6e9c8eb31b66541ce3f9bc1a4576d95c6f85d3ceca4d75e6c3372b93e9d05050

Analysis

max time kernel
134s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VyprVPN-4.3.1.10763-installer.exe
Size

10.7MB
MD5

9dd8c4b316a45f0fddcce8bc8b1da8d7
SHA1

ce61389ff40ecb9e054d72bd9b6b0bdf906c6cd4
SHA256

6e9c8eb31b66541ce3f9bc1a4576d95c6f85d3ceca4d75e6c3372b93e9d05050
SHA512

bf935f37f79964d1437afc14c8d0155e59c411c60e056f1f9051a7e9945d2000e7aa8482272aa4aa8c8bfa40c90c350904c39ea085f57621098f8e21d8d2dcf7
SSDEEP

196608:2FE+DnQumW2gy7VcNsjbmmU9uJIg/5tfSr9f/HHUYDucjnLn6NDXL3wzZ:4E+TDmW2gyJcNsjblLJIg/5tfKf/Hl9F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

devcon.exedevcon.exe

pid process

2112 devcon.exe
3684 devcon.exe

pid	process
2112	devcon.exe
3684	devcon.exe

Loads dropped DLL 11 IoCs

Processes:

VyprVPN-4.3.1.10763-installer.exe

pid	process
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe
4320	VyprVPN-4.3.1.10763-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8BB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8BC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8BC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8AB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8BB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8AB.tmp	DrvInst.exe

Drops file in Program Files directory 49 IoCs

Processes:

VyprVPN-4.3.1.10763-installer.exe

description	ioc	process
File created	C:\Program Files (x86)\VyprVPN\Config\ca.vyprvpn.com.crt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\ManagedCO.dll	VyprVPN-4.3.1.10763-installer.exe
File opened for modification	C:\Program Files (x86)\VyprVPN\ManagedWifi.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Licenses\CPOL.txt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Licenses\nsArray.txt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\vypr\liblzo2-2.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Licenses\wintun.txt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\driver\OemWin2k.inf	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\driver\tap0901.cat	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\liblzo2-2.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Docs\license.rtf	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Catel.Core.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\GoldenFrogVPN.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\System.Collections.Immutable.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\vypr\libpkcs11-helper-1.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Licenses\MIT.txt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\System.Runtime.CompilerServices.Unsafe.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\driver\OemVista.inf	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\openvpn.exe	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\libcrypto-1_1-x64.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Docs\ThirdPartySoftwareReadme.pdf	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\GoldenFrogUT.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\IPC.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Newtonsoft.Json.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\vypr\libeay32.dll	VyprVPN-4.3.1.10763-installer.exe
File opened for modification	C:\Program Files (x86)\VyprVPN\install.log	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Config\certs\goldenfrog-client.p12	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Licenses\WireGuard.txt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\driver\tapvyprvpn.cat	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\log4net.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Licenses\Boost_LICENSE_1_0.txt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\libpkcs11-helper-1.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Uninstall.exe	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Catel.MVVM.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\GoldenFrogIPC.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\System.Windows.Interactivity.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\vypr\ssleay32.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Microsoft.Expression.Interactions.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Licenses\APACHE-LICENSE-2.0.txt	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\GoldenFrogWFP.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\driver\tapvyprvpn.sys	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Config\certs\GoldenFrog-Inc.cer	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Hardcodet.Wpf.TaskbarNotification.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\Log.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\ManagedWifi.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\driver\tap0901.sys	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\libssl-1_1-x64.dll	VyprVPN-4.3.1.10763-installer.exe
File created	C:\Program Files (x86)\VyprVPN\OpenVPN\bin\vypr\openvpn-VyprVPN.exe	VyprVPN-4.3.1.10763-installer.exe

Drops file in Windows directory 3 IoCs

Processes:

devcon.exesvchost.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

devcon.exesvchost.exedevcon.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2088 tasklist.exe
2016 tasklist.exe
4424 tasklist.exe
4932 tasklist.exe
3120 tasklist.exe
4720 tasklist.exe

pid	process
2088	tasklist.exe
2016	tasklist.exe
4424	tasklist.exe
4932	tasklist.exe
3120	tasklist.exe
4720	tasklist.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

devcon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	devcon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	devcon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4424	tasklist.exe
Token: SeDebugPrivilege	4932	tasklist.exe
Token: SeDebugPrivilege	3120	tasklist.exe
Token: SeDebugPrivilege	4720	tasklist.exe
Token: SeDebugPrivilege	2088	tasklist.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeAuditPrivilege	2564	svchost.exe
Token: SeSecurityPrivilege	2564	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

VyprVPN-4.3.1.10763-installer.exesvchost.exeDrvInst.exe

description	pid	process	target process
PID 4320 wrote to memory of 4424	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4424	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4424	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4932	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4932	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4932	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 3120	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 3120	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 3120	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4720	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4720	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 4720	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 2088	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 2088	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 2088	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 2016	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 2016	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 2016	4320	VyprVPN-4.3.1.10763-installer.exe	tasklist.exe
PID 4320 wrote to memory of 2112	4320	VyprVPN-4.3.1.10763-installer.exe	devcon.exe
PID 4320 wrote to memory of 2112	4320	VyprVPN-4.3.1.10763-installer.exe	devcon.exe
PID 4320 wrote to memory of 3684	4320	VyprVPN-4.3.1.10763-installer.exe	devcon.exe
PID 4320 wrote to memory of 3684	4320	VyprVPN-4.3.1.10763-installer.exe	devcon.exe
PID 2564 wrote to memory of 3068	2564	svchost.exe	DrvInst.exe
PID 2564 wrote to memory of 3068	2564	svchost.exe	DrvInst.exe
PID 3068 wrote to memory of 3112	3068	DrvInst.exe	rundll32.exe
PID 3068 wrote to memory of 3112	3068	DrvInst.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\VyprVPN-4.3.1.10763-installer.exe
"C:\Users\Admin\AppData\Local\Temp\VyprVPN-4.3.1.10763-installer.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq vyprvpn.exe"
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq VyprVPNWireGuardService.exe"
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq openvpn-VyprVPN.exe"
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq openvpn.exe"
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq chameleon.exe"
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\tasklist.exe
tasklist /NH /FI "IMAGENAME eq vyprvpnservice.exe"
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe
"C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon" hwids tap0901
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2112

C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe
"C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon" install "C:\Program Files (x86)\VyprVPN\OpenVPN\driver\OemVista.inf" tap0901
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{c0b0721f-81b8-444f-b4f2-6e1e8cf9467a}\oemvista.inf" "9" "4d14a44ff" "00000000000000BC" "WinSta0\Default" "000000000000013C" "208" "c:\program files (x86)\vyprvpn\openvpn\driver"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{58931a81-4161-c14d-b62f-0f5102f5fe92} Global\{0e1b6dc7-c25d-974b-a870-26933d10485b} C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\tap0901.cat
3⤵
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VyprVPN\OpenVPN\driver\OemVista.inf
Filesize
7KB

MD5
b6d7ecafc4e8df42b49ec58bd55fe518

SHA1
6c257db0c94fa46773b1601ec77821bde48ee880

SHA256
4138ccc008ad2cbb3912df7801e2ebbbaf84402d15de2347b88661c1b2d015f0

SHA512
c03b5157a4c947ebc51753d45603f029d3a5608c6c11d460deaaeaf000a9c76f624342772ccca239c207ecd428f1ca3e7851d7b799ce14e4c1a95fb46f9b3c74

Download Submit
C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe
Filesize
79KB

MD5
530dedeff00322be5f5a0fbf341db2ca

SHA1
b147ee2488fea4e14f3aa16423bff46f5c57d50c

SHA256
97cff42f8c0fe4fbdf991273159516bf78090625a933c3983ebd6f62284e329a

SHA512
7083a56f298c933ad83f982866cc80317579a74802b6e182e18fa254f70604fcd353b71b35c42208737b116f0c1045a71ece7fd99eef9e75d46816a380c093ac

Download Submit
C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe
Filesize
79KB

MD5
530dedeff00322be5f5a0fbf341db2ca

SHA1
b147ee2488fea4e14f3aa16423bff46f5c57d50c

SHA256
97cff42f8c0fe4fbdf991273159516bf78090625a933c3983ebd6f62284e329a

SHA512
7083a56f298c933ad83f982866cc80317579a74802b6e182e18fa254f70604fcd353b71b35c42208737b116f0c1045a71ece7fd99eef9e75d46816a380c093ac

Download Submit
C:\Program Files (x86)\VyprVPN\OpenVPN\util\devcon.exe
Filesize
79KB

MD5
530dedeff00322be5f5a0fbf341db2ca

SHA1
b147ee2488fea4e14f3aa16423bff46f5c57d50c

SHA256
97cff42f8c0fe4fbdf991273159516bf78090625a933c3983ebd6f62284e329a

SHA512
7083a56f298c933ad83f982866cc80317579a74802b6e182e18fa254f70604fcd353b71b35c42208737b116f0c1045a71ece7fd99eef9e75d46816a380c093ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\InstallOptions.dll
Filesize
15KB

MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\InstallOptions.dll
Filesize
15KB

MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\InstallOptions.dll
Filesize
15KB

MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\ioSpecial.ini
Filesize
1KB

MD5
1d45ebaed5e5d296e309a5bbdffaa4e0

SHA1
b46d1da3dd2398cdca1a5d91d3fb0688d4910163

SHA256
9c1a2139b052e761a77214f7b4b0cd4c03a7f52a1fb8aef60c7efccda3a391e2

SHA512
7bb7c61fe80b98dedafb911ad76ab5f8578c2312677d567d6b540d5608c40da59be8673a01f39a1b51a03b512a332910c03fa8f8072878ed80487e58f5799e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\ioSpecial.ini
Filesize
1KB

MD5
904eabe58ad25469708ffe55dac07ea2

SHA1
6d4bada29e5bdef7b5d7afd901a77525d07031e4

SHA256
b067a0a57bef002713ffb13b438904163e950917a3c2b48bd70cf2e368f9d2de

SHA512
8d0597bda55953cf3c2b5c626655bb1bc63d6a695ecf0a36d0d03757adef4e4672dc8b67cab9edcf74e26186c7a0f056ef10ed785c568ff9490dcd5ee73df061

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl71DB.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C0B07~1\tap0901.cat
Filesize
9KB

MD5
0620c400058122f71130ed0091465467

SHA1
21e10fe9b3976aee74e711527156057208e04614

SHA256
6eaa163e0954f85356a0b2f599aebbf078fae0f8b3508ca42c921b1a2125e5a6

SHA512
0c6164e3a25bdba43e8e3f28c07316b0bebda43ae674b08c111bfff3d38b02591384923ff8b5fae773cfe7b4fc11f94a57838284569954f02b6446777c74d2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C0B07~1\tap0901.sys
Filesize
27KB

MD5
f36dfe9194f57de7805f746a3d917ee9

SHA1
92bae1356cd76cf95702f90d2b4909cb2a8844fe

SHA256
b221dfc9c56213dda9adc40ea88dfad0e6cda08dd7d896c3e86cd4a2d22a034e

SHA512
4948fcc724baec5b431f330650ee64bb92491e07aab9714a76c0521204f1ecff0fa25929a332ec1a826251d5fb35ffde294d86dc607775bc82579ac8db77d4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{c0b0721f-81b8-444f-b4f2-6e1e8cf9467a}\oemvista.inf
Filesize
7KB

MD5
b6d7ecafc4e8df42b49ec58bd55fe518

SHA1
6c257db0c94fa46773b1601ec77821bde48ee880

SHA256
4138ccc008ad2cbb3912df7801e2ebbbaf84402d15de2347b88661c1b2d015f0

SHA512
c03b5157a4c947ebc51753d45603f029d3a5608c6c11d460deaaeaf000a9c76f624342772ccca239c207ecd428f1ca3e7851d7b799ce14e4c1a95fb46f9b3c74

Download Submit
C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8AB.tmp
Filesize
7KB

MD5
b6d7ecafc4e8df42b49ec58bd55fe518

SHA1
6c257db0c94fa46773b1601ec77821bde48ee880

SHA256
4138ccc008ad2cbb3912df7801e2ebbbaf84402d15de2347b88661c1b2d015f0

SHA512
c03b5157a4c947ebc51753d45603f029d3a5608c6c11d460deaaeaf000a9c76f624342772ccca239c207ecd428f1ca3e7851d7b799ce14e4c1a95fb46f9b3c74

Download Submit
C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8BB.tmp
Filesize
9KB

MD5
0620c400058122f71130ed0091465467

SHA1
21e10fe9b3976aee74e711527156057208e04614

SHA256
6eaa163e0954f85356a0b2f599aebbf078fae0f8b3508ca42c921b1a2125e5a6

SHA512
0c6164e3a25bdba43e8e3f28c07316b0bebda43ae674b08c111bfff3d38b02591384923ff8b5fae773cfe7b4fc11f94a57838284569954f02b6446777c74d2e7

Download Submit
C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\SET8BC.tmp
Filesize
27KB

MD5
f36dfe9194f57de7805f746a3d917ee9

SHA1
92bae1356cd76cf95702f90d2b4909cb2a8844fe

SHA256
b221dfc9c56213dda9adc40ea88dfad0e6cda08dd7d896c3e86cd4a2d22a034e

SHA512
4948fcc724baec5b431f330650ee64bb92491e07aab9714a76c0521204f1ecff0fa25929a332ec1a826251d5fb35ffde294d86dc607775bc82579ac8db77d4e3

Download Submit
C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\oemvista.inf
Filesize
7KB

MD5
b6d7ecafc4e8df42b49ec58bd55fe518

SHA1
6c257db0c94fa46773b1601ec77821bde48ee880

SHA256
4138ccc008ad2cbb3912df7801e2ebbbaf84402d15de2347b88661c1b2d015f0

SHA512
c03b5157a4c947ebc51753d45603f029d3a5608c6c11d460deaaeaf000a9c76f624342772ccca239c207ecd428f1ca3e7851d7b799ce14e4c1a95fb46f9b3c74

Download Submit
C:\Windows\System32\DriverStore\Temp\{f79abb82-81ce-2d49-9174-136cdee4b638}\tap0901.cat
Filesize
9KB

MD5
0620c400058122f71130ed0091465467

SHA1
21e10fe9b3976aee74e711527156057208e04614

SHA256
6eaa163e0954f85356a0b2f599aebbf078fae0f8b3508ca42c921b1a2125e5a6

SHA512
0c6164e3a25bdba43e8e3f28c07316b0bebda43ae674b08c111bfff3d38b02591384923ff8b5fae773cfe7b4fc11f94a57838284569954f02b6446777c74d2e7

Download Submit
\??\c:\PROGRA~2\vyprvpn\openvpn\driver\tap0901.sys
Filesize
27KB

MD5
f36dfe9194f57de7805f746a3d917ee9

SHA1
92bae1356cd76cf95702f90d2b4909cb2a8844fe

SHA256
b221dfc9c56213dda9adc40ea88dfad0e6cda08dd7d896c3e86cd4a2d22a034e

SHA512
4948fcc724baec5b431f330650ee64bb92491e07aab9714a76c0521204f1ecff0fa25929a332ec1a826251d5fb35ffde294d86dc607775bc82579ac8db77d4e3

Download Submit
\??\c:\program files (x86)\vyprvpn\openvpn\driver\tap0901.cat
Filesize
9KB

MD5
0620c400058122f71130ed0091465467

SHA1
21e10fe9b3976aee74e711527156057208e04614

SHA256
6eaa163e0954f85356a0b2f599aebbf078fae0f8b3508ca42c921b1a2125e5a6

SHA512
0c6164e3a25bdba43e8e3f28c07316b0bebda43ae674b08c111bfff3d38b02591384923ff8b5fae773cfe7b4fc11f94a57838284569954f02b6446777c74d2e7

Download Submit