88fa1a52922482a0e80c5c410421c38e557514796a53f9e6839304fd049cd753

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2023 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UrbanVPN2.exe
Size

30.9MB
MD5

401ae8a7c8a882dd7846fd4c62b99f60
SHA1

4b77e688de4234376cf18f5c9db5466cd012b945
SHA256

88fa1a52922482a0e80c5c410421c38e557514796a53f9e6839304fd049cd753
SHA512

8a018e727d1b886381ae0ab0ce8b07c1fd044d9ab3dbd79d5c3108c1bba3114341c1066bc18d9e236b61e81b029f6b5fbfcf056a6903a14ec3cdf2356a05c6f6
SSDEEP

786432:TZSM7H/daLUKzGOEViOK+LJE4K9WnbtR5IX+1Qw:T7lbi8iOKqoWbL58+z

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

MsiExec.exe

flow pid process

70 1580 MsiExec.exe
71 1580 MsiExec.exe
71 1580 MsiExec.exe
70 1580 MsiExec.exe

flow	pid	process
70	1580	MsiExec.exe
71	1580	MsiExec.exe
71	1580	MsiExec.exe
70	1580	MsiExec.exe

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET7668.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET7668.tmp	DrvInst.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UrbanVPN2.exeMSI7AE5.tmpUrbanVPNUpdater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	UrbanVPN2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	MSI7AE5.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	UrbanVPNUpdater.exe

Executes dropped EXE 9 IoCs

Processes:

MSI6D93.tmptapinstall.exetapinstall.exeMSI7AE5.tmpUrbanVPNUpdater.exeurbanvpnserv.exeUrbanVPNUpdater.exeurbanvpn-gui.exeurbanvpn.exe

pid	process
4512	MSI6D93.tmp
5116	tapinstall.exe
4996	tapinstall.exe
1860	MSI7AE5.tmp
3968	UrbanVPNUpdater.exe
5776	urbanvpnserv.exe
6040	UrbanVPNUpdater.exe
5348	urbanvpn-gui.exe
4684	urbanvpn.exe

Loads dropped DLL 56 IoCs

Processes:

UrbanVPN2.exeMsiExec.exeMsiExec.exeMsiExec.exeMSI6D93.tmpMsiExec.exeurbanvpnserv.exeurbanvpn.exe

pid	process
2652	UrbanVPN2.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
1580	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
1580	MsiExec.exe
1580	MsiExec.exe
1580	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4244	MsiExec.exe
4512	MSI6D93.tmp
4512	MSI6D93.tmp
4512	MSI6D93.tmp
4512	MSI6D93.tmp
4512	MSI6D93.tmp
4512	MSI6D93.tmp
4244	MsiExec.exe
1580	MsiExec.exe
1580	MsiExec.exe
952	MsiExec.exe
952	MsiExec.exe
952	MsiExec.exe
5776	urbanvpnserv.exe
4244	MsiExec.exe
952	MsiExec.exe
4244	MsiExec.exe
4728	MsiExec.exe
4684	urbanvpn.exe
4684	urbanvpn.exe
4684	urbanvpn.exe
4684	urbanvpn.exe
4684	urbanvpn.exe
4684	urbanvpn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UrbanVPN = "C:\\Program Files\\UrbanVPN\\UrbanVPNUpdater.exe /checknow -minuseractions -startappfirst -restartapp \"C:\\Program Files\\UrbanVPN\\bin\\urbanvpn-gui.exe\" "	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

MsiExec.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini MsiExec.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

UrbanVPN2.exemsiexec.exeUrbanVPN2.exe

description	ioc	process
File opened (read-only)	\??\T:	UrbanVPN2.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	UrbanVPN2.exe
File opened (read-only)	\??\Z:	UrbanVPN2.exe
File opened (read-only)	\??\E:	UrbanVPN2.exe
File opened (read-only)	\??\W:	UrbanVPN2.exe
File opened (read-only)	\??\P:	UrbanVPN2.exe
File opened (read-only)	\??\R:	UrbanVPN2.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	UrbanVPN2.exe
File opened (read-only)	\??\X:	UrbanVPN2.exe
File opened (read-only)	\??\H:	UrbanVPN2.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	UrbanVPN2.exe
File opened (read-only)	\??\J:	UrbanVPN2.exe
File opened (read-only)	\??\Y:	UrbanVPN2.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	UrbanVPN2.exe
File opened (read-only)	\??\G:	UrbanVPN2.exe
File opened (read-only)	\??\F:	UrbanVPN2.exe
File opened (read-only)	\??\R:	UrbanVPN2.exe
File opened (read-only)	\??\K:	UrbanVPN2.exe
File opened (read-only)	\??\Z:	UrbanVPN2.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	UrbanVPN2.exe
File opened (read-only)	\??\G:	UrbanVPN2.exe
File opened (read-only)	\??\O:	UrbanVPN2.exe
File opened (read-only)	\??\Q:	UrbanVPN2.exe
File opened (read-only)	\??\P:	UrbanVPN2.exe
File opened (read-only)	\??\T:	UrbanVPN2.exe
File opened (read-only)	\??\I:	UrbanVPN2.exe
File opened (read-only)	\??\S:	UrbanVPN2.exe
File opened (read-only)	\??\U:	UrbanVPN2.exe
File opened (read-only)	\??\V:	UrbanVPN2.exe
File opened (read-only)	\??\W:	UrbanVPN2.exe
File opened (read-only)	\??\F:	UrbanVPN2.exe
File opened (read-only)	\??\J:	UrbanVPN2.exe
File opened (read-only)	\??\L:	UrbanVPN2.exe
File opened (read-only)	\??\B:	UrbanVPN2.exe
File opened (read-only)	\??\Y:	UrbanVPN2.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	UrbanVPN2.exe
File opened (read-only)	\??\S:	UrbanVPN2.exe
File opened (read-only)	\??\U:	UrbanVPN2.exe
File opened (read-only)	\??\N:	UrbanVPN2.exe
File opened (read-only)	\??\O:	UrbanVPN2.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	UrbanVPN2.exe
File opened (read-only)	\??\V:	UrbanVPN2.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	UrbanVPN2.exe
File opened (read-only)	\??\M:	UrbanVPN2.exe
File opened (read-only)	\??\X:	UrbanVPN2.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in System32 directory 16 IoCs

Processes:

DrvInst.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET730D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET731E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET731F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET731F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.PNF	tapinstall.exe
File created	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET730D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET731E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\tap0901.sys	DrvInst.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

MsiExec.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN MsiExec.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	MsiExec.exe

Drops file in Program Files directory 22 IoCs

Processes:

MSI6D93.tmpmsiexec.exesetup.exe

description	ioc	process
File created	C:\Program Files\TAP-Windows\Uninstall.exe	MSI6D93.tmp
File created	C:\Program Files\UrbanVPN\bin\libcrypto-1_1-x64.dll	msiexec.exe
File opened for modification	C:\Program Files\UrbanVPN\UrbanVPNUpdater.ini	msiexec.exe
File created	C:\Program Files\TAP-Windows\driver\OemVista.inf	MSI6D93.tmp
File created	C:\Program Files\TAP-Windows\license.txt	MSI6D93.tmp
File created	C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\libssl-1_1-x64.dll	msiexec.exe
File created	C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cbe97b2e-67a6-479b-960f-71382b301ae4.tmp	setup.exe
File created	C:\Program Files\TAP-Windows\bin\tapinstall.exe	MSI6D93.tmp
File created	C:\Program Files\TAP-Windows\bin\addtap.bat	MSI6D93.tmp
File created	C:\Program Files\TAP-Windows\bin\deltapall.bat	MSI6D93.tmp
File created	C:\Program Files\TAP-Windows\icon.ico	MSI6D93.tmp
File created	C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\libpkcs11-helper-1.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230308233545.pma	setup.exe
File created	C:\Program Files\TAP-Windows\driver\tap0901.cat	MSI6D93.tmp
File created	C:\Program Files\TAP-Windows\driver\tap0901.sys	MSI6D93.tmp
File created	C:\Program Files\UrbanVPN\bin\urbanvpn.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\openssl.exe	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\liblzo2-2.dll	msiexec.exe
File created	C:\Program Files\UrbanVPN\bin\urbanvpn.dll	msiexec.exe

Drops file in Windows directory 47 IoCs

Processes:

msiexec.exetapinstall.exeDrvInst.exesvchost.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI92D7.tmp	msiexec.exe
File created	C:\Windows\Installer\e574baf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{DDB06FF3-E7FC-4E3F-8003-276CB0918F48}\urbanvpngui_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI894F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e574baf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82E5.tmp	msiexec.exe
File created	C:\Windows\Installer\e574bb1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4FA9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65FA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\MSI5461.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DDB06FF3-E7FC-4E3F-8003-276CB0918F48}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI791D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4EAD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5374.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9336.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI55C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CA7.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9644.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI53E3.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F4B.tmp	msiexec.exe
File created	C:\Windows\Installer\{DDB06FF3-E7FC-4E3F-8003-276CB0918F48}\urbanvpngui_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90F1.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI794D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9288.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5008.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5637.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5704.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exevssvc.exetapinstall.exeDrvInst.exeDrvInst.exetapinstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a8dca56a4fb650f70000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a8dca56a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a8dca56a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 212 Go-http-client/1.1
HTTP User-Agent header 95 Go-http-client/1.1
HTTP User-Agent header 97 Go-http-client/1.1

description	flow	ioc
HTTP User-Agent header	212	Go-http-client/1.1
HTTP User-Agent header	95	Go-http-client/1.1
HTTP User-Agent header	97	Go-http-client/1.1

Modifies data under HKEY_USERS 53 IoCs

Processes:

DrvInst.exemsiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6aa5dca8-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6aa5dca8-0000-0000-0000-d01200000000}	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6aa5dca8-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4"	MsiExec.exe

Modifies registry class 27 IoCs

Processes:

msedge.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D15EE4AAF3E53D9488CC68E460CB755B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\ProductIcon = "C:\\Windows\\Installer\\{DDB06FF3-E7FC-4E3F-8003-276CB0918F48}\\urbanvpngui_1.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Urban Security\\UrbanVPN 2.2.11\\install\\0918F48\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Urban Security\\UrbanVPN 2.2.11\\install\\0918F48\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FF60BDDCF7EF3E4083072C60B19F884\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\Version = "33685515"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FF60BDDCF7EF3E4083072C60B19F884\AIOtherFiles	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList\PackageName = "urbanvpninstaller.x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FF60BDDCF7EF3E4083072C60B19F884\AI64BitFiles	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D15EE4AAF3E53D9488CC68E460CB755B\3FF60BDDCF7EF3E4083072C60B19F884	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\ProductName = "UrbanVPN"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FF60BDDCF7EF3E4083072C60B19F884	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FF60BDDCF7EF3E4083072C60B19F884\PackageCode = "7F4B83170A8C9204285BB866877D556A"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

UrbanVPN2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

urbanvpn-gui.exe

pid process

5348 urbanvpn-gui.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

MsiExec.exemsiexec.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
3380	msiexec.exe
3380	msiexec.exe
2692	msedge.exe
2692	msedge.exe
2544	msedge.exe
2544	msedge.exe
2828	identity_helper.exe
2828	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

urbanvpn-gui.exe

pid process

5348 urbanvpn-gui.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2544 msedge.exe
2544 msedge.exe
2544 msedge.exe
2544 msedge.exe
2544 msedge.exe
2544 msedge.exe

pid	process
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeUrbanVPN2.exe

description	pid	process
Token: SeSecurityPrivilege	3380	msiexec.exe
Token: SeCreateTokenPrivilege	2652	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	2652	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	2652	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	2652	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	2652	UrbanVPN2.exe
Token: SeTcbPrivilege	2652	UrbanVPN2.exe
Token: SeSecurityPrivilege	2652	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	2652	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	2652	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	2652	UrbanVPN2.exe
Token: SeSystemtimePrivilege	2652	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	2652	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	2652	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	2652	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	2652	UrbanVPN2.exe
Token: SeBackupPrivilege	2652	UrbanVPN2.exe
Token: SeRestorePrivilege	2652	UrbanVPN2.exe
Token: SeShutdownPrivilege	2652	UrbanVPN2.exe
Token: SeDebugPrivilege	2652	UrbanVPN2.exe
Token: SeAuditPrivilege	2652	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	2652	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	2652	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	2652	UrbanVPN2.exe
Token: SeUndockPrivilege	2652	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	2652	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	2652	UrbanVPN2.exe
Token: SeManageVolumePrivilege	2652	UrbanVPN2.exe
Token: SeImpersonatePrivilege	2652	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	2652	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	2652	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	2652	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	2652	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	2652	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	2652	UrbanVPN2.exe
Token: SeTcbPrivilege	2652	UrbanVPN2.exe
Token: SeSecurityPrivilege	2652	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	2652	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	2652	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	2652	UrbanVPN2.exe
Token: SeSystemtimePrivilege	2652	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	2652	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	2652	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	2652	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	2652	UrbanVPN2.exe
Token: SeBackupPrivilege	2652	UrbanVPN2.exe
Token: SeRestorePrivilege	2652	UrbanVPN2.exe
Token: SeShutdownPrivilege	2652	UrbanVPN2.exe
Token: SeDebugPrivilege	2652	UrbanVPN2.exe
Token: SeAuditPrivilege	2652	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	2652	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	2652	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	2652	UrbanVPN2.exe
Token: SeUndockPrivilege	2652	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	2652	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	2652	UrbanVPN2.exe
Token: SeManageVolumePrivilege	2652	UrbanVPN2.exe
Token: SeImpersonatePrivilege	2652	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	2652	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	2652	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	2652	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	2652	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	2652	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	2652	UrbanVPN2.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

UrbanVPN2.exemsedge.exeurbanvpn-gui.exe

pid	process
2652	UrbanVPN2.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

urbanvpn-gui.exe

pid	process
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe
5348	urbanvpn-gui.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

UrbanVPN2.exeurbanvpn-gui.exe

pid process

2652 UrbanVPN2.exe
2652 UrbanVPN2.exe
5348 urbanvpn-gui.exe
5348 urbanvpn-gui.exe
5348 urbanvpn-gui.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeUrbanVPN2.exeMSI6D93.tmpsvchost.exeMSI7AE5.tmpmsedge.exe

description	pid	process	target process
PID 3380 wrote to memory of 4728	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 4728	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 4728	3380	msiexec.exe	MsiExec.exe
PID 2652 wrote to memory of 3476	2652	UrbanVPN2.exe	UrbanVPN2.exe
PID 2652 wrote to memory of 3476	2652	UrbanVPN2.exe	UrbanVPN2.exe
PID 2652 wrote to memory of 3476	2652	UrbanVPN2.exe	UrbanVPN2.exe
PID 3380 wrote to memory of 680	3380	msiexec.exe	srtasks.exe
PID 3380 wrote to memory of 680	3380	msiexec.exe	srtasks.exe
PID 3380 wrote to memory of 4244	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 4244	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 4244	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 1580	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 1580	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 4512	3380	msiexec.exe	MSI6D93.tmp
PID 3380 wrote to memory of 4512	3380	msiexec.exe	MSI6D93.tmp
PID 3380 wrote to memory of 4512	3380	msiexec.exe	MSI6D93.tmp
PID 4512 wrote to memory of 5116	4512	MSI6D93.tmp	tapinstall.exe
PID 4512 wrote to memory of 5116	4512	MSI6D93.tmp	tapinstall.exe
PID 4512 wrote to memory of 4996	4512	MSI6D93.tmp	tapinstall.exe
PID 4512 wrote to memory of 4996	4512	MSI6D93.tmp	tapinstall.exe
PID 3264 wrote to memory of 5064	3264	svchost.exe	DrvInst.exe
PID 3264 wrote to memory of 5064	3264	svchost.exe	DrvInst.exe
PID 3264 wrote to memory of 2140	3264	svchost.exe	DrvInst.exe
PID 3264 wrote to memory of 2140	3264	svchost.exe	DrvInst.exe
PID 3380 wrote to memory of 1860	3380	msiexec.exe	MSI7AE5.tmp
PID 3380 wrote to memory of 1860	3380	msiexec.exe	MSI7AE5.tmp
PID 3380 wrote to memory of 1860	3380	msiexec.exe	MSI7AE5.tmp
PID 1860 wrote to memory of 2544	1860	MSI7AE5.tmp	msedge.exe
PID 1860 wrote to memory of 2544	1860	MSI7AE5.tmp	msedge.exe
PID 2544 wrote to memory of 764	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 764	2544	msedge.exe	msedge.exe
PID 3380 wrote to memory of 952	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 952	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 952	3380	msiexec.exe	MsiExec.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe
PID 2544 wrote to memory of 3116	2544	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe
"C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe
"C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe" /i "C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\UrbanVPN" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UrbanVPN" SECONDSEQUENCE="1" CLIENTPROCESSID="2652" AI_MORE_CMD_LINE=1
2⤵
- Enumerates connected drives
PID:3476

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 61177BDF6AF8D51570C3C5CE52D397D0 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:680

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BDF449321D3A7F3B74EC265877163792
2⤵
- Loads dropped DLL
PID:4244

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E3A486EC8A00DA8F2A0C0E384163C8AE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
PID:1580

C:\Windows\Installer\MSI6D93.tmp
"C:\Windows\Installer\MSI6D93.tmp" /S /SELECT_UTILITIES=1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4512

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5116

C:\Program Files\TAP-Windows\bin\tapinstall.exe
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4996

C:\Windows\Installer\MSI7AE5.tmp
"C:\Windows\Installer\MSI7AE5.tmp" https://www.urban-vpn.com/install-desk/
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.urban-vpn.com/install-desk/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85c3646f8,0x7ff85c364708,0x7ff85c364718
4⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
4⤵
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
4⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
4⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
4⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
4⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff77c975460,0x7ff77c975470,0x7ff77c975480
5⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
4⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
4⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
4⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,16439738458862309197,11386188883785738851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
4⤵
PID:6020

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7D69112445E1AD0FAAF156CD8D82406B E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
PID:952

C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe
"C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe" /configservice -name "UrbanVPNUpdater"
2⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{ad6ea96e-5a8f-294d-a6f9-272ffe246c2d}\oemvista.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\program files\tap-windows\driver"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5064

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "0000000000000138"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4636

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:5500

C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe
"C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5776

C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe
"C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe" /checknow -minuseractions -startappfirst -restartapp "C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe" -restartappcmd "-f"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6040

C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe
"C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe" -f
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5348

C:\Program Files\UrbanVPN\bin\urbanvpn.exe
urbanvpn --version
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574bb0.rbs

Filesize
2.0MB

MD5
d4407e77a3b5f509d5314c2a190868a2

SHA1
60fc4f7236d7f6969bb005fd34a3b1e9095692ce

SHA256
97fc10173edcf2ca626dfb26d1911c444f75cf89e546ece0e7af58d0a8102c44

SHA512
097287365abfb001b1473e781de7ce71c75404f9b636bf8e9c248518e44f25ef7710ebf96a1c7a6c6295a23e3a461bee896426c939cc765059ba238d829109fb

Download Submit
C:\Config.Msi\e574bb2.rbs

Filesize
534B

MD5
39706fc8bf5ef80f73f8012cc0ebd1eb

SHA1
33584b389e88eac26252021e09ed8fe81ea5d61c

SHA256
a57ff2885544a27a26c36fcac1f4223e355df1646c1df20f6841cd0be512f95e

SHA512
2d71de3d06c9a92ff89b94b6bd5569c659420770626b8cd356b961869a3700799aaabaa8458c0522000a1ccb29c2241403d4a3b4ff84932e8bac0c9f3ce02890

Download Submit
C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe

Filesize
1.0MB

MD5
e746189d9da7c903d6fcb51a78c41f0e

SHA1
4bb889e5449025efcac65b1add09f8fe5854dee1

SHA256
180e2a193d4eadea7d6c2b3276cc471e62b3d617802bd8bcaebbc33b49917a07

SHA512
88b922d75b215db4989ccecfbe2ff2a90b0d71fe2510ae3f5ff688ec53f57c9edc58a792de35cdb276f64e38775a20757559c43752de16d01f7e12750a3364ef

Download Submit
C:\Program Files\UrbanVPN\UrbanVPNUpdater.ini

Filesize
299B

MD5
eb1d935546bb61a9b978db84a9f88736

SHA1
988bad6f53c5c85d29df3e5bfa1550534ad28162

SHA256
44f9bdd535b49b4afbfd78a38c9c2d9822d8da8796a59c8073843855e80ede57

SHA512
5d93f875797bf6d9ad8d75382580a47909291360172d403a18dc62d84404f4a7944baa735a2c771bfcde7f8807feea8b39caa166cfd067371f854e92e967157a

Download Submit
C:\ProgramData\UrbanVPN\updates\updates.aiu

Filesize
2KB

MD5
594b579043dfd7d968a298e4b201977c

SHA1
466a7a4734bcdf9d4420cab38d2953b8e2e0f4f4

SHA256
91490d8e9d7b5995f6d58bcf353558e282dfe3b2e858c8a23be00c94d331f1f4

SHA512
27fadde44df009c6447a6d3c796f4b0f833d0e128f8c0b123ac745d36c9ffca9f1aa4f97ad3bfb6c52e60c6747a7bb245c71e3f2ce61b48f971251318a938b4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
2ed8e7e16d93b0ca44e3e99bd36ccb05

SHA1
29fcd0e8fa478e85299d7bd74f5b7d2dae60c5db

SHA256
fd28fd4718155157d78bcd409929cfdc94b5d2b330f6c1a810ffa8ed19f089ba

SHA512
ed1cd2211cea6e3b4c63095b789d34612dc7ac05d909de5e8abbe6afe03d62f74d33569271682ccb15bb7c372e990a398ebe01443fac1cb23f8520e1aa5acb4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_731B836F03B166238E2AC93FBDDF5EBE

Filesize
727B

MD5
21b96a9658fef06b73f7f351ebf94f98

SHA1
3c3acd0cc26b7a54630b03b4469068122ad6e9ae

SHA256
32fc5877d64b86dc71e6bd9b1cb2af89bff52de9789af0eeebc4e4292cfe3f71

SHA512
c83d83dd64106dc7196ff8c16888ecc00c8ca53175be4acc2d5a4d73b736537fa11d06e9173d7936cf7a972c6408546c1312eaa362bd5cd71569243c8f1f8e0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
7ac01b1a4ee3b046d5afa51cafecfe05

SHA1
6818b5468b59c76ef8115f8570f331c3fb34bb24

SHA256
d032d5a0a4115fe71264d9620dc5655ebe14adcd66a4d180d840440f58feb1a3

SHA512
87ecb95bdafdead0e47a124f2c0006e115c3c264cb7801fc424956f20de1901a52d3effce32f5a924ddfb5aa1f6231ce8bb9da2725c435a23c584762a738ae3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
8ba7e751fac35dfa1719b56eed4931d0

SHA1
560018d2b0f2fa539fefc83a999fa240eb2636bb

SHA256
4f7f54524d730d0e051868798d6b7215ecf56a8198e29f0c266ccb92975d3246

SHA512
a54629376673853f61c20a26dfe0c8d40070ee0c32d0aef979d1c583df67ac23983699e78e205d90a0a0acd4afd2040abccbb34b2fee31e58486669859ef64b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_731B836F03B166238E2AC93FBDDF5EBE

Filesize
408B

MD5
a833ff3d7b6d5e31c4d3069e62310c79

SHA1
9b619364db183554e7b58bea804bc28e126fbbe0

SHA256
37d792df08d1aa0ef9a67073ec947cef0fd98436902aea9092316337610a768e

SHA512
84adfe3f3ee05b392d999e51b28b42133a0c7662b737725b7b233a37bb525af1ae92c3b2f8920c88df67df8136719a3f4145864d13cf2b208651a9a0d3fd9091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
812218b817362c81abf0f6fcdeca69d7

SHA1
9b0c71b2602e4bcf1758d8e65d40677b3a763438

SHA256
6d2cab79a9f654bdecaed2568537835f2cd0e6429c564287f6809fc2aceed528

SHA512
3aa091ae55c68b5a72af1a8bbdc4cf97f7ff838b3f9d672d080d8798d5b16d1324eb45c24b7a4a251ea842f38eeee63b3e5166a2888f6d342297b98e6a56835e

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\tracking.ini

Filesize
84B

MD5
9c5b23dfc53a471a66ae2c99f5e8bebb

SHA1
e0d43e3c9115310cb9dbe5671579149498035a36

SHA256
560731f815062191c73a8fba6d9a8b0d73bee62f12b10b8c9cd3b242f945cc02

SHA512
c0234a326e3129a7b20cab28d5cb8b337eecf79968641e2adaf216712ce6213252e82ab2cc16f361fa0fa93e0774ea5f5bb21b8faf49655ce2ec476f73486721

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\tracking.ini

Filesize
84B

MD5
9c5b23dfc53a471a66ae2c99f5e8bebb

SHA1
e0d43e3c9115310cb9dbe5671579149498035a36

SHA256
560731f815062191c73a8fba6d9a8b0d73bee62f12b10b8c9cd3b242f945cc02

SHA512
c0234a326e3129a7b20cab28d5cb8b337eecf79968641e2adaf216712ce6213252e82ab2cc16f361fa0fa93e0774ea5f5bb21b8faf49655ce2ec476f73486721

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\{4AFFF19A-E2E0-4B56-970C-D6B86BD7A292}.session

Filesize
2KB

MD5
905fe7271f9e621328c7ba7693dbb89e

SHA1
9e82ce0a193e08b3d4940412e0a8c2b1139dedd0

SHA256
b42f1a31ee02ad59b9690dbcb3930ff9bbbd8b2083371d7e9a5cd8dac4637076

SHA512
fa46b73e6f216cd5dd2a3ad9c7145be0976c6455aee72fa29f2a470b5e570c9e551db60be3022072aaeccc3e45c4fa4ec912deb01f694c4af55428c00d58ef1c

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\{4AFFF19A-E2E0-4B56-970C-D6B86BD7A292}.session

Filesize
2KB

MD5
905fe7271f9e621328c7ba7693dbb89e

SHA1
9e82ce0a193e08b3d4940412e0a8c2b1139dedd0

SHA256
b42f1a31ee02ad59b9690dbcb3930ff9bbbd8b2083371d7e9a5cd8dac4637076

SHA512
fa46b73e6f216cd5dd2a3ad9c7145be0976c6455aee72fa29f2a470b5e570c9e551db60be3022072aaeccc3e45c4fa4ec912deb01f694c4af55428c00d58ef1c

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\{4AFFF19A-E2E0-4B56-970C-D6B86BD7A292}.session

Filesize
4KB

MD5
c6d4ade0df1767e130e9011c784ca3b9

SHA1
0ec2708576c218b113700a2644ed29d62d86073f

SHA256
15f4646afe25db865fe0c9a55844baff7b521d955a10b1657f828ee351c106c0

SHA512
a18e4bf8ea8fab054de32b7870e4989bc42a1f6f0a6f70cd4e8484537095b540f6620030e25a9c69bc08fb22376e25226f3c753b49b620621fae324b05061988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
cd8dcbe0f94a9b1e1e912e3fbd1be6a5

SHA1
cd1f3d7958dc2bfc50eaea79d68fa24a922e6bd6

SHA256
d572bbcca67fc6a7eae28668f797b52f9e98f461502173d0257c917c3fe1d87b

SHA512
fb602c6de991fa780e93f5f9498a2fd64d4fd4bc089c116ff44100719d43cc645cec738e61c5d515a123ca907971af9297e2876d4950e62e9609a31bfc578ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
9c521c20b6d5aa28275d4ea46bd2c741

SHA1
61457a9f503e2b73ddc8d4bfc4f64ff5ce9a275b

SHA256
a414d678bd263039ac6111233d4b16c3c62ee489495ee98088c24c08ddad1003

SHA512
ac26764ff51aa84c679f074127bed8e36311b254b4add61c1405c9be4b1a27c9b4df1d66dc0bc82dbc38feab7aaa1326db3ed46a46acb6494b6bd4bbc90216a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
ecb0b1ab3c70591b0d0a4ff2bea33e8c

SHA1
54dcf7c8941a86e22dd414bd79cc6bc51dac7c23

SHA256
bf6b1190d425cc613a0d398b74184b5aaf1227fb92c57584a866d0af7bc02d11

SHA512
acaccaf7f6a843b317103aee880a2dc58c64a8f7603f3d1c8a9a3c762a3d8180d0a12359e581b481b14dbcc86aa3dcf297c2d9d704e0dacd5fce50c9c669442f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
840a81ee70c6f1e91d52032ccd345dc5

SHA1
3d3550e66a9caae9855ecf988c7e30745c74c2ef

SHA256
7bfee260e15c2f90f3af3bce2da7a02681b1ddc0224c92744b6e69c735e68062

SHA512
d9f635f865c239e754b6a98089a521beb36a6022864dbe76fad1cc1b36f5aea7d6b9946d40cb9bf1df38bdcabe75929f1f8dec9224bfc40fdecde06941acbd11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
a2fb1b7d884f82651d09d0637174b1f4

SHA1
d2bf1ecf43c76a79d4b7ceca8e3942f3960cd9b8

SHA256
54ab2e388a5dcb213e45bb7bc60c0393a93ad9d34370e67cf6e50469c688cb21

SHA512
e7131341627c9edf97a7bdf98cfbb3d5ce896a33d8cdc3b041ff29623401a0a857fe058aebc5ed2a905eebee6699c0de63f5030c6516a1b250bb3509bd39e529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f4a1abf4730a10bc45be738d547a931

SHA1
61898e2289028fa686544ec0bb4f10243dfd6d2f

SHA256
5faf994e5825078c7d5f44c39ce8064f45cceac53a1485eec4fe6b4caf60cf00

SHA512
e757914d1459edc649d5b3fd89efc12a20db9383b3d51c99edf067281d1c023e389dcf42ec91ff2cab4f5140d4392bd4b5c8f4881cce2645dae24ed5729dd4a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
542d5d770fb0c1870e6262c2949021ee

SHA1
4222ef354d68cfc124adf7423de5cd299164147b

SHA256
afb631ccb49c4e6d22b12cd42ef12e97e0059a24c1e1924fdbb9311e1dd87fe7

SHA512
9cd05404f708b7e28112615383e97606ce7dd82cfcb20cbade595d4f19d3e0ef4dc167ed4d3a9827a2fb5b72bfc17bcdce5470a690278e0fc5d63754e48a92a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7664a8f28f8d3c6c9efef1fda6ae2281

SHA1
a23e4c7144564263fcd6abf0156b003b5c5bd6db

SHA256
f5990c0b4064d9a69f7ba4f0824395d86eb5a7948436c6fe8b60dd826786c5c2

SHA512
5927400dd0859da9fcd65a2afc01e9e2a2cab068443736259ec1cb16ca15f7e676882815362341cac786123dc68613f45afcc23796c195d1456a2774ebb55c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
e261b67a66e7f2f724812564881ccf53

SHA1
56328b3d4b7bc48df570cace28adb70bcc26d3e1

SHA256
18a2ddf3852144a7e0471d4686ef4abebf476d49503d1dcd2ddacacadbd9596e

SHA512
a67ad391193d7f2970b78f3e48bf72d73b3079ea78449a17493d2408a6316a0fc7cf735a883787a8d2b000c50462dbc96923bc3d6908a20eda17f4f1d22b027a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
07493d71481d22b579e2b5cda794ee4c

SHA1
519a4ce8517e7ac06a1a437a3862c1a7c63e4002

SHA256
d28167f6e43d085be16ff09e737f95d3141ab139bcb3851e55d95d7c5edb421e

SHA512
024aa9566b0d2e366c417e54b6ef37079d4254095737e2bbb90c15fa9ca85f4070e612259a871ff7ad2ffabb2c889268df6b9567d249f41d1ff5eb1430dc53b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
eaab25a25b199328c0c092fa0e22df99

SHA1
c4d1822bbb5502ecd14be65e4423a04dae9034de

SHA256
61ed93e4fea1a6c8bf8a7f759dfee9ed502b501466aae83c91d70ba5277970b4

SHA512
b72317a9c08862c2d22f065a7d53192bed1fa41af86abe61d4c29d693fd194edae0ebbb17062cf73a028ce9a146824d492b505bc72060727c9f3428a7bdc141b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2652\Access.png

Filesize
3KB

MD5
e3374ba6b9d850747d6afe58c690065a

SHA1
b6e4ae26d14d659a7b88198c4550a1c974de54d2

SHA256
7323cce0fee17fb2b3854b8bc4faffa3057dae5b27c6954327ac0a2dd136d515

SHA512
e6cfe7c298369699b8492cc5f0264969a20acb2f77d9202f817f938230628a436d7e9ab36ec9a481c39336f63f5f8f818150a9447cbe920c5c6d066d1f31d33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2652\Permission.png

Filesize
2KB

MD5
8b6c57e638b63dfcef96f256e3526148

SHA1
3a1d5206d8a1a032c39845aaf2f0fefc076c648d

SHA256
9c5f8efd7ab746f4cf07475fb9a8713847bac520b85f760bdb6a172151017d8e

SHA512
35ca7442d33ce0c4489866f9da1a335023b248dcb0c93e2131691bea6afff04e135756c4df67781e34690cd3b9c4f413696cacefb0d200e6442cee4cb6d43180

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2652\WhiteBack.png

Filesize
941B

MD5
3102ca8f44e282d3e20ea4cf54086eee

SHA1
37884011b94e10d079ccce5dda53790f159638e5

SHA256
fa2d568d744cf9883b48ca7ee828dcc92872fa73c0038c01d900b67c655fac09

SHA512
1747373d946c8c44f1e43829060f9929c432a6fc20397a3a724195803d1b3249b42bcd2783bfedaf7f9cedce5e2ffdbaca24f06afb79c7251e6e772c18d97e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2652\banner.jpg

Filesize
7KB

MD5
cc08338efa87c4f5ef6351f2598fc28f

SHA1
bb5cecc5fe4dfbc13165eb9d76c2a7c48fea8af7

SHA256
c14948f437d22f943c3f887ce082cbcc69862cb5f4e0fa6b1e9e18cac22ea038

SHA512
d81a0bd1d179854abef657d3baf9b0b1187f5c6ef3152426fb1ad1029c74eeb5d7cf89801c7d075786a3b49d58a55654cb44ba45876a871fee4b118374cec5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2652\dialog.jpg

Filesize
21KB

MD5
81b61102f7970a8c83ecd382c4ab6def

SHA1
165795d45b6fa70661d073bb8c791114c0e6748e

SHA256
9a9ab67db52355b3d091e0bd58275e5c6633adbffc300ddb6607db7bbda88a15

SHA512
2b58f4da52cd687073cae64a0f467c3666daaca14bd95e38e544ae76319c3a9e7b5a223db6de2d92848822e23a9028d2cc97c64d7b2133aebbea5876e81e9937

Download Submit
C:\Users\Admin\AppData\Local\Temp\INAB74E.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB7ED.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB7ED.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB8B9.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB8B9.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBB2B.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBB2B.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBB99.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBB99.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBB99.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBBF8.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBBF8.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBC18.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBC18.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBDEE.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBDEE.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBDEE.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBE7C.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBE7C.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBEDA.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBEDA.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC0CF.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC0CF.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC0F0.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC0F0.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC18D.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC18D.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC20B.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC20B.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban_TOS.html

Filesize
17KB

MD5
2bdee4dc8215cab9dceae022c8dec3e2

SHA1
e434938122e75f7527e8b73cbad7f7f6e69d6d53

SHA256
41e21c9fe6a5cd6085dd79484cff2df9cddc7758864db5b4d5bce939fbc9b37a

SHA512
fc6dd26c5b25662620731e2bd4fe780d2a1e0f3e5f787e354331f188e7e9f284ea66ba79d2a8c7e19469751fbb809f7f65d8159a7d04bc7034b57b72bf6502a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6E3D.tmp\ShellLink.dll

Filesize
4KB

MD5
aad75be0bdd1f1bac758b521c9f1d022

SHA1
5d444b8432c8834f5b5cd29225101856cebb8ecf

SHA256
d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7

SHA512
4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl6E3D.tmp\nsExec.dll

Filesize
6KB

MD5
50ba20cad29399e2db9fa75a1324bd1d

SHA1
3850634bb15a112623222972ef554c8d1eca16f4

SHA256
e7b145abc7c519e6bd91dc06b7b83d1e73735ac1ac37d30a7889840a6eed38fc

SHA512
893e053fcb0a2d3742e2b13b869941a3a485b2bda3a92567f84190cb1be170b67d20cc71c6a2cb92f4202140c8afd9c40a358496947d709e0c4b68d43a368754

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiBF01.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiBF50.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiFAA1.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d4d00445ace8fb024292d3cf1310be97

SHA1
a2a96062886aaadc38948091e47a537eb0742c38

SHA256
65af8029fdf380208cd1a8302aa54a25d80c4f14d08d27b1d7812e312d86fad8

SHA512
387a5210bb1c46a4e170257c4cc1a36e2ab4ed899c44baba9ca2035c45a00907b1da7207af60ae2eb3a15298aaf34c9727e8acd3de81ac39c68d433551197969

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi

Filesize
8.9MB

MD5
9751a48e1777859f060f66b3642cf766

SHA1
63730681961647c704a1dcb889c7e341d9169d0d

SHA256
9425a49da070614a9b58dfcf7bad69ff4a34addb645a15ac99b12d5603169470

SHA512
db31839ab69521b975fde691c0be0a95feecfae2ea249b89197626ac66e05f01862ffdfccbdde582e4ef9fba09cbfedd5ddc2e5e80644de4aa31d288f183e55d

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi

Filesize
8.9MB

MD5
9751a48e1777859f060f66b3642cf766

SHA1
63730681961647c704a1dcb889c7e341d9169d0d

SHA256
9425a49da070614a9b58dfcf7bad69ff4a34addb645a15ac99b12d5603169470

SHA512
db31839ab69521b975fde691c0be0a95feecfae2ea249b89197626ac66e05f01862ffdfccbdde582e4ef9fba09cbfedd5ddc2e5e80644de4aa31d288f183e55d

Download Submit
C:\Windows\Installer\MSI4DE1.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI4DE1.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI4EAD.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI4EAD.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI4F4B.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Windows\Installer\MSI4F4B.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Windows\Installer\MSI4FA9.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Windows\Installer\MSI4FA9.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Windows\Installer\MSI5008.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI5008.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI5374.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Windows\Installer\MSI5374.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Windows\Installer\MSI5374.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Windows\Installer\MSI53E3.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI53E3.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI5461.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI5461.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI5461.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI55C9.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI55C9.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI5637.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI5637.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSI56A6.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI56A6.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Windows\Installer\MSI5704.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Windows\Installer\MSI5704.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Windows\Installer\MSI5704.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Windows\Installer\MSI65FA.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Windows\Installer\MSI65FA.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Windows\Installer\MSI6BDB.tmp

Filesize
291KB

MD5
97ac978af0c024d876ea81bb38dafbea

SHA1
3964e806329b08a8d47024a70ee539df98634125

SHA256
c96a9260281cdba8f9c3e417519a9dbebf7fce8c2beba3db321448304f593df2

SHA512
c8470c5e9533c700f9488f65c7be86c3f0161cb29ce7f1db25c3685f60aa10ab0d63cf9a0405ff0b4051ff425f0400274670c682e9d46950b7bd6c2827388bcc

Download Submit
C:\Windows\Installer\MSI894F.tmp

Filesize
331KB

MD5
7b94ce5b16bb47567fd43f73048e4f39

SHA1
f044f81c9c9c0ab4f0d9a8e4eb485983800767f6

SHA256
fa20bb513845744cde0d198cc50e9cc043e6a1180b1c986e6c354c39e89559d9

SHA512
88517a117c0f345f73fa6f30baf16e6d8c5b262c2a0f73c3ff8603af8ba1380dd5e63638bf51548948da8a42917de75b9dceda52b9e7a47979852c7672eebc51

Download Submit
C:\Windows\Installer\MSI9336.tmp

Filesize
723KB

MD5
f54579f44b076c053ba995e2e178c796

SHA1
2eb4d3baa3fe769d49a1b955e55dfef59db49fb0

SHA256
2c58305b81733c2c61cec16fa0f34fdccce01973a6704c17d13079b24401b18f

SHA512
7ae0daa8eadb69f0e1cb5fc8dd75990392670f85b4efe56bbbaa670bacfa1ddb61882cfc446e0841541cfe3834232825e1435991852ba9b620c01dda8710d581

Download Submit
C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET730D.tmp

Filesize
7KB

MD5
50d29ca2e3ddb8a696923420ec2ac4fa

SHA1
d85f4e65fe10f13ded1780ddbd074edfc75f2d25

SHA256
817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b

SHA512
03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3

Download Submit
C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET731E.tmp

Filesize
10KB

MD5
225e7ba0e5e2d46813e5c858a4d0d5b0

SHA1
5dd49014764f634164520583fd0cec87ab1a1625

SHA256
b0baf5cb84fa4acb34b77a6231052061da6b8676d216833724b7a602622161fb

SHA512
9c77adf7e71aca94489dfeb536f796a017b7c05771962274bae2c614e2ae6799cceb36cc58ac470184c37f52deac75988bb14e6a329f432c6d7cedbca18272a8

Download Submit
C:\Windows\System32\DriverStore\Temp\{e412281c-19ee-3a43-a348-92d48c750cb1}\SET731F.tmp

Filesize
38KB

MD5
059e578d456043a8c3b76ec365b375f3

SHA1
42189b6a1b8c736397113bfc2283f5e1e1a44e8e

SHA256
a0170cf78105ce757e0549d79e4ae7c412240e8b81d262a24d76a047f181f881

SHA512
99e6b6af018d0e3509d9dbe00301a7d5d6645a2070a8144acff04842f8bbaccd81e7651578d08f47639cd2b7d00eb64acddfa8725bce9a073580b7fcf7964e6a

Download Submit
memory/3116-671-0x00007FF87AA10000-0x00007FF87AA11000-memory.dmp

Filesize
4KB

Download
memory/4684-981-0x0000000070960000-0x0000000070985000-memory.dmp

Filesize
148KB

Download
memory/4684-982-0x00000000708B0000-0x000000007095D000-memory.dmp

Filesize
692KB

Download
memory/4684-983-0x0000000070610000-0x00000000708A4000-memory.dmp

Filesize
2.6MB

Download
memory/4684-980-0x0000000070990000-0x00000000709CD000-memory.dmp

Filesize
244KB

Download
memory/4684-979-0x0000000000E40000-0x0000000000F4F000-memory.dmp

Filesize
1.1MB

Download
memory/5348-1112-0x00007FF72C2A0000-0x00007FF72D95C000-memory.dmp

Filesize
22.7MB

Download
memory/5348-1051-0x00007FF72C2A0000-0x00007FF72D95C000-memory.dmp

Filesize
22.7MB

Download
memory/5348-1031-0x00007FF72C2A0000-0x00007FF72D95C000-memory.dmp

Filesize
22.7MB

Download
memory/5348-1129-0x00007FF72C2A0000-0x00007FF72D95C000-memory.dmp

Filesize
22.7MB

Download
memory/5348-1162-0x00007FF72C2A0000-0x00007FF72D95C000-memory.dmp

Filesize
22.7MB

Download
memory/5776-1050-0x00007FF857140000-0x00007FF857FED000-memory.dmp

Filesize
14.7MB

Download
memory/5776-1111-0x00007FF857140000-0x00007FF857FED000-memory.dmp

Filesize
14.7MB

Download
memory/5776-1033-0x00007FF857140000-0x00007FF857FED000-memory.dmp

Filesize
14.7MB

Download
memory/5776-1124-0x00007FF857140000-0x00007FF857FED000-memory.dmp

Filesize
14.7MB

Download
memory/5776-978-0x00007FF857140000-0x00007FF857FED000-memory.dmp

Filesize
14.7MB

Download
memory/5776-976-0x00007FF606230000-0x00007FF606292000-memory.dmp

Filesize
392KB

Download
memory/5776-1159-0x00007FF857140000-0x00007FF857FED000-memory.dmp

Filesize
14.7MB

Download
memory/5776-1161-0x00007FF857140000-0x00007FF857FED000-memory.dmp

Filesize
14.7MB

Download