d3f2691303c0c4dcbbf61a84cfadeda0de0e889e6f562b8e2f6a8f1cd4ca15ca

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07-08-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UrbanVPN (1).exe
Size

30.0MB
MD5

f553a0a47479d9a8effccb124cd5433b
SHA1

ef0ef671915f3ad0df9d0e35bbd5c8ce3728bbf7
SHA256

d3f2691303c0c4dcbbf61a84cfadeda0de0e889e6f562b8e2f6a8f1cd4ca15ca
SHA512

a9e7c95c65bd0880b06c6b97d22ff7a393c70af62126a9854e2b0d89b30c308b6371004419bb7e733a5771140c3f6048dd7ef1c8dd43bec82fc78f60813d9031
SSDEEP

786432:jt/PXq/QuUM3MmPt2RaP4y/HW0UvsFIyoAD5QX:RPXIrd3P2RaQecyoAY

Score

6^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	1012	MsiExec.exe
16	1012	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	UrbanVPN (1).exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	UrbanVPN (1).exe
File opened (read-only)	\??\V:	UrbanVPN (1).exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	UrbanVPN (1).exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	UrbanVPN (1).exe
File opened (read-only)	\??\E:	UrbanVPN (1).exe
File opened (read-only)	\??\L:	UrbanVPN (1).exe
File opened (read-only)	\??\P:	UrbanVPN (1).exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	UrbanVPN (1).exe
File opened (read-only)	\??\N:	UrbanVPN (1).exe
File opened (read-only)	\??\W:	UrbanVPN (1).exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	UrbanVPN (1).exe
File opened (read-only)	\??\T:	UrbanVPN (1).exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	UrbanVPN (1).exe
File opened (read-only)	\??\T:	UrbanVPN (1).exe
File opened (read-only)	\??\H:	UrbanVPN (1).exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	UrbanVPN (1).exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	UrbanVPN (1).exe
File opened (read-only)	\??\O:	UrbanVPN (1).exe
File opened (read-only)	\??\Y:	UrbanVPN (1).exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	UrbanVPN (1).exe
File opened (read-only)	\??\P:	UrbanVPN (1).exe
File opened (read-only)	\??\S:	UrbanVPN (1).exe
File opened (read-only)	\??\Q:	UrbanVPN (1).exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	UrbanVPN (1).exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	UrbanVPN (1).exe
File opened (read-only)	\??\J:	UrbanVPN (1).exe
File opened (read-only)	\??\S:	UrbanVPN (1).exe
File opened (read-only)	\??\G:	UrbanVPN (1).exe
File opened (read-only)	\??\G:	UrbanVPN (1).exe
File opened (read-only)	\??\R:	UrbanVPN (1).exe
File opened (read-only)	\??\A:	UrbanVPN (1).exe
File opened (read-only)	\??\L:	UrbanVPN (1).exe
File opened (read-only)	\??\M:	UrbanVPN (1).exe
File opened (read-only)	\??\U:	UrbanVPN (1).exe
File opened (read-only)	\??\W:	UrbanVPN (1).exe
File opened (read-only)	\??\B:	UrbanVPN (1).exe
File opened (read-only)	\??\Z:	UrbanVPN (1).exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	UrbanVPN (1).exe
File opened (read-only)	\??\Z:	UrbanVPN (1).exe
File opened (read-only)	\??\M:	UrbanVPN (1).exe
File opened (read-only)	\??\U:	UrbanVPN (1).exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	UrbanVPN (1).exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB876.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB876.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB878.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB877.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB877.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB878.tmp	DrvInst.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	MsiExec.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\TAP-Windows\bin\addtap.bat	MSIB5AF.tmp
File created	C:\Program Files\TAP-Windows\bin\deltapall.bat	MSIB5AF.tmp
File created	C:\Program Files\TAP-Windows\license.txt	MSIB5AF.tmp
File created	C:\Program Files\TAP-Windows\icon.ico	MSIB5AF.tmp
File created	C:\Program Files\TAP-Windows\bin\tapinstall.exe	MSIB5AF.tmp
File created	C:\Program Files\TAP-Windows\driver\OemVista.inf	MSIB5AF.tmp
File created	C:\Program Files\TAP-Windows\driver\tap0901.cat	MSIB5AF.tmp
File created	C:\Program Files\TAP-Windows\driver\tap0901.sys	MSIB5AF.tmp

Drops file in Windows directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f770454.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF4F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4DE.tmp	msiexec.exe
File created	C:\Windows\Installer\f770455.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\MSI8AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB57E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI774.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF7E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI830.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BAE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB54D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB54E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770454.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB51E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB58F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI502.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5AF.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIAF3E.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
1500	MSIB5AF.tmp
2672	tapinstall.exe
1624	tapinstall.exe

Loads dropped DLL 42 IoCs

pid	Process
2244	UrbanVPN (1).exe
2244	UrbanVPN (1).exe
2244	UrbanVPN (1).exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
2984	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1012	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1012	MsiExec.exe
1012	MsiExec.exe
1012	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
2244	UrbanVPN (1).exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1356	MsiExec.exe
1500	MSIB5AF.tmp
1500	MSIB5AF.tmp
1500	MSIB5AF.tmp
1500	MSIB5AF.tmp
1500	MSIB5AF.tmp
1500	MSIB5AF.tmp
1500	MSIB5AF.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UrbanVPN (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UrbanVPN (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIB5AF.tmp

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000019358-12.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	UrbanVPN (1).exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	UrbanVPN (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2984	MsiExec.exe
2984	MsiExec.exe
2868	msiexec.exe
2868	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2244	UrbanVPN (1).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: SeCreateTokenPrivilege	2244	UrbanVPN (1).exe
Token: SeAssignPrimaryTokenPrivilege	2244	UrbanVPN (1).exe
Token: SeLockMemoryPrivilege	2244	UrbanVPN (1).exe
Token: SeIncreaseQuotaPrivilege	2244	UrbanVPN (1).exe
Token: SeMachineAccountPrivilege	2244	UrbanVPN (1).exe
Token: SeTcbPrivilege	2244	UrbanVPN (1).exe
Token: SeSecurityPrivilege	2244	UrbanVPN (1).exe
Token: SeTakeOwnershipPrivilege	2244	UrbanVPN (1).exe
Token: SeLoadDriverPrivilege	2244	UrbanVPN (1).exe
Token: SeSystemProfilePrivilege	2244	UrbanVPN (1).exe
Token: SeSystemtimePrivilege	2244	UrbanVPN (1).exe
Token: SeProfSingleProcessPrivilege	2244	UrbanVPN (1).exe
Token: SeIncBasePriorityPrivilege	2244	UrbanVPN (1).exe
Token: SeCreatePagefilePrivilege	2244	UrbanVPN (1).exe
Token: SeCreatePermanentPrivilege	2244	UrbanVPN (1).exe
Token: SeBackupPrivilege	2244	UrbanVPN (1).exe
Token: SeRestorePrivilege	2244	UrbanVPN (1).exe
Token: SeShutdownPrivilege	2244	UrbanVPN (1).exe
Token: SeDebugPrivilege	2244	UrbanVPN (1).exe
Token: SeAuditPrivilege	2244	UrbanVPN (1).exe
Token: SeSystemEnvironmentPrivilege	2244	UrbanVPN (1).exe
Token: SeChangeNotifyPrivilege	2244	UrbanVPN (1).exe
Token: SeRemoteShutdownPrivilege	2244	UrbanVPN (1).exe
Token: SeUndockPrivilege	2244	UrbanVPN (1).exe
Token: SeSyncAgentPrivilege	2244	UrbanVPN (1).exe
Token: SeEnableDelegationPrivilege	2244	UrbanVPN (1).exe
Token: SeManageVolumePrivilege	2244	UrbanVPN (1).exe
Token: SeImpersonatePrivilege	2244	UrbanVPN (1).exe
Token: SeCreateGlobalPrivilege	2244	UrbanVPN (1).exe
Token: SeCreateTokenPrivilege	2244	UrbanVPN (1).exe
Token: SeAssignPrimaryTokenPrivilege	2244	UrbanVPN (1).exe
Token: SeLockMemoryPrivilege	2244	UrbanVPN (1).exe
Token: SeIncreaseQuotaPrivilege	2244	UrbanVPN (1).exe
Token: SeMachineAccountPrivilege	2244	UrbanVPN (1).exe
Token: SeTcbPrivilege	2244	UrbanVPN (1).exe
Token: SeSecurityPrivilege	2244	UrbanVPN (1).exe
Token: SeTakeOwnershipPrivilege	2244	UrbanVPN (1).exe
Token: SeLoadDriverPrivilege	2244	UrbanVPN (1).exe
Token: SeSystemProfilePrivilege	2244	UrbanVPN (1).exe
Token: SeSystemtimePrivilege	2244	UrbanVPN (1).exe
Token: SeProfSingleProcessPrivilege	2244	UrbanVPN (1).exe
Token: SeIncBasePriorityPrivilege	2244	UrbanVPN (1).exe
Token: SeCreatePagefilePrivilege	2244	UrbanVPN (1).exe
Token: SeCreatePermanentPrivilege	2244	UrbanVPN (1).exe
Token: SeBackupPrivilege	2244	UrbanVPN (1).exe
Token: SeRestorePrivilege	2244	UrbanVPN (1).exe
Token: SeShutdownPrivilege	2244	UrbanVPN (1).exe
Token: SeDebugPrivilege	2244	UrbanVPN (1).exe
Token: SeAuditPrivilege	2244	UrbanVPN (1).exe
Token: SeSystemEnvironmentPrivilege	2244	UrbanVPN (1).exe
Token: SeChangeNotifyPrivilege	2244	UrbanVPN (1).exe
Token: SeRemoteShutdownPrivilege	2244	UrbanVPN (1).exe
Token: SeUndockPrivilege	2244	UrbanVPN (1).exe
Token: SeSyncAgentPrivilege	2244	UrbanVPN (1).exe
Token: SeEnableDelegationPrivilege	2244	UrbanVPN (1).exe
Token: SeManageVolumePrivilege	2244	UrbanVPN (1).exe
Token: SeImpersonatePrivilege	2244	UrbanVPN (1).exe
Token: SeCreateGlobalPrivilege	2244	UrbanVPN (1).exe
Token: SeCreateTokenPrivilege	2244	UrbanVPN (1).exe
Token: SeAssignPrimaryTokenPrivilege	2244	UrbanVPN (1).exe
Token: SeLockMemoryPrivilege	2244	UrbanVPN (1).exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2244	UrbanVPN (1).exe
2244	UrbanVPN (1).exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	UrbanVPN (1).exe
2244	UrbanVPN (1).exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2984	2868	msiexec.exe	32
PID 2868 wrote to memory of 2984	2868	msiexec.exe	32
PID 2868 wrote to memory of 2984	2868	msiexec.exe	32
PID 2868 wrote to memory of 2984	2868	msiexec.exe	32
PID 2868 wrote to memory of 2984	2868	msiexec.exe	32
PID 2868 wrote to memory of 2984	2868	msiexec.exe	32
PID 2868 wrote to memory of 2984	2868	msiexec.exe	32
PID 2244 wrote to memory of 1504	2244	UrbanVPN (1).exe	33
PID 2244 wrote to memory of 1504	2244	UrbanVPN (1).exe	33
PID 2244 wrote to memory of 1504	2244	UrbanVPN (1).exe	33
PID 2244 wrote to memory of 1504	2244	UrbanVPN (1).exe	33
PID 2244 wrote to memory of 1504	2244	UrbanVPN (1).exe	33
PID 2244 wrote to memory of 1504	2244	UrbanVPN (1).exe	33
PID 2244 wrote to memory of 1504	2244	UrbanVPN (1).exe	33
PID 2868 wrote to memory of 1356	2868	msiexec.exe	37
PID 2868 wrote to memory of 1356	2868	msiexec.exe	37
PID 2868 wrote to memory of 1356	2868	msiexec.exe	37
PID 2868 wrote to memory of 1356	2868	msiexec.exe	37
PID 2868 wrote to memory of 1356	2868	msiexec.exe	37
PID 2868 wrote to memory of 1356	2868	msiexec.exe	37
PID 2868 wrote to memory of 1356	2868	msiexec.exe	37
PID 2868 wrote to memory of 1012	2868	msiexec.exe	38
PID 2868 wrote to memory of 1012	2868	msiexec.exe	38
PID 2868 wrote to memory of 1012	2868	msiexec.exe	38
PID 2868 wrote to memory of 1012	2868	msiexec.exe	38
PID 2868 wrote to memory of 1012	2868	msiexec.exe	38
PID 2868 wrote to memory of 1500	2868	msiexec.exe	40
PID 2868 wrote to memory of 1500	2868	msiexec.exe	40
PID 2868 wrote to memory of 1500	2868	msiexec.exe	40
PID 2868 wrote to memory of 1500	2868	msiexec.exe	40
PID 1500 wrote to memory of 2672	1500	MSIB5AF.tmp	41
PID 1500 wrote to memory of 2672	1500	MSIB5AF.tmp	41
PID 1500 wrote to memory of 2672	1500	MSIB5AF.tmp	41
PID 1500 wrote to memory of 2672	1500	MSIB5AF.tmp	41
PID 1500 wrote to memory of 1624	1500	MSIB5AF.tmp	43
PID 1500 wrote to memory of 1624	1500	MSIB5AF.tmp	43
PID 1500 wrote to memory of 1624	1500	MSIB5AF.tmp	43
PID 1500 wrote to memory of 1624	1500	MSIB5AF.tmp	43
PID 1196 wrote to memory of 2388	1196	DrvInst.exe	46
PID 1196 wrote to memory of 2388	1196	DrvInst.exe	46
PID 1196 wrote to memory of 2388	1196	DrvInst.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\UrbanVPN (1).exe
"C:\Users\Admin\AppData\Local\Temp\UrbanVPN (1).exe"
1⤵
- Enumerates connected drives
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\UrbanVPN (1).exe
  "C:\Users\Admin\AppData\Local\Temp\UrbanVPN (1).exe" /i "C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.2\install\63408BE\urbanvpninstaller.x64.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\UrbanVPN" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UrbanVPN" SECONDSEQUENCE="1" CLIENTPROCESSID="2244" AI_MORE_CMD_LINE=1
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:1504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CD7BB90C2DF73FC89FCD9170F324686 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D2D0274D2912B77615DE8EBA4F0085CE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1356
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B18CB9AA81245320F0C689AD4313C9C7
  2⤵
  - Blocklisted process makes network request
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Loads dropped DLL
  PID:1012
- C:\Windows\Installer\MSIB5AF.tmp
  "C:\Windows\Installer\MSIB5AF.tmp" /S /SELECT_UTILITIES=1
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Program Files\TAP-Windows\bin\tapinstall.exe
    "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Program Files\TAP-Windows\bin\tapinstall.exe
    "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2816

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C4" "00000000000005C0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2720

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3e5502e1-4f6d-0268-73c7-6f3c76ef4824}\oemvista.inf" "9" "6d14a44ff" "00000000000005C8" "WinSta0\Default" "0000000000000558" "208" "c:\program files\tap-windows\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{45b0a807-2f1d-5ac5-aa5c-3c57331a771d} Global\{573c5caa-ef30-5aa7-0bdb-eb61ef07ed42} C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\tap0901.cat
  2⤵
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
5869540ce061feb303e537be8ad46251

SHA1
357e6a1de3bb92b9efdd00e35c419f7824418843

SHA256
2e9c761b399112a534fc10eb775ccfe4ef62f32e181be79b37af977b9ef3cf65

SHA512
3c9791fc480b9437ceeefc1cf3d265e808702f26af7b5a2624a134fac570f276cdb2bd80673533b6d9d470d843d5c99934ba7bc40d8fbf002fadf70ba70bab38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_C3AAA786DBF6A5B54A1C96BD0D6E59D3

Filesize
727B

MD5
ae0d94638478a75152a55c8acf49783b

SHA1
8e6f613a355df04283fd15b198f071efb92d2623

SHA256
0c20d0314cb0ba07134dcc7930ec5cf9ca4e23014727a36b42645ab4e7c791e4

SHA512
1889bbfe9f8b873d97ec2e07a9978d29c8689c0958d8d50666f500f1fa191810e3b4828587cf1ff2facc9ee4234e395239cf640a2535f48832b06138e6af6096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
33fcf950ba4faa53d8c85d49613958a3

SHA1
7033e77c5b8d3831d139ae44a80b6acca23550c1

SHA256
c8a94d09937c2e3e5088a6a3bed4d30f8f270160c89481f94f65804f81ded795

SHA512
3cd02794924140b81e834ce08d1671afebb062b330054cbb58084d83269b029ebdbda7646d8534a1f091058222144aa497b8e021e62565ea7cdbd729e6291e58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
801bb8f81e5158bb80c24cd8cb4a329b

SHA1
f1db0117f6b14207520f44a93094ee40158ef5a2

SHA256
6299f817d5b11bf560c984183a0b0abb86541c6a13d996c9cdbc2389c3b226e1

SHA512
90f7d704a302d59d2fa252137db4948242703dfc179d6603e8db3046e65a6afed65b52d0e73fd11f2041d5224bfc85c8eab5bfe64bcc5ed10cdb7cd0a1e18778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_C3AAA786DBF6A5B54A1C96BD0D6E59D3

Filesize
404B

MD5
77cfb9ecdd6a9c3dac1fb1ffbe038783

SHA1
49f0e24b4b201557cf18c1faf87bd28ea78ef6d1

SHA256
7f3c4d9365c66df6e6d502b1bbe50445dcdf80efaf9f0394f5de919475589f6d

SHA512
ad0214322e8bd0d8a6d3cd7480876a63aa76dc5695e0419f7d4ceb6da51afa939e2f1bfee499253c121aa5fc7b999da0dbc7fd54039abdb0fd40e9952186a2ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
930adabcb21c743e930d034599b6d54f

SHA1
4daa502b8512b51ccacad167a3412ba2c20c047e

SHA256
43767816d4a978692ae81972151f3b6d22fb4c0b119de48b73938f95a71d5527

SHA512
1949052a1eef7acf6e5417e02c8659051649cfba227ffcae5361edda916a0d91e4e93e9ff8649a24e1c6a6f0be6f2648b0178ab34d59776392513564848bafc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
386c4c78c641b1819ccdce1ab4448c8f

SHA1
51ec12190a2f81f9219f457deab68b893e1b431f

SHA256
e801547dc858d36e672a3f61ddc56f6af78e8d18acd3be74640621aad664dcec

SHA512
41f20b0f024250405f2d88c80f92ef0b4af8d07cfdd6343c0f89490b9dc429e83607f01879ae222ac81366b1874af04ee07f7a20433bfdcf27e3ccd4f216c29d

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.2\tracking.ini

Filesize
84B

MD5
7bda72906664e40ccf4e2f21ec2f4419

SHA1
f3bcc51f3854c424be9f3bd65ce876296643fe27

SHA256
a7cf5e628d83175d17a06d3ca0a61e89359a196d9c7b1468edc630ced7c599c5

SHA512
8975de29979740b7d62a645efb0214728731c682068e83a8f568b76a811ba05e3434685ad3c3988813b3411158f9dd7a0ac89e81c9a139cf8347747f91e2d416

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.2\{6B4DF0A0-9CA0-4BB9-89E3-06C38A1177D3}.session

Filesize
309B

MD5
84702121b8b6c54a69fdc4f54143960e

SHA1
26bbb2a60f750b96aef2f1e763b5c633f837026d

SHA256
09b95e918538390741dd7149d0ba480fa9a8f8f80d0f7ef363bfdae88e2ce6d6

SHA512
b53cc26938c46f402ba381c4766e4970b8d6215aaa66100a15219683ab5a1af90fd3c074ec85c5698fbd2615b65fa11fcf975ea1182747ebfd35f0592963c27e

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.2\{6B4DF0A0-9CA0-4BB9-89E3-06C38A1177D3}.session

Filesize
4KB

MD5
7db0dede4f00ed57a2bb53ed0e5cc29f

SHA1
39fbb26cc01e7795221eb64ae5e1978751c7d2b3

SHA256
b3cb11cc045485cb08d8b5bd1343a89d9ef5d82a55c5f5a6d123a86224cf784f

SHA512
c43526e4ad93345385e041fa795405322e52930c1159c28f6d1751ccc49d193b04f1e46eed58350d83d5ecd76865bd477dba8e2481af3e0f6b2ec063a010b5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2244\banner.jpg

Filesize
7KB

MD5
cc08338efa87c4f5ef6351f2598fc28f

SHA1
bb5cecc5fe4dfbc13165eb9d76c2a7c48fea8af7

SHA256
c14948f437d22f943c3f887ce082cbcc69862cb5f4e0fa6b1e9e18cac22ea038

SHA512
d81a0bd1d179854abef657d3baf9b0b1187f5c6ef3152426fb1ad1029c74eeb5d7cf89801c7d075786a3b49d58a55654cb44ba45876a871fee4b118374cec5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2244\dialog.jpg

Filesize
21KB

MD5
81b61102f7970a8c83ecd382c4ab6def

SHA1
165795d45b6fa70661d073bb8c791114c0e6748e

SHA256
9a9ab67db52355b3d091e0bd58275e5c6633adbffc300ddb6607db7bbda88a15

SHA512
2b58f4da52cd687073cae64a0f467c3666daaca14bd95e38e544ae76319c3a9e7b5a223db6de2d92848822e23a9028d2cc97c64d7b2133aebbea5876e81e9937

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCEF5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID1BA.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID295.tmp

Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID50B.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID695.tmp

Filesize
196KB

MD5
efa1291d4eb0ff2050967dd63bfdbdc8

SHA1
54ba41d5a6fb192267b36127ff573cb112413fd8

SHA256
da78931d835e91c59cadaebc95fbae56020ce5031523a6a175fefa4582334ac4

SHA512
5fcce6422b0ee6827a57c5d0c476e36a5e75a880550b8041a0f3db42b630f483654508a797421ff4316fd84db549c8c78536a25d5da2de9eb60365720517d5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFD2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban_TOS.html

Filesize
17KB

MD5
2ef2475606bc51edf94f8f66a9c9af62

SHA1
abe3e2101b0c6056ab70fabc109f7264b840b1d1

SHA256
93155b2e6b2d3eaee65eaac4590f6783b4d8bb6747b183a85a2add26ff741444

SHA512
e0c00c073c21596d5271bbace43e865fc39d5a099640393f84cb0133ec95ed59c41f4f6024395a8f78f0c4c392ac413a4d2d699bbf1634458a3aab9e02c2ae29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB5D9.tmp\ShellLink.dll

Filesize
4KB

MD5
aad75be0bdd1f1bac758b521c9f1d022

SHA1
5d444b8432c8834f5b5cd29225101856cebb8ecf

SHA256
d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7

SHA512
4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB5D9.tmp\nsExec.dll

Filesize
6KB

MD5
50ba20cad29399e2db9fa75a1324bd1d

SHA1
3850634bb15a112623222972ef554c8d1eca16f4

SHA256
e7b145abc7c519e6bd91dc06b7b83d1e73735ac1ac37d30a7889840a6eed38fc

SHA512
893e053fcb0a2d3742e2b13b869941a3a485b2bda3a92567f84190cb1be170b67d20cc71c6a2cb92f4202140c8afd9c40a358496947d709e0c4b68d43a368754

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.2\install\63408BE\urbanvpninstaller.x64.msi

Filesize
7.8MB

MD5
38f395d699ebd1c9ee8034f4f1bfe01e

SHA1
a3eb5f3a824bc70ce6905007be4fbc36e60451bd

SHA256
7d0d55f0bade30d960843dc8e3aaf2b15d859dfbea53295e7924623666a040fc

SHA512
f2bcffe9374268c34ead79cc4ab687be4de2028d552204ca504567ae381dc8abd38d20a61165f69df5d93cd767de7cbb7ab219429755eb540d7ecc6242d303aa

Download Submit
C:\Windows\Installer\MSI8AE.tmp

Filesize
231KB

MD5
fd9c9125577e39e220c1e1b7c0206820

SHA1
67850a3ea6b672050f137e82cabfdcc4391a2423

SHA256
2877c6c075a9b7f67dcb335b0779385af7ec29895ba03455348c982a86ef04c1

SHA512
ba3a729b77a218f427ee7c185008e4482933b70e77bee1deff31c5ae16664e6da5f6a5fa1388888a3b96cf1d396380ecc92e3ca4cb227f7f1a5d5ed1e7022698

Download Submit
C:\Windows\Installer\MSIB54E.tmp

Filesize
284KB

MD5
e00a2d2e343f66d2325929bf99b0a446

SHA1
8ea50b11013a70afcbfc14396b09d432af7ed328

SHA256
d61b87cad6cda7962d80686ff2a7d529201ade8e99f7f09e6d3bdc22607cdb6d

SHA512
4221df8a5fa3efae28b9d43845cc8961e192f93cf64975d9bab35f01a2bdfb1fc74dcc6651cab3e3f2f87717f8dcdd1bf6794b7552373d325ff8c5d6a4d26e4c

Download Submit
C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB876.tmp

Filesize
7KB

MD5
50d29ca2e3ddb8a696923420ec2ac4fa

SHA1
d85f4e65fe10f13ded1780ddbd074edfc75f2d25

SHA256
817dff7f4944a255a0a33b8d74eb60a755d8d268cc7afd46fce41e102e0a004b

SHA512
03778a9cddd23639c88e24bb5d0446da3a400bb6b3321fb35887cd23d88d0f7ad3fe911642cc7f8d16d29cd9e42106851b0028379e8dbcb3c6721c238fc4a0d3

Download Submit
C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB877.tmp

Filesize
9KB

MD5
685d08d5e2a2450648a40b518e2046fc

SHA1
d99e38968de1ca1850971a2b81bfdab49626aaed

SHA256
56a658934acc55ad665d685ae05913b4710e053a8fd385c0798b96041da161b2

SHA512
619d08317328b351feea51c08c57b4704eea0a92836d6ed3be850478ea6a9c2a14dfa30c763581608e16983010ab2e12b51e3bec68f3480ee45a04c0e857fdb7

Download Submit
C:\Windows\System32\DriverStore\Temp\{4ad332e5-155e-6fe9-295c-9f0f3b94ba25}\SETB878.tmp

Filesize
30KB

MD5
7da5638f82f0ef7a759c9a35cfae38e3

SHA1
841a86f416a882b0743fd6d9c9f29baf3ed06b6a

SHA256
fb4825ce4b0bf61fa4e30109ef5d718906716560cdc8274092fcb072c5bd762d

SHA512
53867e2c53e263d9df613d973f946d0cee703acc4e48e63c9178fddcc34c070060957e77fd729e876a9adb20cc8cee4b0dbdc6166bac573fc7e84bfb0ae8e9f4

Download Submit
C:\Windows\Temp\CabB888.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB89A.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Users\Admin\AppData\Local\Temp\INAD199.tmp

Filesize
782KB

MD5
175d9b039177b405ee04c81f4c9aa4af

SHA1
6b523f7652761f4a24cf12ce08a32479ed03e8cf

SHA256
34a742397244bd2848291f7d1087eb43462a69272f22249e24c2aa71e79d14f3

SHA512
80f39a82a12899601da3dfc3092ba7465554b360a741fe26c0e4fbe3fac9b62ddde1f8c50f972eabf982427ac0b120edd67e8be31161a4ce4e2f8ef0dd53b26a

Download Submit
\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.2\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit