File name:

VyprVPN-5.1.2.0-installer.exe

Full analysis: https://app.any.run/tasks/c7386e57-bda0-4540-826d-00b64861c825
Verdict: Malicious activity
Analysis date: June 10, 2024, 00:51:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phishing
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E6014A8B9474FAE333383AC7006319EB

SHA1:

4ABC4E01C431F4B6B53F69F8A583AB4631D32985

SHA256:

948293C3555A45673591CD6BD4B4084450DD3B3DDBC6ED20558914D34BF13EBF

SSDEEP:

98304:Iha4Kn44LmU9cA/UTYy4VmNZAscMv0post9iANt4KkbLqUf4sIYa3vV/COsaqZCD:eOluhFc5uUPWU/J6w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • drvinst.exe (PID: 5752)
      • devcon.exe (PID: 3728)
      • drvinst.exe (PID: 4484)
      • devcon.exe (PID: 2492)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4148)
      • msiexec.exe (PID: 2332)
      • msiexec.exe (PID: 5708)
      • drvinst.exe (PID: 4928)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 5752)
      • drvinst.exe (PID: 4484)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4148)
      • drvinst.exe (PID: 4928)
      • msiexec.exe (PID: 5708)
      • VyprVPNService.exe (PID: 2540)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • The process creates files with name similar to system file names

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • Get information on the list of running processes

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • Process drops legitimate windows executable

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • Creates a software uninstall entry

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • Executable content was dropped or overwritten

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • devcon.exe (PID: 3728)
      • drvinst.exe (PID: 5752)
      • drvinst.exe (PID: 4484)
      • drvinst.exe (PID: 2452)
      • devcon.exe (PID: 2492)
      • drvinst.exe (PID: 4148)
      • drvinst.exe (PID: 4928)
    • Drops a system driver (possible attempt to evade defenses)

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • devcon.exe (PID: 3728)
      • drvinst.exe (PID: 5752)
      • drvinst.exe (PID: 4484)
      • devcon.exe (PID: 2492)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4148)
      • msiexec.exe (PID: 5708)
      • drvinst.exe (PID: 4928)
    • Creates files in the driver directory

      • drvinst.exe (PID: 5752)
      • drvinst.exe (PID: 4484)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4148)
      • msiexec.exe (PID: 5708)
      • drvinst.exe (PID: 4928)
    • Checks Windows Trust Settings

      • devcon.exe (PID: 3728)
      • drvinst.exe (PID: 5752)
      • devcon.exe (PID: 2492)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4928)
    • Reads security settings of Internet Explorer

      • devcon.exe (PID: 3728)
      • devcon.exe (PID: 2492)
      • VyprVPNService.exe (PID: 2540)
      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • VyprVPN.exe (PID: 4148)
      • TextInputHost.exe (PID: 6268)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 4484)
      • drvinst.exe (PID: 4148)
      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 2332)
    • Executes as Windows Service

      • VyprVPNService.exe (PID: 2540)
    • Reads the date of Windows installation

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • VyprVPN.exe (PID: 4148)
    • Executing commands from a ".bat" file

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • Starts CMD.EXE for commands execution

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
    • Adds/modifies Windows certificates

      • InstallCertificates.exe (PID: 4148)
  • INFO

    • Checks supported languages

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • devcon.exe (PID: 1100)
      • devcon.exe (PID: 3728)
      • drvinst.exe (PID: 5752)
      • drvinst.exe (PID: 4484)
      • devcon.exe (PID: 2484)
      • devcon.exe (PID: 2492)
      • devcon.exe (PID: 1100)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4148)
      • devcon.exe (PID: 2680)
      • msiexec.exe (PID: 2332)
      • msiexec.exe (PID: 5708)
      • drvinst.exe (PID: 4928)
      • msiexec.exe (PID: 5656)
      • VyprVPNService.exe (PID: 2540)
      • InstallCertificates.exe (PID: 4148)
      • VyprVPN.exe (PID: 4148)
      • identity_helper.exe (PID: 6276)
      • identity_helper.exe (PID: 6696)
      • TextInputHost.exe (PID: 6268)
      • identity_helper.exe (PID: 1744)
    • Reads the computer name

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • devcon.exe (PID: 3728)
      • drvinst.exe (PID: 4484)
      • drvinst.exe (PID: 5752)
      • devcon.exe (PID: 2492)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4148)
      • msiexec.exe (PID: 2332)
      • msiexec.exe (PID: 5656)
      • msiexec.exe (PID: 5708)
      • drvinst.exe (PID: 4928)
      • VyprVPNService.exe (PID: 2540)
      • InstallCertificates.exe (PID: 4148)
      • VyprVPN.exe (PID: 4148)
      • identity_helper.exe (PID: 6276)
      • identity_helper.exe (PID: 6696)
      • identity_helper.exe (PID: 1744)
      • TextInputHost.exe (PID: 6268)
    • Create files in a temporary directory

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • devcon.exe (PID: 3728)
      • devcon.exe (PID: 2492)
    • Creates files in the program directory

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • VyprVPNService.exe (PID: 2540)
      • InstallCertificates.exe (PID: 4148)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 5752)
      • devcon.exe (PID: 3728)
      • devcon.exe (PID: 2492)
      • drvinst.exe (PID: 2452)
      • drvinst.exe (PID: 4928)
      • VyprVPNService.exe (PID: 2540)
      • InstallCertificates.exe (PID: 4148)
      • VyprVPN.exe (PID: 4148)
    • Reads the software policy settings

      • devcon.exe (PID: 3728)
      • devcon.exe (PID: 2492)
      • drvinst.exe (PID: 5752)
      • rundll32.exe (PID: 1204)
      • drvinst.exe (PID: 2452)
      • rundll32.exe (PID: 5428)
      • drvinst.exe (PID: 4928)
      • VyprVPNService.exe (PID: 2540)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 1204)
      • rundll32.exe (PID: 5428)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 5752)
      • drvinst.exe (PID: 2452)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2332)
      • msiexec.exe (PID: 5708)
    • Application launched itself

      • msiexec.exe (PID: 2332)
      • msedge.exe (PID: 1864)
      • msedge.exe (PID: 6284)
      • msedge.exe (PID: 6552)
      • msedge.exe (PID: 7096)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2332)
    • Reads Environment values

      • VyprVPNService.exe (PID: 2540)
    • Disables trace logs

      • VyprVPNService.exe (PID: 2540)
    • Process checks computer location settings

      • VyprVPN-5.1.2.0-installer.exe (PID: 5536)
      • VyprVPN.exe (PID: 4148)
    • Creates files or folders in the user directory

      • VyprVPN.exe (PID: 4148)
    • Reads Microsoft Office registry keys

      • VyprVPN.exe (PID: 4148)
      • msedge.exe (PID: 1864)
      • msedge.exe (PID: 6284)
      • msedge.exe (PID: 7096)
      • msedge.exe (PID: 6552)
    • Manual execution by a user

      • msedge.exe (PID: 6284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 150528
UninitializedDataSize: 2048
EntryPoint: 0x3ae9
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.2.0
ProductVersionNumber: 5.1.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Traditional)
CharacterSet: Windows, Taiwan (Big5)
CompanyName: Certida LLC
FileDescription: VyprVPN 用於Windows v5.1.2.0 安裝
FileVersion: 5.1.2.0
LegalCopyright: Copyright © Certida LLC
LegalTrademarks: VyprVPN是Certida LLC的商标。
OriginalFileName: VyprVPN-5.1.2.0-installer.exe
ProductName: VyprVPN 5.1.2.0
ProductVersion: 5.1.2.0
SpecialBuild: ${RELEASE_TYPE}
No data.
All screenshots are available in the full report
Total processes
232
Monitored processes
108
Malicious processes
10
Suspicious processes
1

Behavior graph

start vyprvpn-5.1.2.0-installer.exe tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs tasklist.exe no specs conhost.exe no specs devcon.exe no specs conhost.exe no specs devcon.exe conhost.exe no specs drvinst.exe rundll32.exe no specs drvinst.exe devcon.exe no specs conhost.exe no specs devcon.exe no specs conhost.exe no specs devcon.exe conhost.exe no specs drvinst.exe rundll32.exe no specs drvinst.exe devcon.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe drvinst.exe vyprvpnservice.exe cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs installcertificates.exe no specs vyprvpn.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs textinputhost.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs 
msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs vyprvpn-5.1.2.0-installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
532
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4668 --field-trial-handle=2304,i,1627875051850327994,8582767177010551522,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
800
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
devcon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
928
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
devcon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1100
CMD:
"C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon" hwids tap0901
Path:
C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe
Parent process:
VyprVPN-5.1.2.0-installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
6.3.9600.17029 (winblue_gdr.140219-1702)
Modules
Images
c:\program files (x86)\vyprvpn\openvpn\util\devcon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1100
CMD:
"C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon" hwids tapvyprvpn
Path:
C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe
Parent process:
VyprVPN-5.1.2.0-installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
6.3.9600.17029 (winblue_gdr.140219-1702)
Modules
Images
c:\program files (x86)\vyprvpn\openvpn\util\devcon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1184
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files (x86)\VyprVPN\InstallCertificates.bat" SW_HIDE"
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
VyprVPN-5.1.2.0-installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1204
CMD:
rundll32.exe C:\WINDOWS\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{65092901-2569-be4c-8561-2785e160b51a} Global\{59cd5efb-217a-dd46-904c-8057aeba85ba} C:\WINDOWS\System32\DriverStore\Temp\{ba7299f6-26a8-a84e-a5f4-ca7b48ce1363}\oemvista.inf C:\WINDOWS\System32\DriverStore\Temp\{ba7299f6-26a8-a84e-a5f4-ca7b48ce1363}\tap0901.cat
Path:
C:\Windows\System32\rundll32.exe
Parent process:
drvinst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
1588
CMD:
C:\WINDOWS\system32\net1 FILE
Path:
C:\Windows\SysWOW64\net1.exe
Parent process:
net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID:
1616
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4924 --field-trial-handle=2396,i,492110206205423898,848800627512185031,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1636
CMD:
tasklist /NH /FI "IMAGENAME eq VyprVPNWireGuardService.exe"
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
VyprVPN-5.1.2.0-installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
186 154
Read events
185 724
Write events
390
Delete events
40

Modification events

(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Certida LLC\VyprVPN
Operation:
write
Name:
FreshInstall
Value:
1
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526B3DDC-6891-4F43-8F64-8B83DC9E4848}
Operation:
write
Name:
DisplayName
Value:
VyprVPN
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526B3DDC-6891-4F43-8F64-8B83DC9E4848}
Operation:
write
Name:
DisplayVersion
Value:
5.1.2.0
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526B3DDC-6891-4F43-8F64-8B83DC9E4848}
Operation:
write
Name:
Publisher
Value:
Certida LLC
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526B3DDC-6891-4F43-8F64-8B83DC9E4848}
Operation:
write
Name:
DisplayIcon
Value:
"C:\Program Files (x86)\VyprVPN\VyprVPN.exe"
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526B3DDC-6891-4F43-8F64-8B83DC9E4848}
Operation:
write
Name:
UninstallString
Value:
"C:\Program Files (x86)\VyprVPN\uninstall.exe"
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526B3DDC-6891-4F43-8F64-8B83DC9E4848}
Operation:
write
Name:
NoModify
Value:
1
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{526B3DDC-6891-4F43-8F64-8B83DC9E4848}
Operation:
write
Name:
NoRepair
Value:
1
(PID) Process:
(5536) VyprVPN-5.1.2.0-installer.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetworkLocationWizard
Operation:
write
Name:
HideWizard
Value:
1
(PID) Process:
(3728) devcon.exe
Key:
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:
write
Name:
setupapi.dev.log
Value:
4096
Executable files
80
Suspicious files
268
Text files
228
Unknown types
9

Dropped files

PID
Process
Filename
Type
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\nsc4814.tmp\modern-wizard.bmp
Type:
image
MD5:
B858EB4D395C0228BD25BEB5788F8562
SHA256:
7AE8E9702965BEDC098068E55A5FA387C0214D4C7CC286FD155B7B4D504E2C4F
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\nsc4814.tmp\ioSpecial.ini
Type:
ini
MD5:
E2D5070BC28DB1AC745613689FF86067
SHA256:
D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Program Files (x86)\VyprVPN\Docs\license.rtf
Type:
text
MD5:
C1FD795CF35C25884EEC8426F46194BD
SHA256:
AB501CD1933016E826073A70E50D5A3502A38EAAAF3733B5FC0373E099370E46
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\nsc4814.tmp\nsExec.dll
Type:
executable
MD5:
11092C1D3FBB449A60695C44F9F3D183
SHA256:
2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\nsc4814.tmp\System.dll
Type:
executable
MD5:
192639861E3DC2DC5C08BB8F8C7260D5
SHA256:
23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Program Files (x86)\VyprVPN\Config\certs\goldenfrog-client.p12
Type:
binary
MD5:
E4036BA0B2794B15550D7EAD2B7E4A86
SHA256:
F9417F0A32F8BED467EAD86B34C1539785F5561CB8F8E1F66FFF8B7C0A9868E2
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Program Files (x86)\VyprVPN\Docs\ThirdPartySoftwareReadme.pdf
Type:
pdf
MD5:
2EAB04FBE395411956C6ED54645A5324
SHA256:
6A22BE55D357B3DE8F21C94158C0014DD6069B75FE0330DCB9A85A1397550A7A
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Program Files (x86)\VyprVPN\Uninstall.exe
Type:
executable
MD5:
1794181EFC263EF10A71689FF35106CF
SHA256:
07797198AE08BC8A6D12BB00329ACECEC34762BA3C6574F3095EEDD098DED019
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Program Files (x86)\VyprVPN\Config\certs\GoldenFrog-Inc.cer
Type:
binary
MD5:
84804CCEFC4CF8AB14FE13E40B05266E
SHA256:
2EDF4E34D7D9C04A3FD02D52DBC5A083D0D9430F870CD40CF0241727945B53F0
PID:
5536
Process:
VyprVPN-5.1.2.0-installer.exe
Filename:
C:\Program Files (x86)\VyprVPN\GoldenFrogIPC.dll
Type:
executable
MD5:
2F4A4DE9A32C9B76EDAD20E7AB3ADC62
SHA256:
AB9931F687F5684451607404400658782F602C51C8781B37CDBA5689542DA944
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
187
TCP/UDP connections
143
DNS requests
59
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1636
RUXIMICS.exe
GET
200
72.247.176.73:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5504
svchost.exe
GET
200
72.247.176.73:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
72.247.176.73:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1636
RUXIMICS.exe
GET
200
23.61.152.46:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
23.61.152.46:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
GET
216.168.12.185:443
https://api.netitude.net/ping
unknown
GET
200
216.168.11.220:443
https://api.goldenfrog.com/images/vpn_flags/32/sin.png
unknown
GET
200
216.168.11.221:443
https://api.goldenfrog.com/images/vpn_flags/32/mas.png
unknown
GET
200
216.168.11.220:443
https://api.goldenfrog.com/images/vpn_flags/32/phi.png
unknown
GET
200
216.168.11.221:443
https://api.goldenfrog.com/images/vpn_flags/32/tha.png
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4364
svchost.exe
239.255.255.250:1900
unknown
1636
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1636
RUXIMICS.exe
72.247.176.73:80
crl.microsoft.com
Akamai International B.V.
GB
unknown
5504
svchost.exe
72.247.176.73:80
crl.microsoft.com
Akamai International B.V.
GB
unknown
5140
MoUsoCoreWorker.exe
72.247.176.73:80
crl.microsoft.com
Akamai International B.V.
GB
unknown
1636
RUXIMICS.exe
23.61.152.46:80
www.microsoft.com
AKAMAI-AS
BR
unknown
5140
MoUsoCoreWorker.exe
23.61.152.46:80
www.microsoft.com
AKAMAI-AS
BR
unknown
5504
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 72.247.176.73
  • 95.101.63.66
whitelisted
www.microsoft.com
  • 23.61.152.46
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
api.netitude.net
  • 216.168.12.185
unknown
api.goldenfrog.com
  • 216.168.11.220
  • 216.168.11.221
unknown
api.inunison.net
  • 216.168.12.185
unknown
downloads.vyprvpn.com
  • 104.18.24.208
  • 104.18.25.208
unknown
validation.api.goldenfrog.com
  • 216.168.11.220
  • 216.168.11.221
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.vyprvpn.com
  • 104.18.25.208
  • 104.18.24.208
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Suspicious Challenge-Platform Page Request
Possible Social Engineering Attempted
SUSPICIOUS [ANY.RUN] Suspicious Challenge-Platform Page Request
Generic Protocol Command Decode
SURICATA HTTP Request abnormal Content-Encoding header
4 ETPRO signatures available at the full report
Process
Message
VyprVPNService.exe
log: 2024-06-10 00:52:19,182 [1] INFO VyprVPN Service 5.1.2.0
VyprVPNService.exe
log: 2024-06-10 00:52:19,214 [1] INFO Upgrading service settings
VyprVPNService.exe
log: 2024-06-10 00:52:19,401 [4] INFO Cleaning up configuration directory "C:\WINDOWS\system32\config\systemprofile\AppData\Local\Certida_LLC" for VyprVPNService.exe
VyprVPNService.exe
log: 2024-06-10 00:52:19,401 [1] INFO Detected registry key used to indicate first run after install; clearing key (Software\Certida LLC\VyprVPN, FreshInstall)
VyprVPNService.exe
log: 2024-06-10 00:52:19,479 [1] INFO Refreshed distinct ID on first run
VyprVPNService.exe
log: 2024-06-10 00:52:20,292 [1] INFO AccountSettingsProvider instantiated
VyprVPNService.exe
log: 2024-06-10 00:52:20,339 [1] INFO ConnectionSelfMonitor starting monitoring
VyprVPNService.exe
log: 2024-06-10 00:52:20,417 [1] WARN ConnectionSelfMonitor retrying query attempt in 50ms after unexpected error: Catel.IoC.TypeNotRegisteredException: The specified type 'VyprVPNService.IVyprConnectionManager, VyprVPNService, Version=5.1.2.0, Culture=neutral, PublicKeyToken=null' is not registered or could not be constructed. Please register type before using it. The type 'VyprVPNService.IVyprConnectionManager, VyprVPNService, Version=5.1.2.0, Culture=neutral, PublicKeyToken=null' is not registered at Catel.IoC.ServiceLocator.ThrowTypeNotRegisteredException(Type type, String message) at Catel.IoC.ServiceLocator.ResolveType(Type serviceType, Object tag) at Catel.IoC.ServiceLocatorExtensions.ResolveType[TService](IServiceLocator serviceLocator, Object tag) at VyprVPNService.ConnectionSelfMonitor.<MonitorConnectionsSelfAsync>d__47.MoveNext()
VyprVPNService.exe
log: 2024-06-10 00:52:20,432 [1] INFO VpnUsageProvider instantiated
VyprVPNService.exe
log: 2024-06-10 00:52:20,479 [4] WARN ConnectionSelfMonitor retrying query attempt in 100ms after unexpected error: Catel.IoC.TypeNotRegisteredException: The specified type 'GoldenFrogVPN.Interfaces.IVyprVpnManager, GoldenFrogVPN, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' is not registered or could not be constructed. Please register type before using it. The type 'GoldenFrogVPN.Interfaces.IVyprVpnManager, GoldenFrogVPN, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' is not registered at Catel.IoC.ServiceLocator.ThrowTypeNotRegisteredException(Type type, String message) at Catel.IoC.ServiceLocator.ResolveType(Type serviceType, Object tag) at Catel.IoC.ServiceLocatorExtensions.ResolveType[TService](IServiceLocator serviceLocator, Object tag) at GoldenFrogUT.Utilities.ObjectExtensions.Resolve[T](Object o) at VyprVPNService.ConnectionSelfMonitor.<MonitorConnectionsSelfAsync>d__47.MoveNext()