File name: CyberGhostVPNSetup.exe

Full analysis: https://app.any.run/tasks/fcbd7cca-d615-4a18-b7a0-fa7e10c4513e
Verdict: Malicious activity
Analysis date: November 18, 2024, 18:52:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: FD093F3100A56B710C50D41667DA7E2B
SHA1: 5EC9063E4380F642D2A551DA76FD4D3F00FD4C96
SHA256: F6DFAE75FD23C0446EC1721994CF2530C66BD76366423176414747B39153BF58
SSDEEP: 3072:z5XPWSc4UShBSz2fxhlYjciFvcbFqpdpupIgZFgSDLxgbjl:hgwxhlGciFvcbFqpdMpIgZFPLWJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Dashboard.exe (PID: 2736)
      • Dashboard.Service.exe (PID: 7044)
      • wyUpdate.exe (PID: 5824)
      • Dashboard.Service.exe (PID: 6736)
      • devcon.exe (PID: 6708)
      • nvspbind.exe (PID: 6240)
      • nvspbind.exe (PID: 2844)
      • nvspbind.exe (PID: 3936)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6588)
      • Dashboard.exe (PID: 1516)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 924452ad-3425-47b2-94ca-11f5aa2a992a.exe (PID: 1752)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6588)
    • Executable content was dropped or overwritten

      • CyberGhostVPNSetup.exe (PID: 6516)
      • Dashboard.Service.exe (PID: 7044)
      • 924452ad-3425-47b2-94ca-11f5aa2a992a.exe (PID: 1752)
      • drvinst.exe (PID: 3924)
      • devcon.exe (PID: 6708)
      • drvinst.exe (PID: 6736)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6588)
    • Drops a system driver (possible attempt to evade defenses)

      • 924452ad-3425-47b2-94ca-11f5aa2a992a.exe (PID: 1752)
      • devcon.exe (PID: 6708)
      • drvinst.exe (PID: 6736)
      • drvinst.exe (PID: 3924)
    • The process drops C-runtime libraries

      • 924452ad-3425-47b2-94ca-11f5aa2a992a.exe (PID: 1752)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 6492)
      • Dashboard.Service.exe (PID: 7044)
    • Suspicious use of NETSH.EXE

      • Dashboard.Service.exe (PID: 7044)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 5476)
  • INFO

    • Manual execution by a user

      • Dashboard.exe (PID: 1516)
      • firefox.exe (PID: 3396)
    • Application launched itself

      • firefox.exe (PID: 3396)
      • firefox.exe (PID: 5004)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 5004)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:13 09:25:01+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 80384
InitializedDataSize: 39424
UninitializedDataSize: -
EntryPoint: 0x1589e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.3.11.2
ProductVersionNumber: 8.3.11.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Installs CyberGhost 8 on your computer
CompanyName: CyberGhost S.R.L.
FileDescription: CyberGhost 8 Installer
FileVersion: 8.3.11.2
InternalName: WebBootstrapper.exe
LegalCopyright: Copyright © CyberGhost S.R.L. 2018-2022
LegalTrademarks: CyberGhost
OriginalFileName: WebBootstrapper.exe
ProductName: CyberGhost 8
ProductVersion: 8.3.11.2
AssemblyVersion: 8.3.11.2
No data.
Total processes
190
Monitored processes
48
Malicious processes
7
Suspicious processes
6

Behavior graph

start cyberghostvpnsetup.exe 924452ad-3425-47b2-94ca-11f5aa2a992a.exe dashboard.exe dashboard.service.exe no specs dashboard.service.exe wyupdate.exe wmiapsrv.exe no specs devcon.exe conhost.exe no specs drvinst.exe drvinst.exe netsh.exe no specs nvspbind.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs dashboard.exe no specs nvspbind.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs nvspbind.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe no specs wermgr.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs cyberghostvpnsetup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1396
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2928 -prefsLen 31121 -prefMapSize 244343 -jsInitHandle 1508 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd2c40db-127e-4455-b076-9159a6f1d504} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 1f7f2728d90 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
PID: 1516
CMD: "C:\Program Files\CyberGhost 8\Dashboard.exe" /firststart
Path: C:\Program Files\CyberGhost 8\Dashboard.exe
Parent process: explorer.exe
User:
admin
Company:
CyberGhost S.R.L.
Integrity Level:
MEDIUM
Description:
CyberGhost 8
Version:
8.4.9.14426
PID: 1752
CMD: "C:\Program Files\21c1cb9e-6fbd-4123-b02a-cbf055a9d926\924452ad-3425-47b2-94ca-11f5aa2a992a.exe" "C:\Users\admin\Desktop\CyberGhostVPNSetup.exe"
Path: C:\Program Files\21c1cb9e-6fbd-4123-b02a-cbf055a9d926\924452ad-3425-47b2-94ca-11f5aa2a992a.exe
Parent process: CyberGhostVPNSetup.exe
User:
admin
Company:
CyberGhost S.A.
Integrity Level:
HIGH
Description:
CyberGhost 8 Installer
Exit code:
0
Version:
8.4.2.78
Modules
Images
c:\program files\21c1cb9e-6fbd-4123-b02a-cbf055a9d926\924452ad-3425-47b2-94ca-11f5aa2a992a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1952
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2180 -parentBuildID 20240213221259 -prefsHandle 2280 -prefMapHandle 2276 -prefsLen 30705 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d198d526-4d3f-4b6b-88fc-1ee97bfe4b58} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 1f7e0382110 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
PID: 2736
CMD: "C:\Program Files\CyberGhost 8\Dashboard.exe" /install
Path: C:\Program Files\CyberGhost 8\Dashboard.exe
Parent process: 924452ad-3425-47b2-94ca-11f5aa2a992a.exe
User:
admin
Company:
CyberGhost S.R.L.
Integrity Level:
HIGH
Description:
CyberGhost 8
Exit code:
0
Version:
8.4.9.14426
Modules
Images
c:\program files\cyberghost 8\dashboard.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2844
CMD: "C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe" "Local Area Connection" /e ms_tcpip
Path: C:\Program Files\CyberGhost 8\Applications\VPN\Data\Tools\nvspbind.exe
Parent process: Dashboard.Service.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Hyper-V Network VSP Bind Application
Exit code:
0
Version:
6.1.7725.0 (fbl_core1_hyp_dev(kemange).091124-1220)
PID: 3024
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240213221259 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 30705 -prefMapSize 244343 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec9bb4e-b90d-484f-902b-caad1542df12} 5004 "\\.\pipe\gecko-crash-server-pipe.5004" 1f7ecee6910 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
PID: 3396
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
123.0
PID: 3772
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 3904
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nvspbind.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
30 580
Read events
30 491
Write events
85
Delete events
4

Modification events

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (6516) CyberGhostVPNSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CyberGhostVPNSetup_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files
519
Suspicious files
256
Text files
907
Unknown types
4

Dropped files

PID
Process
Filename
Type
PID: 1752
Process: 924452ad-3425-47b2-94ca-11f5aa2a992a.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Local\Temp\KAPE\Update\714a93b5-70e4-47e3-8ffa-a6039a01d300\5fa89509-b400-4c15-913e-a767e2886239.zip
MD5:
SHA256:
PID: 1752
Process: 924452ad-3425-47b2-94ca-11f5aa2a992a.exe
Filename: C:\Users\admin\AppData\Local\Temp\TmpCC23.tmp
Type: text
MD5:647F843626B023AAAA748F924F95AC25
SHA256:732DEE732E0261AFBFBA21ECA43008A5009CFC9E4C405ECE8826A9746564CCEB
PID: 6516
Process: CyberGhostVPNSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C
Type: binary
MD5:6EA160D837E2029D7F216A39458FCC42
SHA256:1921608FDAD97687C7403DE679FFC52240319C7797CCF5FC6DE075F476DB78AB
PID: 1752
Process: 924452ad-3425-47b2-94ca-11f5aa2a992a.exe
Filename: C:\Users\admin\AppData\Local\Temp\TmpCBF4.tmp
Type: text
MD5:647F843626B023AAAA748F924F95AC25
SHA256:732DEE732E0261AFBFBA21ECA43008A5009CFC9E4C405ECE8826A9746564CCEB
PID: 1752
Process: 924452ad-3425-47b2-94ca-11f5aa2a992a.exe
Filename: C:\Program Files\CyberGhost 8\Castle.Core.dll
Type: executable
MD5:E64B123644BEAAA2B849AA7217299F4A
SHA256:A260594A3BA7CDB89A296DD6F9E1CC18FE2C93A3B4D25DE01D2B07A61F093993
PID: 6516
Process: CyberGhostVPNSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Type: binary
MD5:89541B407FE59C77A11D5876879B0AFE
SHA256:F24D257DA56F788DE0B5D79029D5459A63FA7369F3B91459A9D1802816FDB713
PID: 6516
Process: CyberGhostVPNSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46E4040B4A28D439FBFA7E9FC642442C
Type: der
MD5:B8CF08BA37BA2203AE324998E3F89BEE
SHA256:751225CDFD7663D23EF3FD486D5D7834D18D96E37DF40B3680043DDC7B57A667
PID: 6516
Process: CyberGhostVPNSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Type: der
MD5:D407D5257D0D53A96538F1A7E9B169BC
SHA256:5B1C8C416405DDC51D5E35E23978B9A1CA0BEA6EA6B26EF7B38771FF491ADC22
PID: 6516
Process: CyberGhostVPNSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Type: der
MD5:362F9B80FDC2B3BB2CF7EE350A3124E4
SHA256:86812DA6E5EC489C2F6FD040FF59888D1AC83B63604004F79989EE8F475046B1
PID: 6516
Process: CyberGhostVPNSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Type: binary
MD5:4F874F36EB3F77E0AE0F0912FC6FBC7E
SHA256:30EA959FA6CC34D363BB0A0C9B4783955F0D71698FB96214BDBB95E90B332444
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
72
TCP/UDP connections
215
DNS requests
225
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6516
CyberGhostVPNSetup.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D
unknown
whitelisted
6516
CyberGhostVPNSetup.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEBCAEdkNAQ%2BVnslmQeaPkY8%3D
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6516
CyberGhostVPNSetup.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D
unknown
whitelisted
4004
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5232
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4004
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7044
Dashboard.Service.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA%2B4p0C5FY0DUUO8WdnwQCk%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5984
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.137:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4360
SearchApp.exe
92.123.104.14:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
google.com
  • 142.250.185.206
whitelisted
www.bing.com
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
download.cyberghostvpn.com
  • 104.20.1.14
  • 104.20.0.14
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.sectigo.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
api.cyberghostvpn.com
  • 104.20.1.14
  • 104.20.0.14
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
Not Suspicious Traffic
INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
Process
Message
Dashboard.exe
#### REINSTALLTAPV9DRIVER ####