f715fd70ffa8bae01641ab0954dddfb4604586b63361b49f681801e68252eee3

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/12/2022, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UrbanVPN2.exe
Size

30.9MB
MD5

87d504827ef7eb568d6dcecfad38d1f9
SHA1

e7b8e8bfd973a932b3a32422b1d5e58924ea1955
SHA256

f715fd70ffa8bae01641ab0954dddfb4604586b63361b49f681801e68252eee3
SHA512

1134bfd74c43b6a110c6536e9e542c5b8c2379ecb380ccc33475aba7f7ee4f328a6d1986d781955c26523f5bb2726af56fb796a147fdb6fd74d1223da187df41
SSDEEP

786432:fmT7jot5Kn402EbWJyMSt8NAi0KoK0PYuQM:fYmQ402qWJ6t8OJKol

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	1068	msiexec.exe
11	608	MsiExec.exe
12	608	MsiExec.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET7031.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET7031.tmp	DrvInst.exe

Executes dropped EXE 10 IoCs

pid	Process
2248	MSIE881.tmp
2280	tapinstall.exe
2308	tapinstall.exe
2624	MSI771E.tmp
2960	UrbanVPNUpdater.exe
3012	urbanvpnserv.exe
1616	UrbanVPNUpdater.exe
1596	urbanvpn-gui.exe
1012	urbanvpn.exe
2924	urbanvpn.exe

Loads dropped DLL 63 IoCs

pid	Process
1292	UrbanVPN2.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1156	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
608	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
608	MsiExec.exe
608	MsiExec.exe
608	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
1252	MsiExec.exe
2248	MSIE881.tmp
2248	MSIE881.tmp
2248	MSIE881.tmp
2248	MSIE881.tmp
2248	MSIE881.tmp
2248	MSIE881.tmp
2248	MSIE881.tmp
1252	MsiExec.exe
608	MsiExec.exe
608	MsiExec.exe
2884	MsiExec.exe
2884	MsiExec.exe
2884	MsiExec.exe
460	Process not Found
3012	urbanvpnserv.exe
1252	MsiExec.exe
2884	MsiExec.exe
1252	MsiExec.exe
1156	MsiExec.exe
1616	UrbanVPNUpdater.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1452	Process not Found
1012	urbanvpn.exe
1012	urbanvpn.exe
1012	urbanvpn.exe
1012	urbanvpn.exe
3012	urbanvpnserv.exe
2924	urbanvpn.exe
2924	urbanvpn.exe
2924	urbanvpn.exe
2924	urbanvpn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UrbanVPN = "C:\\Program Files\\UrbanVPN\\UrbanVPNUpdater.exe /checknow -minuseractions -startappfirst -restartapp \"C:\\Program Files\\UrbanVPN\\bin\\urbanvpn-gui.exe\" "	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI771E.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	UrbanVPN2.exe
File opened (read-only)	\??\I:	UrbanVPN2.exe
File opened (read-only)	\??\L:	UrbanVPN2.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	UrbanVPN2.exe
File opened (read-only)	\??\G:	UrbanVPN2.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	UrbanVPN2.exe
File opened (read-only)	\??\M:	UrbanVPN2.exe
File opened (read-only)	\??\P:	UrbanVPN2.exe
File opened (read-only)	\??\W:	UrbanVPN2.exe
File opened (read-only)	\??\Y:	UrbanVPN2.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	UrbanVPN2.exe
File opened (read-only)	\??\O:	UrbanVPN2.exe
File opened (read-only)	\??\V:	UrbanVPN2.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	UrbanVPN2.exe
File opened (read-only)	\??\T:	UrbanVPN2.exe
File opened (read-only)	\??\Z:	UrbanVPN2.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	UrbanVPN2.exe
File opened (read-only)	\??\S:	UrbanVPN2.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	UrbanVPN2.exe
File opened (read-only)	\??\X:	UrbanVPN2.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	UrbanVPN2.exe
File opened (read-only)	\??\J:	UrbanVPN2.exe
File opened (read-only)	\??\N:	UrbanVPN2.exe
File opened (read-only)	\??\R:	UrbanVPN2.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_6d4bec28a2ef0cdf\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_6d4bec28a2ef0cdf\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\SETEFFB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\SETF00C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\SETF00B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\SETEFFB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\SETF00B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\SETF00C.tmp	DrvInst.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\UrbanVPN\bin\libcrypto-1_1-x64.dll	msiexec.exe
File created	C:\Program Files\TAP-Windows\license.txt	MSIE881.tmp
File created	C:\Program Files\TAP-Windows\Uninstall.exe	MSIE881.tmp
File created	C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\openssl.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\liblzo2-2.dll	msiexec.exe
File created	C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\urbanvpn.dll	msiexec.exe
File opened for modification	C:\Program Files\UrbanVPN\UrbanVPNUpdater.ini	msiexec.exe
File created	C:\Program Files\TAP-Windows\bin\tapinstall.exe	MSIE881.tmp
File created	C:\Program Files\TAP-Windows\driver\OemVista.inf	MSIE881.tmp
File created	C:\Program Files\TAP-Windows\driver\tap0901.cat	MSIE881.tmp
File created	C:\Program Files\TAP-Windows\bin\addtap.bat	MSIE881.tmp
File created	C:\Program Files\UrbanVPN\bin\libpkcs11-helper-1.dll	msiexec.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.sys	MSIE881.tmp
File created	C:\Program Files\TAP-Windows\icon.ico	MSIE881.tmp
File created	C:\Program Files\UrbanVPN\bin\urbanvpn.exe	msiexec.exe
File created	C:\Program Files\TAP-Windows\bin\deltapall.bat	MSIE881.tmp
File created	C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\libssl-1_1-x64.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\custicon	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\exclamic	UrbanVPN2.exe
File opened for modification	C:\Windows\Installer\MSIE1B6.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\repairic	UrbanVPN2.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6cc60e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cc60e.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSID969.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75B4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9636.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\URL7743.url	MSI771E.tmp
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\dialog.jpg	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\cmdlinkarrow	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\NetFirewall.dll	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\lzmaextractor.dll	UrbanVPN2.exe
File created	C:\Windows\Installer\6cc60f.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\ShortcutFlags.dll	UrbanVPN2.exe
File opened for modification	C:\Windows\Installer\MSID4F4.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI771E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9740.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\URL7743.url:favicon	IEXPLORE.EXE
File created	C:\Windows\SystemTemp\URL7743.url\:favicon:$DATA	IEXPLORE.EXE
File opened for modification	C:\Windows\Installer\MSIE861.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\6cc60f.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\Button2.jpg	UrbanVPN2.exe
File opened for modification	C:\Windows\Installer\MSID9B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA46.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75C4.tmp	msiexec.exe
File created	C:\Windows\Installer\6cc611.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE61B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\Up	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\InstallerHelperDLL.dll	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\Privacy.png	UrbanVPN2.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSICCC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID457.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE841.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI92F9.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\completi	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\tabback	UrbanVPN2.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIC8AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDA0.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSID68B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI986D.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\WhiteBack.png	UrbanVPN2.exe
File opened for modification	C:\Windows\Installer\MSIE881.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9625.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\URL7743.url	IEXPLORE.EXE
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\insticon	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\banner.jpg	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_1292\Permission.png	UrbanVPN2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000014145-99.dat	nsis_installer_2

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	43	Go-http-client/1.1
HTTP User-Agent header	45	Go-http-client/1.1
HTTP User-Agent header	134	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.urban-vpn.com\ = "79"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8041605fca1ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.urban-vpn.com\ = "158"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "39"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.urban-vpn.com\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000ac469adefc0d80006fa29397d9f4ce14312baf03ee049a514d9a9b29d29add9c000000000e800000000200002000000022dc9ffc7d55c742ee50bf194aa17df22d6e3b4d1fa6e1a1fccf4c4c90cb1dda20000000b2f5f53aa533a640f5b93fb83ca5da28198e69ebcd0f131889e956b8dd57b56f400000001b2cdb6ee6d6e7d218d04af10185eb5d547ea73f74b0f98a3f371b7c4dfe3bf03f95119d4f426a382e8c60e67218dc1b70d26f5e578f2871d55aeb4e34f793ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.urban-vpn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.urban-vpn.com\ = "39"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "79"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\urban-vpn.com\Total = "79"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\urban-vpn.com\Total = "118"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000056042eab9057b3f678ec6860df966f79ff0ca129f4ed358f4566f69db61e3299000000000e8000000002000020000000d39bd8d595576f62a28ee592ca37233ba3415b3950a19aa3e22292fe9c5465879000000023fb9c0659b9763fa343088765623e457f1f3fd746977ac50084283a5c4c85336ee9236fbec7aad66af50420e542482531a96baf13d7ebed03a257980891e159b0df3ea229b3bea76c13b7599a93e7651a22074a7ba543a7092713e5ca61e9c378e7b61c1ac276722b798386f3ee4e9eea3645db3fae840e46700eadc91ca25e2d4e4ed5046c512da22dc30ad599215e40000000e5a0c3450664ed14730e68733be62b4b59b2ec29d354fb9afb56759c4a454a8f8e62a2a14f876dfce24739ad8c9a1896c4bb638f94e38e8280ac64f2621fc802	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	UrbanVPN2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\urban-vpn.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\urban-vpn.com\Total = "39"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84A2A551-86BD-11ED-8553-72598884447E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\urban-vpn.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\urban-vpn.com\Total = "158"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sstpsvc.dll,-203 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32008 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Urban Security\\UrbanVPN 2.2.10\\install\\9295F50\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75B3CDDBE68DA104B9F9FAFD9E92F505\AI64BitFiles	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\ProductIcon = "C:\\Windows\\Installer\\{BDDC3B57-D86E-401A-9B9F-AFDFE9295F50}\\urbanvpngui_1.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Urban Security\\UrbanVPN 2.2.10\\install\\9295F50\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75B3CDDBE68DA104B9F9FAFD9E92F505\AIOtherFiles	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList\PackageName = "urbanvpninstaller.x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75B3CDDBE68DA104B9F9FAFD9E92F505\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\ProductName = "UrbanVPN"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\Version = "33685514"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D15EE4AAF3E53D9488CC68E460CB755B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D15EE4AAF3E53D9488CC68E460CB755B\75B3CDDBE68DA104B9F9FAFD9E92F505	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75B3CDDBE68DA104B9F9FAFD9E92F505	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\PackageCode = "9D3BA3E675B6905458EBE6C37847E1FC"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75B3CDDBE68DA104B9F9FAFD9E92F505\SourceList\Media\1 = ";"	msiexec.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	urbanvpn-gui.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	UrbanVPNUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	UrbanVPNUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	UrbanVPNUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	UrbanVPNUpdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	urbanvpn-gui.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	UrbanVPNUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	UrbanVPNUpdater.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\URL7743.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\wwwA15E.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Windows\SystemTemp\URL7743.url\:favicon:$DATA	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1596	urbanvpn-gui.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1156	MsiExec.exe
1156	MsiExec.exe
1068	msiexec.exe
1068	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1596	urbanvpn-gui.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1068	msiexec.exe
Token: SeTakeOwnershipPrivilege	1068	msiexec.exe
Token: SeSecurityPrivilege	1068	msiexec.exe
Token: SeCreateTokenPrivilege	1292	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	1292	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	1292	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	1292	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	1292	UrbanVPN2.exe
Token: SeTcbPrivilege	1292	UrbanVPN2.exe
Token: SeSecurityPrivilege	1292	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	1292	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	1292	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	1292	UrbanVPN2.exe
Token: SeSystemtimePrivilege	1292	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	1292	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	1292	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	1292	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	1292	UrbanVPN2.exe
Token: SeBackupPrivilege	1292	UrbanVPN2.exe
Token: SeRestorePrivilege	1292	UrbanVPN2.exe
Token: SeShutdownPrivilege	1292	UrbanVPN2.exe
Token: SeDebugPrivilege	1292	UrbanVPN2.exe
Token: SeAuditPrivilege	1292	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	1292	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	1292	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	1292	UrbanVPN2.exe
Token: SeUndockPrivilege	1292	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	1292	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	1292	UrbanVPN2.exe
Token: SeManageVolumePrivilege	1292	UrbanVPN2.exe
Token: SeImpersonatePrivilege	1292	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	1292	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	1292	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	1292	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	1292	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	1292	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	1292	UrbanVPN2.exe
Token: SeTcbPrivilege	1292	UrbanVPN2.exe
Token: SeSecurityPrivilege	1292	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	1292	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	1292	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	1292	UrbanVPN2.exe
Token: SeSystemtimePrivilege	1292	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	1292	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	1292	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	1292	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	1292	UrbanVPN2.exe
Token: SeBackupPrivilege	1292	UrbanVPN2.exe
Token: SeRestorePrivilege	1292	UrbanVPN2.exe
Token: SeShutdownPrivilege	1292	UrbanVPN2.exe
Token: SeDebugPrivilege	1292	UrbanVPN2.exe
Token: SeAuditPrivilege	1292	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	1292	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	1292	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	1292	UrbanVPN2.exe
Token: SeUndockPrivilege	1292	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	1292	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	1292	UrbanVPN2.exe
Token: SeManageVolumePrivilege	1292	UrbanVPN2.exe
Token: SeImpersonatePrivilege	1292	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	1292	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	1292	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	1292	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	1292	UrbanVPN2.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1292	UrbanVPN2.exe
2672	iexplore.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1292	UrbanVPN2.exe
1292	UrbanVPN2.exe
2672	iexplore.exe
2672	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
1596	urbanvpn-gui.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1156	1068	msiexec.exe	29
PID 1068 wrote to memory of 1156	1068	msiexec.exe	29
PID 1068 wrote to memory of 1156	1068	msiexec.exe	29
PID 1068 wrote to memory of 1156	1068	msiexec.exe	29
PID 1068 wrote to memory of 1156	1068	msiexec.exe	29
PID 1068 wrote to memory of 1156	1068	msiexec.exe	29
PID 1068 wrote to memory of 1156	1068	msiexec.exe	29
PID 1292 wrote to memory of 1768	1292	UrbanVPN2.exe	31
PID 1292 wrote to memory of 1768	1292	UrbanVPN2.exe	31
PID 1292 wrote to memory of 1768	1292	UrbanVPN2.exe	31
PID 1292 wrote to memory of 1768	1292	UrbanVPN2.exe	31
PID 1292 wrote to memory of 1768	1292	UrbanVPN2.exe	31
PID 1292 wrote to memory of 1768	1292	UrbanVPN2.exe	31
PID 1292 wrote to memory of 1768	1292	UrbanVPN2.exe	31
PID 1068 wrote to memory of 1252	1068	msiexec.exe	35
PID 1068 wrote to memory of 1252	1068	msiexec.exe	35
PID 1068 wrote to memory of 1252	1068	msiexec.exe	35
PID 1068 wrote to memory of 1252	1068	msiexec.exe	35
PID 1068 wrote to memory of 1252	1068	msiexec.exe	35
PID 1068 wrote to memory of 1252	1068	msiexec.exe	35
PID 1068 wrote to memory of 1252	1068	msiexec.exe	35
PID 1068 wrote to memory of 608	1068	msiexec.exe	36
PID 1068 wrote to memory of 608	1068	msiexec.exe	36
PID 1068 wrote to memory of 608	1068	msiexec.exe	36
PID 1068 wrote to memory of 608	1068	msiexec.exe	36
PID 1068 wrote to memory of 608	1068	msiexec.exe	36
PID 1068 wrote to memory of 2248	1068	msiexec.exe	38
PID 1068 wrote to memory of 2248	1068	msiexec.exe	38
PID 1068 wrote to memory of 2248	1068	msiexec.exe	38
PID 1068 wrote to memory of 2248	1068	msiexec.exe	38
PID 2248 wrote to memory of 2280	2248	MSIE881.tmp	39
PID 2248 wrote to memory of 2280	2248	MSIE881.tmp	39
PID 2248 wrote to memory of 2280	2248	MSIE881.tmp	39
PID 2248 wrote to memory of 2280	2248	MSIE881.tmp	39
PID 2248 wrote to memory of 2308	2248	MSIE881.tmp	41
PID 2248 wrote to memory of 2308	2248	MSIE881.tmp	41
PID 2248 wrote to memory of 2308	2248	MSIE881.tmp	41
PID 2248 wrote to memory of 2308	2248	MSIE881.tmp	41
PID 2352 wrote to memory of 2376	2352	DrvInst.exe	44
PID 2352 wrote to memory of 2376	2352	DrvInst.exe	44
PID 2352 wrote to memory of 2376	2352	DrvInst.exe	44
PID 1068 wrote to memory of 2624	1068	msiexec.exe	46
PID 1068 wrote to memory of 2624	1068	msiexec.exe	46
PID 1068 wrote to memory of 2624	1068	msiexec.exe	46
PID 1068 wrote to memory of 2624	1068	msiexec.exe	46
PID 1068 wrote to memory of 2624	1068	msiexec.exe	46
PID 1068 wrote to memory of 2624	1068	msiexec.exe	46
PID 1068 wrote to memory of 2624	1068	msiexec.exe	46
PID 2672 wrote to memory of 2728	2672	iexplore.exe	48
PID 2672 wrote to memory of 2728	2672	iexplore.exe	48
PID 2672 wrote to memory of 2728	2672	iexplore.exe	48
PID 2672 wrote to memory of 2728	2672	iexplore.exe	48
PID 1068 wrote to memory of 2884	1068	msiexec.exe	50
PID 1068 wrote to memory of 2884	1068	msiexec.exe	50
PID 1068 wrote to memory of 2884	1068	msiexec.exe	50
PID 1068 wrote to memory of 2884	1068	msiexec.exe	50
PID 1068 wrote to memory of 2884	1068	msiexec.exe	50
PID 1068 wrote to memory of 2884	1068	msiexec.exe	50
PID 1068 wrote to memory of 2884	1068	msiexec.exe	50
PID 1068 wrote to memory of 2960	1068	msiexec.exe	51
PID 1068 wrote to memory of 2960	1068	msiexec.exe	51
PID 1068 wrote to memory of 2960	1068	msiexec.exe	51
PID 1068 wrote to memory of 2960	1068	msiexec.exe	51
PID 1068 wrote to memory of 2960	1068	msiexec.exe	51

C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe
"C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe
  "C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe" /i "C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.10\install\9295F50\urbanvpninstaller.x64.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\UrbanVPN" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UrbanVPN" SECONDSEQUENCE="1" CLIENTPROCESSID="1292" AI_MORE_CMD_LINE=1
  2⤵
  PID:1768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27D7ADDC4351C25C31A8DF46292998DF C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCA46E81A5A4991B0565D0A1B624A059
  2⤵
  - Loads dropped DLL
  PID:1252
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B7DDDE0F32C0F1AA9FA31F27EB0E5E5D
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:608
- C:\Windows\Installer\MSIE881.tmp
  "C:\Windows\Installer\MSIE881.tmp" /S /SELECT_UTILITIES=1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files\TAP-Windows\bin\tapinstall.exe
    "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Program Files\TAP-Windows\bin\tapinstall.exe
    "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies system certificate store
    PID:2308
- C:\Windows\Installer\MSI771E.tmp
  "C:\Windows\Installer\MSI771E.tmp" https://www.urban-vpn.com/install-desk/
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  PID:2624
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 53F3D4E15E7351FC0396555FD081A793 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2884
- C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe
  "C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe" /configservice -name "UrbanVPNUpdater"
  2⤵
  - Executes dropped EXE
  PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:588

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000003AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1940

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1ec63871-cbad-75ab-8a82-b82275668c6d}\oemvista.inf" "9" "6d14a44ff" "00000000000002B8" "WinSta0\Default" "0000000000000498" "208" "c:\program files\tap-windows\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5f9d3856-c1d9-5e60-29d3-6b098e5b7572} Global\{46f209aa-fa67-1427-8f4b-e570e41cb064} C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{4a543fd7-f437-7616-04e5-d85665dd5c4c}\tap0901.cat
  2⤵
  PID:2376

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.2.601:tap0901" "6d14a44ff" "00000000000002B8" "00000000000005E4" "00000000000005D4"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:2728

C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe
"C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012
- C:\Program Files\UrbanVPN\bin\urbanvpn.exe
  urbanvpn --log "C:\Users\Admin\UrbanVPN\log\TR.Europe.Turkey R1.log" --config "TR.Europe.Turkey R1.ovpn" --setenv IV_GUI_VER "UrbanVPN GUI" --service 63c00000b54 0 --auth-retry interact --management 127.0.0.1 25388 stdin --management-query-passwords --management-hold --remap-usr1 SIGTERM --connect-timeout 60 --msg-channel 644
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2924

C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe
"C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe" /checknow -minuseractions -startappfirst -restartapp "C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe" -restartappcmd "-f"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1616
- C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe
  "C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe" -f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1596
- - C:\Program Files\UrbanVPN\bin\urbanvpn.exe
    urbanvpn --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
da5a9f149955d936a31dc5e456666aac

SHA1
195238d41c1e13448f349f43bb295ef2d55cb47a

SHA256
79ac574c7c45144bb35b59ff79c78dc59b66592715dea01b389e3620db663224

SHA512
60d7d1f5405470ba1e6b80066af2e78240acbea8db58b5a03660874605178aebaa9ce342ca97f17798109e7411e82466db5af064e39eaddc05410f2abe672f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_731B836F03B166238E2AC93FBDDF5EBE

Filesize
727B

MD5
a2a10bed9641fa6ce59054123223ea8e

SHA1
c08d48cc964f3bc333e5c6a2fb0106cb083e160c

SHA256
7c9a8f0c55e25499430df807e7e5c1ab163f7f2b4c761e346146b56de1eb3641

SHA512
d146ee83e0f49e1a31d08bfea9d0f809458eb28c213f863e5727dce151a1e9a7589149bc67cb920785acfae6da1349e92c2345791b5ef42fc653acb695004750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
ddaabfaeb5297284372f878514b35e01

SHA1
ebc6206a3396ec69635c289ab7dad4fb4715afd7

SHA256
d1b21e9ad22843f78e6f82422505f8396c06416a919bf97bf61383a44690be14

SHA512
24383dc912ec843f686751c3f3ec21d4c52396fbddd255e4990afbfd41c69057c73c580deb792769d766e5aff16c5ad4dbbc8e88a2972f85902dc661a5e41abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
059af5edc1701761575e2fc70d69b245

SHA1
0515b0cfc89ddd4fbd044eeb53db5d12d218056a

SHA256
b65aeed2d0e81275344459b97d3e8e2f6b116fd988274ef8a49040ad8931fe62

SHA512
5256ea4937e8bc9167dc567b92aca853e59eba3736ac5ef115d5a3e6eb1022f5489a8708bff7d0cde2e1e9d18841dbf718e29817d85700f2beb32287ca9f5397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_731B836F03B166238E2AC93FBDDF5EBE

Filesize
438B

MD5
e43aadb1db79d36a6c05171d2f8f0df7

SHA1
decef0d7e151f20c5eb1cdd8b613ee694ce45264

SHA256
0c8a33376e745233a7615c8bd9770a6979ab540f7cfbd595d25f9452fa80fa83

SHA512
23460017e5428d6e0f8a4c248c24a9557985a514c38586508a9e9f43cff2cb991a15b104625fe96b7140ba1f28194dc5a7ae3c58cd8a0d60f5f21334a0f1d6a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45baae3df52d2551e95f1925b9951566

SHA1
9e8ed32c66443d24c7e66d6911d129868917a3d9

SHA256
81020b14fc508cbe5c505f5b3ea0d7a517036a001c7739c3d0d7d35fb88b8fcf

SHA512
ee4ee853a4d8954d9fd63ad58e95373b1f0f50c0fe654ba75c4ac3ba124b3923d60fd0e347333a5ebec70c923ed8bb5ded0f2421b1e3556b5001644f89dbe731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
442B

MD5
7aa8fc7693870a39246c15de0b3df29a

SHA1
d9901bc76d63cc15ef11095dfc4170fcc2f26650

SHA256
8e4edbfe6f60b4a80b01ec967aaac582a39b097d5f2a5948dede44abacff38a8

SHA512
67e7e643c48e1b175748e5e641daa9080c462afb336aa4dd214289cde5828f325782a86d4e46dc699fdab2bc915aced8ca8d7439884ba22e634b508119abbc01

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.10\tracking.ini

Filesize
84B

MD5
fe83cfe17ec93f91b3e8e34456efaf85

SHA1
94d2c8116c917e322d5b04a1693f3626da63fadf

SHA256
c788e9f7f40cb6bca9e42508498574bf2fbeeccbcbf74e295e03f361aa0af239

SHA512
75f805671211ececf53c329945bc9791f1b4a91d5bceff5de3bb89f552ab9817797a0e81eeebdce5cb38549d044f5661cb06a49ce767fffbcfc87fc5e6a8096e

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.10\tracking.ini

Filesize
69B

MD5
822bec55221dd76d70d74630653530c4

SHA1
7c05d034c261fd1233859b91f3af8605df2b9352

SHA256
812c54abed78334128fa44680b55875e8a31e43271794b1621b31f5e1bef29fd

SHA512
4ace15d65626815cf79fae20ae9d5a164e35f3a5fe18944a80320602163152e6c6714e706c403a57183ffb20022efcf12f9eda356b679903c69f58beb7f7d1c1

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.10\{094FD2D6-E108-4206-9521-F7229CFBD683}.session

Filesize
23KB

MD5
ac6ecd594f801bac576e2f9ef37844d4

SHA1
9acd91d84a73c3dd67506c9f6f6c662a186c3bf4

SHA256
09f423e68a6305c980bbb18b4175d5ed7db63e0172bc56674d185bfa042567d2

SHA512
ea413ade8a8f23b37b9b405d8b74fd846c03c1f8c9e5890a7ee26979d117ce8b86c8f466759befaf796482333059a2b6831ed25f9e0c00a4e551e3a97d2da65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2315.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI248C.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FD.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI29EB.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2AA7.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2C1F.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2CFA.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2DA7.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2EEF.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2F6D.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3077.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3114.tmp

Filesize
203KB

MD5
83ab902128343371bd2a659a6a068338

SHA1
f30df8094d3058fb621dd4ca602c8e9aa296599f

SHA256
0b3276d71ef9a69802e43f40764f4b2cfe80de36ef6a8ea324274740099c324d

SHA512
f71d6efddf39cdd13fc543d2c717a9c4f631f92e033345c5d97704cbdd1b84f9524df51b7c6898a7d9156b0c9333ce23d483b95ddc2b3cec2b35538ad26e182f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban_TOS.html

Filesize
24KB

MD5
993c38c176078ec82cf3d5e21e24cdc0

SHA1
153b97b354ee42cce9dce40b9559577bf37ec303

SHA256
34a4cfe3fbf3172596a779b960b6f92702137ec2d005d144a5d5fd41b7d64221

SHA512
6e52a2be3d012411cb51148a13e554e3b87d3fb278f898e0bc510ba4c23172623c79857da66c2f10b8957e542674c1fd7a24d99bcde8b1e37031055060910e59

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.10\install\9295F50\urbanvpninstaller.x64.msi

Filesize
8.8MB

MD5
0ad8768d476db3072081f733838822ed

SHA1
05a98803bf5ee0ddd7dcc4d148ccccc9a5f13d85

SHA256
78bdc4180e02e87b5e6881e896105cb5dd89fbd14b1d3d97e31e9f8447211526

SHA512
94a7968f47eb7ad80f403294203bc0181a2ee5cb3aa2faece4d2d0e9deacfc48f44f9c99d2bf5e73f74cd6a8791d789bb3f25796b479995026e0383c6436ecf3

Download Submit
C:\Windows\Installer\MSIC8AF.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Windows\Installer\MSICCC5.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Windows\Installer\MSICDA0.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
C:\Windows\Installer\MSID188.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSID418.tmp

Filesize
203KB

MD5
83ab902128343371bd2a659a6a068338

SHA1
f30df8094d3058fb621dd4ca602c8e9aa296599f

SHA256
0b3276d71ef9a69802e43f40764f4b2cfe80de36ef6a8ea324274740099c324d

SHA512
f71d6efddf39cdd13fc543d2c717a9c4f631f92e033345c5d97704cbdd1b84f9524df51b7c6898a7d9156b0c9333ce23d483b95ddc2b3cec2b35538ad26e182f

Download Submit
C:\Windows\Installer\MSID457.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Windows\Installer\MSID4F4.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSID68B.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSID969.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSID9B8.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Windows\Installer\MSIDA46.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
C:\Windows\Installer\MSIE1B6.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Windows\Installer\MSIE56E.tmp

Filesize
721KB

MD5
bc18e14d4d14a9251947e3a816d26eda

SHA1
73401e6ea5ec1aa3412ec4a55e1d8c8ade4c0aad

SHA256
5dd523be946ab86b00f5fab6fc208946d9c3f8d0c599da9ffd40879b1540c086

SHA512
2a06df9eeaa8bcaf4a0849b77f4375a12e4d65c3ba30f6ee0c3af98a190eea57b0f2a6b14abb7199437c19757bcc64448f7a85d199095b9ae0d91ed767d00ca8

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2315.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Users\Admin\AppData\Local\Temp\MSI248C.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
\Users\Admin\AppData\Local\Temp\MSI26FD.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Users\Admin\AppData\Local\Temp\MSI29EB.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2AA7.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2C1F.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2CFA.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2DA7.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2EEF.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Users\Admin\AppData\Local\Temp\MSI2F6D.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3077.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3114.tmp

Filesize
203KB

MD5
83ab902128343371bd2a659a6a068338

SHA1
f30df8094d3058fb621dd4ca602c8e9aa296599f

SHA256
0b3276d71ef9a69802e43f40764f4b2cfe80de36ef6a8ea324274740099c324d

SHA512
f71d6efddf39cdd13fc543d2c717a9c4f631f92e033345c5d97704cbdd1b84f9524df51b7c6898a7d9156b0c9333ce23d483b95ddc2b3cec2b35538ad26e182f

Download Submit
\Windows\Installer\MSIC8AF.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Windows\Installer\MSICCC5.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
\Windows\Installer\MSICDA0.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
\Windows\Installer\MSID188.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
\Windows\Installer\MSID418.tmp

Filesize
203KB

MD5
83ab902128343371bd2a659a6a068338

SHA1
f30df8094d3058fb621dd4ca602c8e9aa296599f

SHA256
0b3276d71ef9a69802e43f40764f4b2cfe80de36ef6a8ea324274740099c324d

SHA512
f71d6efddf39cdd13fc543d2c717a9c4f631f92e033345c5d97704cbdd1b84f9524df51b7c6898a7d9156b0c9333ce23d483b95ddc2b3cec2b35538ad26e182f

Download Submit
\Windows\Installer\MSID457.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Windows\Installer\MSID4F4.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
\Windows\Installer\MSID68B.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
\Windows\Installer\MSID969.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
\Windows\Installer\MSID9B8.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
\Windows\Installer\MSIDA46.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
\Windows\Installer\MSIE1B6.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
\Windows\Installer\MSIE56E.tmp

Filesize
721KB

MD5
bc18e14d4d14a9251947e3a816d26eda

SHA1
73401e6ea5ec1aa3412ec4a55e1d8c8ade4c0aad

SHA256
5dd523be946ab86b00f5fab6fc208946d9c3f8d0c599da9ffd40879b1540c086

SHA512
2a06df9eeaa8bcaf4a0849b77f4375a12e4d65c3ba30f6ee0c3af98a190eea57b0f2a6b14abb7199437c19757bcc64448f7a85d199095b9ae0d91ed767d00ca8

Download Submit
\Windows\SystemTemp\INA2297.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
memory/1068-55-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/1292-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1292-97-0x0000000070C71000-0x0000000070C73000-memory.dmp

Filesize
8KB

Download
memory/1596-158-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/1596-156-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1596-155-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download