267c703ff7eb9b844c4218df558809005c1ee513b5e869be48c5457c18ee75a10b2a093c8e765b59fd98280a1824af442b1bab93b3fa0e3

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Core.dll

Filesize
200KB

MD5
806c933fedbc89fe020a586dd3420261

SHA1
65234a00651e7d25f70166017cd5326bb164dc15

SHA256
f5733d169a52cefbbb86ff99d9d9115da3ca79d29d0145e73d96f33ae30480c2

SHA512
d2509e638d66909ba59d37e98f0ca2dc026a905c296c8220728586f9f95d0a91927647578450c688daa2c18b363d2dec56aee7c7e1c6e7be1284357b276ce5db

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.MPAHelper.dll

Filesize
39KB

MD5
50adc12dbb637d6fb5b5e359b8e90c69

SHA1
85a34a96d0c8a8c23913d1fe78596e5b8bd10f90

SHA256
ccce869e399e1e48b15fb1cf6c7dcb466b708cb5b4e0b187101c4d185d871a0e

SHA512
9b7be7ea931eeb93b67fc5364487b01fbe4e883bc4813024f97fb09473f79e7e9c21e72e736dde50c7cbbddace0288cc1cbf9691c56b7c41ac543b093637ba73

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Pipes.dll

Filesize
31KB

MD5
e5791f1579337e659780f6ed1a10a3f8

SHA1
a401f650a432b41a1d418fa797908934e535b2a5

SHA256
61eecc585cd86ef3ad0e03887e750e4295df488d1e2bc46e45a3b3d8d1f049e6

SHA512
2fff69a5eeebd24117671af3618173b764eb3852f7827e5c61c238b745f27b34fee77e800f90576795958809106c0025af2edb38474337336ad609515c66c839

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Service.InstallLog

Filesize
439B

MD5
7f45be626acd834af4bc05aec26a70b7

SHA1
e4595250912835dc7c92fa0a09b62e03eba7b9a3

SHA256
9dcc45001296eb80ac59c4291839a9bed4910bfe818751cdd73ba998c35bf0bd

SHA512
3d693476a0eef6cc6f493443dd320cc16db8858844f4332d2388df55860d3ae0c8e685563f2b6c6533cb25019b90df5645136f50eb783a0a654cf3e5ec00cdc2

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Service.exe

Filesize
71KB

MD5
d83103ceb262d7b402fa518d0364b3f0

SHA1
d1b9fca1341ba17184e8b8db9d0ae5719f4eb4fc

SHA256
51214325c5ba09c6aff0ab08ed2cd3a4dc174ccde55ab91953f91bd513900665

SHA512
7a6a06e1ea77673d64082cbb8caaa5b5da8ba5230799184279f1b7cab94239ed4fdbb740e17eb85d314ffe4af2a131c2ff992f9195c0be85b706e72371c0a5ac

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.Service.exe.config

Filesize
3KB

MD5
594b609d1b0b91f92ed36f59bf431555

SHA1
ab5a419d98f2d3abfa602513bc1f43615932c1fc

SHA256
478004e9145ef9db15781ce66a4334c76347cab3da033e1be8831bd4bedd484e

SHA512
8efb48c17461df3bc765889ff9bfa6a85a325e285119aad76dc4abd2320b9d25bb8453a254aa0f20a76a4029087eafbfb9e61b56d8d8a66fee02b8eb1a862b12

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.exe

Filesize
1.3MB

MD5
cbc338a63b1d6ac3b7f5ccdeb982681e

SHA1
9568bee51696d0cc0f0720247b9d408564d412b5

SHA256
aac795a311506cca3d53d409f15f88fba704fb8751587cc3599da3af12c9a27b

SHA512
b409f6c46bdc3a3c03a599df94f073a2c23a95873e6da8043b099341c140df6367744f626136cb3277fc22bf4d81ece285af43b709acc6c8b66ea1f9fe99119e

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.exe

Filesize
914KB

MD5
d857a3793088aa600a602fd4f37ac1da

SHA1
0ecc11c327b700e1f7227aba03dddff94ddb4267

SHA256
e9d5bc2e0c537d3c118d9dc73553180f88d35904fe902ca8185536ab7f23ab52

SHA512
f670b28fb6bc43571ba82179be7849ee1a8b603f70acdcb42413399ac40292e28f7e00b4918b9c4a5bbfcb4686fe3264947b749884a3f58d873f92f38719d709

Download Submit
C:\Program Files\CyberGhost 8\Dashboard.exe.config

Filesize
3KB

MD5
dbad1342429edce620d2e96b1e44e179

SHA1
38ae22086e612f3b8f5e1f48d725799bebaa71c9

SHA256
0a44b47433ae1cfd272368b9bfc8e963aae80a833cf094a2a8136879c41cd1f1

SHA512
89965204168dc28556838d9cc392f2aa10eed06f60aeda0a3a189b34a01bb6c9236a63f01fba67093ba3f4f092677507f9dfeaa38fe039aec3368deb2ae9508f

Download Submit
C:\Program Files\CyberGhost 8\Microsoft.Bcl.AsyncInterfaces.dll

Filesize
23KB

MD5
55d694ec8829ab9b387443481948d009

SHA1
2c4c4225046bf001cb9470bd9cdffb5c8b18a18f

SHA256
a77fa714482b381585ac547f5ec7d15b4ca826840438335823a65d853d5263a5

SHA512
4092e5b89711190617d7b245a576aeb2204706a4fee9b2b22d603bf3ed99b55c045791b5647b90cc4cac9245e547f6a9f5677c4a27aa505d4bdd122ae6d27fd5

Download Submit
C:\Program Files\CyberGhost 8\MobileConcepts45.dll

Filesize
209KB

MD5
c402e247f13a0007f7ab2ea6047d9cea

SHA1
39a07b4b44e3acd76f0177199add5e5391a68334

SHA256
84d5329c2ee4d2aba97c5a8c60b12c3dd687f120a875d21ce0379f42e75f810d

SHA512
e7a99374091635c23c0daccf41a911ec4e284a242acf59715dc4ecbe941a89c1293acda6524c53eb12e8f80d591fb0885dfd7c916fced57c77425fc56a4240f2

Download Submit
C:\Program Files\CyberGhost 8\Newtonsoft.Json.dll

Filesize
694KB

MD5
4fe3513b96d0dfdb5ef9c460b7b91be2

SHA1
72ebe2f9d363dfcb42cfe88bdd0d0a1e74e30e17

SHA256
ed44bb69014cc8fbbe6b417b8015e78a2124cab7970f5a1bce6bb58b42ed48fd

SHA512
4fcf9ff4baabfd7a1d3b7ec099c16c4f1362271af25d7bf394a2fbd7365a93657d196a867a220b2e9075564855a33021a588bb760f81f73c5954bab4eedb184f

Download Submit
C:\Program Files\CyberGhost 8\Serilog.Formatting.Compact.dll

Filesize
19KB

MD5
7f107c6e72354c56b955a7259385b911

SHA1
bd88a82263b394a59fdeb612407985e413371b92

SHA256
e8fc24d46022726ac75ece30ef33991e8ecfa1eb815b4478e0b5877ac3423c84

SHA512
d06c6c622ab158af1b03e160c1459f4b8490d3db9df76afb8061ea9b5dab7226190d570cd0fd86ec7e343bef29ca41aa0b8e098f63ca38ccdda9c00fd31a3446

Download Submit
C:\Program Files\CyberGhost 8\Serilog.dll

Filesize
148KB

MD5
b5f0f440182b068697d9beba2520351a

SHA1
c44071ac4b71ff2d65c622854dad02350083cecc

SHA256
856d2b7b4f27d429feee7d9e5750f307b8319b416714f3a1df214ea56f2ef05c

SHA512
d271d555003ce0421c8c92bcfa49e4c5dcf2d3cd7391da841d5263db47f64a9bc655e386e6c25d761ad8d83d8c02398ce2f910bd8d632c3b378a1efda819670e

Download Submit
C:\Program Files\CyberGhost 8\Svg2Xaml.dll

Filesize
70KB

MD5
c52135ae97acc2aaf1c1d82c7ad90587

SHA1
766ef52f4227b469bb13b4c3f498e429384a252a

SHA256
9ba6e2529cb9887b1a6494646670ac32000e363e1884ab36b87b985a9d9ee61b

SHA512
6e42b27a65f9187b8486731d75c0edb2b5b703ebaaff3516f6913c0f5e0e0e0116fa30586c3bacbc74c8aedc9934ad7c545e082dbeaab18ae0bba76e71cc0d4a

Download Submit
C:\Program Files\CyberGhost 8\System.Threading.Tasks.Extensions.dll

Filesize
27KB

MD5
78c12041faf6d1b7149334f9f613e8f6

SHA1
0946f11644eb36f984019b764ca317d457c537a4

SHA256
1a68e35ef2b8bff7b7abf2af24464896e2b0122d5230c92ea303cf3ed19a90ac

SHA512
8b6e0f313a7e17168da63c757493f241c89e06bd6e31366870f52a8c8886df9908fa367afc9c7f77d49d3b3149453f71fdf949c9c263699e0e3d89de8458f881

Download Submit
C:\Program Files\CyberGhost 8\WPFLocalizeExtension.dll

Filesize
22KB

MD5
f6d826122964e3f6492b61dc3841d490

SHA1
cc9aa1939c33e79ed17fc35ce6bf194c9a2a05c6

SHA256
43882aec33b2ef778a59ab42dd1911ae0a6b156fedc297cd31ab7fa5f42fe367

SHA512
0aa0710c48c313387307f40fef25f54cdb7f8693e4d093b5ee1e8b7bb22a4c785153ae47c389ef86f19e409b730344710f973b46d07fa480d145b49b3c31d215

Download Submit
C:\Program Files\CyberGhost 8\XAMLMarkupExtensions.dll

Filesize
40KB

MD5
42ba9c4412d7702f50c11ee66af5363c

SHA1
ceb7ccafd0ef29f79e6f1b3c285951acfb9014aa

SHA256
bef379302bbf0f47ab6cc12021abf3d6cb57602373ae56e16aa0b10d67082e6f

SHA512
1e29e5f66ec5371111b015e7102b9d424f630cb2c9e81c1659781269bf517baaebfbffd89eeb320f3137986e64e1c857eeadd69cae54dc896aac9068b27c87d1

Download Submit
C:\Program Files\CyberGhost 8\de\Dashboard.resources.dll

Filesize
55KB

MD5
5f3ed1255002d0af5e0d0be7f58f0915

SHA1
0818f7e4bf92d89a8ff464f6c4ad46b638250658

SHA256
c4267a6f3b02e680174a8519c87399385e0f885bd89f08cf018c2ddff35fc796

SHA512
8b7ec3183c32751669b6fdfb15ef9fffbe6fe5f8b6d04d414ba06d4be687d7d154cd801746b029c4b557dcb7abbe754679509bac67d18346d665a4197da5d182

Download Submit
C:\Program Files\CyberGhost 8\es\Dashboard.resources.dll

Filesize
54KB

MD5
bbcadf8aaa9eea827ae4545fe91c537d

SHA1
f55c1e548acf019454e67571c72820ef9503ba61

SHA256
20330428db303686ed54dfa6024054faf4f01fa86d23ceac124db274d23fa4e0

SHA512
3a85cc825b1ac44ec3ee0115ed9cdc233bddf15278c075f37f7e540cc47ee13020f1443cd6cf43298357c1e667f861d8581e9447dbd6f69551d50cc377678088

Download Submit
C:\Program Files\CyberGhost 8\fr\Dashboard.resources.dll

Filesize
56KB

MD5
d61b19d9f506aa9ac82c34aa0d5bfa2c

SHA1
904d3d4b7c1bcccb8fc6b6888baf60862d57f56d

SHA256
2c60fcc768d60bc201f6207fb042947be8efa05edb2e1efe5a530937fade5da7

SHA512
3b9015351bdda626d4dfe792646f7400b6a04ed301ca6c3fcbfc11e675cf05edddd7957fa629fa1aeb6e9d7d830d2d2bf23fd13a290907244ddbea24e06ba99f

Download Submit
C:\Program Files\CyberGhost 8\it\Dashboard.resources.dll

Filesize
54KB

MD5
9b14900e91dcb403d3700e864bafd04f

SHA1
7d1d2ded761c6e7699f3083ad50bf0f8cbb0dc7d

SHA256
38cdbfa94a71fb09e7ea2fbc750553c978ca7e3c416e4e8edd2f385932cb25df

SHA512
7c6e14d208fba4d3ce015e86fc3c74e478000bd78d24f536f8abd2452c3785805f113e1def84f4046d5b9713ac97f0c1ff2939454a05cf89562b62d89e7c235e

Download Submit
C:\Program Files\CyberGhost 8\ko\Dashboard.resources.dll

Filesize
56KB

MD5
1ced359e3200ee66ef78d831fe703907

SHA1
a3707289653f974cd677501fc664b2e9fdb60ff9

SHA256
1855701c081f55824a476a11fb65ffdfc1cad7b14c40f2aeb67e3bcfc54f9f75

SHA512
60b3d2b5bd4fae0443cbbbaa1a3369cd329036b6934a3f2ae7c9fc4c00f76f1ea826e15a458226b2b6722d783da43f4d9402fee3f90e46d6d2b087dd612be68e

Download Submit
C:\Program Files\CyberGhost 8\pl\Dashboard.resources.dll

Filesize
55KB

MD5
c6d6cb4e53c5035bd061a1680aee6cb4

SHA1
8f600f3a6103033c2681cbd1e0a5a10fd911e46f

SHA256
4454d32f137d4a8a6a6e494da6657ab56b637971e6e78ed7130597851fc1713b

SHA512
9a1e188e0576c0f0712f270e8ae6baee74e5ed07277579bf8172c12c2b4f221a8fab120b5f9084d50a870a92911fce59d8a4e00e72a4c0442362a549d6c348a5

Download Submit
C:\Program Files\CyberGhost 8\pt\Dashboard.resources.dll

Filesize
55KB

MD5
e04b554d8fd7c46fd77ff75e782665f0

SHA1
bef13fd0d4ede79479ce94cbca11e2482ec109d5

SHA256
bb468dd897ba03d319aa3ec4ad96b8ec859d66b058f1731ce9f3cfe37de3d8d2

SHA512
e714dac4dbd21fda2d01ef1d43e9c48360adab2740df35980ace691f8560ddabf1cec1e43fe988c95b0f40d14b1e656accfaa432d963be363945ef036590a0a4

Download Submit
C:\Program Files\CyberGhost 8\ro\Dashboard.resources.dll

Filesize
55KB

MD5
bde29bd0d8f7f327e39dd0c14c36bd42

SHA1
32bc9ad382558b9684561ea01cfec4be4b162f8e

SHA256
896db347802a6dce8688ef70b98b73362798226a38a74294d786ae3857cb66bd

SHA512
66887a5a5c9ea10b38ecaaea3253a108bcdab88524bc185dcc2a8453645fa69d6645b2d0cdaecdb6f9bd681061447fc01e69933a1754603a6ba7d83c4ecf1af4

Download Submit
C:\Program Files\CyberGhost 8\ru\Dashboard.resources.dll

Filesize
65KB

MD5
03dfaa0372b17dd4d1a00759068048c4

SHA1
74ec4087d81bae4e1e535c69d9db0c5f2911e32a

SHA256
ab69af171385b3948ca9e2c1d8e9a7f5329b359c9d51c9844ecf22baa78b1117

SHA512
76b33191cdca17bfaa1ecf2010f8cc5d74711d79f598154d10d30e5fb65c8d5131f67444bc68c30972d228a9ab1f9356e7dd4d50ec3e1d4de44e05b8856eb76d

Download Submit
C:\Program Files\CyberGhost 8\wyUpdate.exe

Filesize
119KB

MD5
d06f0ea4435ffcca5493bd7e998b324a

SHA1
ea2a0f4191b69e6015c8779301f8f71c6b73dc98

SHA256
cea860a68bff553a61bf4f7852ad40d8db9f83ab58263a5e1507bfd44795996a

SHA512
64bf245b4b6399aaccdabb7d3f85e1da0bc18ec53257ffe7230b7c0703dd20059273d9ffb03c261e5e80a43b61acc8ebaef11e78afc89078f844bd0135623253

Download Submit
C:\Program Files\CyberGhost 8\wyUpdate.new

Filesize
191KB

MD5
e9c83ffed14884d404301d2219e55614

SHA1
13cb5570e070a165a7887b6d049e012d9fcf1479

SHA256
82ce819c0b34f87dd910ea548cd50874d0d21d45cd445914aa6989f08d410905

SHA512
d4698e0c078007b51cca695a9742ba69e69e85b1658264e5c41ad763bc255c799eab03433282d87160456433ba7678879681bd6c9310c0c2580fda8fb50249fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
b83d7bb49fe22eb6600ac7849b3cc1ad

SHA1
742318da6a1630ef1175f1642b3ca1d2b07ca1eb

SHA256
40943413621d5f09ddea63a51d1a80a93cc622cc7a82ea425065ead97db03cae

SHA512
e728bfd20e0bc3463a5f3b3b68bb5c03e9aea8a200806a9490473ad4116ae6eec232148dedde2b512a8a1007360a3821b77959cffebde9c22a36776d1b4ef16f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C

Filesize
637B

MD5
83d97461c1d219cfde74fc643eedb938

SHA1
9d50257af9c5aaa54e77cf709d5a57484b34f781

SHA256
045bb4acc750a480301e40207538df54842da8150dfe9d1af80b4906567f2a65

SHA512
c0260b85f11858443ea0a024d7c93777b1f41d35d13bb6b0ac9dd3ab207c1a88c4b6413e5c1a8d598dec6b18c1d2faa7f9e19f0c0346aad5ca725082cfb2464a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
53cbbb364a1f80597a3f25fb419f3f69

SHA1
436bb2b1847980729289361540bcdacb1327a720

SHA256
1ed94de5a21b86f733efc99dabe160fe3d96772f847aae871b2b117cfd96c822

SHA512
53a5cd18d17c6c68afb90f0394c76d761faf6857c321ed78ea0e43ac83a314539fba897af8e73d95a96422beff1bfe9ea6a959f23ec0ede419bbe5a0994ec099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
67d3ca937067ed20b539d439e3d13216

SHA1
9e82797897ebd23483da78c9112ace025aba005a

SHA256
49cfcfd2e8ce43601328ac335dc16d9cb42f1fd4631358536d391f3de4045d9d

SHA512
c603f71239ba4e42da5a7ee1bc90f134469c5cea6197608ce6c4fb5b94677e406cd8426ece39864bb086e086b376afb39862d8023dc8298c05bc3fa77a502506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C

Filesize
488B

MD5
cd937662f95c4a29a0e071b06b5841da

SHA1
93d7f8aa9a1d593c91c50deae703b8098b120d09

SHA256
3c3635e4b2f7601e82f99cf0279e8719e87bc1b0e1d5bc0a14ea4e2bbefaab25

SHA512
8cf29fa6c0d252cbbf07ac4e0f58e59538549e2f1cd5bc9e650d9807d70417a19039137d7bf6383c56983efd4756ca572c66b902202272d83f9e9439799d6d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
352dc18bf9807550abdf9e2138a175c5

SHA1
988e0c03128685ae1a7f78bd8ef217d4c4e902fd

SHA256
379ef004dc1973c677564d603c3a1728133e0f99ca3c2feeb64d9b108a219e42

SHA512
163c9e155d25964d505ad9848acc09d51dbd6dda18c5a948e4a1e02df146dc0aba82fa0d0c3525413018b3c86fcb09504f9dce131c380d78682e6f048df07cf7

Download Submit
C:\Users\Admin\AppData\Local\IsolatedStorage\0weqa4zv.50a\zszhoxdu.b2l\StrongName.1r34rtndphgwhqowmyxywu5guyuf1gh2\StrongName.bx0ds5js14qgmnal5bhexnafezsd5pyy\Files\LaunchDarkly_QUEtxzTz76Ad8h9-oQ6Z5qLlzl8ZwK6bWWpos3tjUh4=\flags_ARh86W3tyiKWd4W8lkKuAOKfbiHcEvrOusAXRtWkfn4=

Filesize
17KB

MD5
a300246eb6afd3a64c95f027ba792760

SHA1
4ac69f63ade862d54f1a9d2eae2836b2fcb51254

SHA256
7ab8b34def4b6e0992ddeff48033bd0e9beb91b5bbc76aa5983ef1e3654e0cd0

SHA512
7680fd875ff90a4d1deb980347f0da9edf7d9b9a5681e0e311f6eb8d79c3cfdbf19d5f99ba6998b942c5cb690d0e2acb34f39384d50f6b2b366fa7d90500d2af

Download Submit
C:\Users\Admin\AppData\Local\IsolatedStorage\0weqa4zv.50a\zszhoxdu.b2l\StrongName.1r34rtndphgwhqowmyxywu5guyuf1gh2\StrongName.bx0ds5js14qgmnal5bhexnafezsd5pyy\Files\LaunchDarkly_QUEtxzTz76Ad8h9-oQ6Z5qLlzl8ZwK6bWWpos3tjUh4=\index

Filesize
64B

MD5
faf81ffe26afbbd72f33fbeec71c47ab

SHA1
e7534b419eb42deb969c53b6eb0ca4a653158f53

SHA256
ab96dd2afa3a6d0d1a56679ee9e3f05f97ae299f730e48e0038df71dd1b2b16f

SHA512
08a00ceb0bbed35305bc6f8f2e62b56d81e195c8d1b0f9517ac16a01ae4ee13ddf3431b76b0da2a4205a573ec706420cb897c09a444b9d0cbd79e103b893ce81

Download Submit
C:\Users\Admin\AppData\Local\IsolatedStorage\0weqa4zv.50a\zszhoxdu.b2l\StrongName.1r34rtndphgwhqowmyxywu5guyuf1gh2\StrongName.bx0ds5js14qgmnal5bhexnafezsd5pyy\identity.dat

Filesize
529B

MD5
b81dfaf8c0f7f1e2f170f4c6cb8c5634

SHA1
c24612cfc0b9c1067c311b4a9e6f7a98feda645f

SHA256
1f8da753d2cdc1c999a1cf1331c7ce4156c3cccf9ac6ed14b6621e6697566fdf

SHA512
980f1be6a48154a65cfd92d45a5737b53b20e2da48f1d88afb0e8186cb0cd9079436d4f6ad422012e8a7bcacba5b5452558ed3fddf904cb1e5c5bbb6dae0c051

Download Submit
C:\Users\Admin\AppData\Local\IsolatedStorage\0weqa4zv.50a\zszhoxdu.b2l\StrongName.1r34rtndphgwhqowmyxywu5guyuf1gh2\identity.dat

Filesize
516B

MD5
e2b3b163c689e1d90a8eb78200fb6a5a

SHA1
4f0bfa1d0fc9b80d1b3b9277933527b558324fe2

SHA256
5e992874a8fc49b8a61f59d8729aec96e85406f40f14ec24f4b2b9fbd7c4e1be

SHA512
017eabac9acc8e56f782f66b410f76d63aac01fb176c10a32059e1c4511abb6a39195c5704b7286b7c16cd642885344c7733fccd07eb31a491ed75782118d9c3

Download Submit
C:\Users\Admin\AppData\Local\IsolatedStorage\0weqa4zv.50a\zszhoxdu.b2l\StrongName.1r34rtndphgwhqowmyxywu5guyuf1gh2\info.dat

Filesize
64B

MD5
2ef996a37bbbfbf93bccefd549f2fa41

SHA1
3a9bcdba3bb5874c787c4e663641fd77003d12bd

SHA256
864b1312bf46b8a9b48d090dc1535e0c3d430b327e0107d79d980b810d38cf1c

SHA512
64c2038c1346a97c5cadbab5525cfdf52cf3698a9878b9fd1f4e12908f6cfad9dfdf640728f322f3ef697e00b5520950280cb6d53419c1ead81d83f1774e9923

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp5F75.tmp

Filesize
2KB

MD5
647f843626b023aaaa748f924f95ac25

SHA1
652cacf99409e3dcd39b6eb8839c16d22b1800e8

SHA256
732dee732e0261afbfba21eca43008a5009cfc9e4c405ece8826a9746564cceb

SHA512
61093dcbe07efa5bdffec4933243168bf40b8159bc5a9840552bc3ea8e7c129156276a8548c658e5267bf0b8c4448dcb5c8ab10140c72ed48eb8910c075022fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9A2E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9A2E.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd9A2E.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.exe

Filesize
853KB

MD5
5ab09962f6250471995477c6ec042792

SHA1
582786b1f57afba4c82c4c95e84a3b791b6f3a79

SHA256
72b58a7e51f973b7d55dfe6ecd2f18d217e65ab29c3123f31aba5c07840beb33

SHA512
2fe09bce063ff6c2c4272cb1e8e851c4917c6364e26aed361311ef3281b90bc096a1ff525abf40930485b47a2ba4642728a5a60e4d8075530a80d55ecaa2822d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.exe

Filesize
501KB

MD5
801a525ab709e000499a8e1749e60247

SHA1
0a88abbdc194a3242eaf1752d0024bd831b1f01f

SHA256
94a7d55ccfa1534fbbaca8c83a7f048c1d1ed95a1c18d668baf9e0dfd1ebe64e

SHA512
44114d10f1fc1e008a8f44794fa2f73c7d882a16cb81a8616aa277c378c34710f8c9a34b41dc50c927d496a00107d141a3ca3e1ce4edb7207eb349e9c7df7916

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.exe

Filesize
608KB

MD5
19dde957854d7e2bb5a19ac0153c1473

SHA1
6f4a767e4859b85cdf1fcaca1bd8433a4acba252

SHA256
4480d918d207b7526a9be4f20e4ffdbd18cc91df24e6b91cea42acde63d1bc71

SHA512
6c8f88c946bd49ac9696b30f529ba87efc4446eef0ac1537d5b7454ee2415cc5085259b3566a88c1696ccffa150eb85f62e5928b741433384b39ffb104b8082f

Download Submit
C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B65.tmp

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B66.tmp

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\System32\DriverStore\Temp\{b205b637-00d3-e941-bb04-61f34137df52}\SET9B67.tmp

Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
memory/1728-1279-0x0000024A016F0000-0x0000024A01700000-memory.dmp

Filesize
64KB

Download
memory/1728-1275-0x0000024A7FFB0000-0x0000024A8004A000-memory.dmp

Filesize
616KB

Download
memory/1728-1282-0x0000024A800C0000-0x0000024A8012E000-memory.dmp

Filesize
440KB

Download
memory/1728-1280-0x0000024A016F0000-0x0000024A01700000-memory.dmp

Filesize
64KB

Download
memory/1728-1278-0x0000024A7FF10000-0x0000024A7FF6C000-memory.dmp

Filesize
368KB

Download
memory/1728-1273-0x0000024A7FD80000-0x0000024A7FDB8000-memory.dmp

Filesize
224KB

Download
memory/1728-1271-0x0000024A7FE20000-0x0000024A7FEBE000-memory.dmp

Filesize
632KB

Download
memory/1728-1268-0x0000024A65E90000-0x0000024A65FE2000-memory.dmp

Filesize
1.3MB

Download
memory/1728-1269-0x00007FFCF4C00000-0x00007FFCF56C2000-memory.dmp

Filesize
10.8MB

Download
memory/3376-0-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/3376-1-0x00007FFCF4C00000-0x00007FFCF56C2000-memory.dmp

Filesize
10.8MB

Download
memory/3376-2-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/3376-3-0x000000001BF30000-0x000000001C0F2000-memory.dmp

Filesize
1.8MB

Download
memory/3376-4-0x000000001C630000-0x000000001CB58000-memory.dmp

Filesize
5.2MB

Download
memory/3376-50-0x00007FFCF4C00000-0x00007FFCF56C2000-memory.dmp

Filesize
10.8MB

Download
memory/5116-79-0x0000028EF6D40000-0x0000028EF6D48000-memory.dmp

Filesize
32KB

Download
memory/5116-69-0x0000028EF45F0000-0x0000028EF45F8000-memory.dmp

Filesize
32KB

Download
memory/5116-106-0x0000028EF8DB0000-0x0000028EF8E42000-memory.dmp

Filesize
584KB

Download
memory/5116-103-0x0000028EF0360000-0x0000028EF0370000-memory.dmp

Filesize
64KB

Download
memory/5116-82-0x0000028EF71D0000-0x0000028EF7208000-memory.dmp

Filesize
224KB

Download
memory/5116-102-0x0000028EF7B30000-0x0000028EF7B42000-memory.dmp

Filesize
72KB

Download
memory/5116-83-0x0000028EF71A0000-0x0000028EF71AE000-memory.dmp

Filesize
56KB

Download
memory/5116-85-0x0000028EF79A0000-0x0000028EF79DA000-memory.dmp

Filesize
232KB

Download
memory/5116-101-0x0000028EF7A80000-0x0000028EF7B32000-memory.dmp

Filesize
712KB

Download
memory/5116-100-0x0000028EF7A40000-0x0000028EF7A7A000-memory.dmp

Filesize
232KB

Download
memory/5116-98-0x0000028EF7A10000-0x0000028EF7A32000-memory.dmp

Filesize
136KB

Download
memory/5116-99-0x0000028EF71B0000-0x0000028EF71BA000-memory.dmp

Filesize
40KB

Download
memory/5116-84-0x0000028EF7210000-0x0000028EF7248000-memory.dmp

Filesize
224KB

Download
memory/5116-81-0x0000028EF0360000-0x0000028EF0370000-memory.dmp

Filesize
64KB

Download
memory/5116-80-0x0000028EF0360000-0x0000028EF0370000-memory.dmp

Filesize
64KB

Download
memory/5116-78-0x0000028EF6D30000-0x0000028EF6D38000-memory.dmp

Filesize
32KB

Download
memory/5116-108-0x0000028EF7F00000-0x0000028EF7F08000-memory.dmp

Filesize
32KB

Download
memory/5116-77-0x0000028EF0360000-0x0000028EF0370000-memory.dmp

Filesize
64KB

Download
memory/5116-76-0x0000028EF4B50000-0x0000028EF4B66000-memory.dmp

Filesize
88KB

Download
memory/5116-75-0x0000028EF49F0000-0x0000028EF49F8000-memory.dmp

Filesize
32KB

Download
memory/5116-74-0x0000028EF4970000-0x0000028EF4978000-memory.dmp

Filesize
32KB

Download
memory/5116-70-0x0000028EF4650000-0x0000028EF4658000-memory.dmp

Filesize
32KB

Download
memory/5116-73-0x0000028EF4890000-0x0000028EF4898000-memory.dmp

Filesize
32KB

Download
memory/5116-71-0x0000028EF4690000-0x0000028EF4698000-memory.dmp

Filesize
32KB

Download
memory/5116-72-0x0000028EF4830000-0x0000028EF4838000-memory.dmp

Filesize
32KB

Download
memory/5116-107-0x0000028EF8E40000-0x0000028EF8E66000-memory.dmp

Filesize
152KB

Download
memory/5116-68-0x0000028EF4550000-0x0000028EF4558000-memory.dmp

Filesize
32KB

Download
memory/5116-67-0x0000028EF3F50000-0x0000028EF3F58000-memory.dmp

Filesize
32KB

Download
memory/5116-66-0x0000028EF39F0000-0x0000028EF39F8000-memory.dmp

Filesize
32KB

Download
memory/5116-65-0x0000028EF26A0000-0x0000028EF26A8000-memory.dmp

Filesize
32KB

Download
memory/5116-63-0x0000028EF2690000-0x0000028EF269E000-memory.dmp

Filesize
56KB

Download
memory/5116-64-0x0000028EF38E0000-0x0000028EF390A000-memory.dmp

Filesize
168KB

Download
memory/5116-61-0x0000028EF1D70000-0x0000028EF1D8A000-memory.dmp

Filesize
104KB

Download
memory/5116-62-0x0000028EF3750000-0x0000028EF3796000-memory.dmp

Filesize
280KB

Download
memory/5116-60-0x0000028EF35C0000-0x0000028EF3660000-memory.dmp

Filesize
640KB

Download
memory/5116-58-0x0000028EF03A0000-0x0000028EF03AA000-memory.dmp

Filesize
40KB

Download
memory/5116-59-0x0000028EF03B0000-0x0000028EF03BA000-memory.dmp

Filesize
40KB

Download
memory/5116-53-0x0000028EF1C90000-0x0000028EF1D26000-memory.dmp

Filesize
600KB

Download
memory/5116-54-0x0000028EF0360000-0x0000028EF0370000-memory.dmp

Filesize
64KB

Download
memory/5116-57-0x0000028EF3530000-0x0000028EF35C4000-memory.dmp

Filesize
592KB

Download
memory/5116-56-0x0000028EF03C0000-0x0000028EF03C8000-memory.dmp

Filesize
32KB

Download
memory/5116-55-0x0000028EF0380000-0x0000028EF0388000-memory.dmp

Filesize
32KB

Download
memory/5116-109-0x0000028EF7EE0000-0x0000028EF7EEA000-memory.dmp

Filesize
40KB

Download
memory/5116-52-0x0000028EEFA50000-0x0000028EEFF60000-memory.dmp

Filesize
5.1MB

Download
memory/5116-51-0x00007FFCF4C00000-0x00007FFCF56C2000-memory.dmp

Filesize
10.8MB

Download
memory/5116-1245-0x0000028EF8EC0000-0x0000028EF8F10000-memory.dmp

Filesize
320KB

Download
memory/5116-1246-0x0000028EF8F90000-0x0000028EF9006000-memory.dmp

Filesize
472KB

Download
memory/5116-1276-0x00007FFCF4C00000-0x00007FFCF56C2000-memory.dmp

Filesize
10.8MB

Download
memory/5116-1283-0x0000028EF0360000-0x0000028EF0370000-memory.dmp

Filesize
64KB

Download