File name: UrbanVPN.exe

Full analysis: https://app.any.run/tasks/00cd3eaa-5bf3-4816-b7b6-2dd5c090d801
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: September 02, 2024, 00:55:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: adware, takemyfile, advancedinstaller
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 39089B4B80B37EF22A1759321FA6E750
SHA1: B9CECC18CFEA029E24F738714E130EA60AC8E667
SHA256: 56C0AE02C993971BC1A2FA42ABEC9B65E9AD0BAC1E7D275CAF2BC544088C5A10
SSDEEP: 393216:h1aXfeiyvl3HjZBhuur44tX884cbw0jSq:h164XXhuu84J6cbw0jSq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 6752)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • UrbanVPN.exe (PID: 6596)
      • msiexec.exe (PID: 7140)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 6752)
      • MSI5A8C.tmp (PID: 2248)
      • tapinstall.exe (PID: 4004)
      • drvinst.exe (PID: 6344)
      • drvinst.exe (PID: 1448)
    • Executable content was dropped or overwritten

      • UrbanVPN.exe (PID: 6596)
      • UrbanVPN.exe (PID: 4064)
      • MSI5A8C.tmp (PID: 2248)
      • tapinstall.exe (PID: 4004)
      • drvinst.exe (PID: 6344)
      • drvinst.exe (PID: 1448)
    • Reads security settings of Internet Explorer

      • UrbanVPN.exe (PID: 6596)
      • UrbanVPN.exe (PID: 4064)
      • tapinstall.exe (PID: 4004)
      • MSI631C.tmp (PID: 5288)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Reads the Windows owner or organization settings

      • UrbanVPN.exe (PID: 6596)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 6752)
    • Checks Windows Trust Settings

      • UrbanVPN.exe (PID: 6596)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 6752)
      • tapinstall.exe (PID: 4004)
      • drvinst.exe (PID: 6344)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Process drops legitimate windows executable

      • UrbanVPN.exe (PID: 6596)
      • msiexec.exe (PID: 7140)
      • UrbanVPN.exe (PID: 4064)
    • Reads Microsoft Outlook installation path

      • UrbanVPN.exe (PID: 6596)
    • Checks for Java to be installed

      • msiexec.exe (PID: 7140)
    • Application launched itself

      • UrbanVPN.exe (PID: 6596)
    • Reads the date of Windows installation

      • UrbanVPN.exe (PID: 6596)
      • MSI631C.tmp (PID: 5288)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Reads Internet Explorer settings

      • UrbanVPN.exe (PID: 6596)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5656)
      • urbanvpnserv.exe (PID: 7320)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • MSI5A8C.tmp (PID: 2248)
    • Drops a system driver (possible attempt to evade defenses)

      • MSI5A8C.tmp (PID: 2248)
      • tapinstall.exe (PID: 4004)
      • drvinst.exe (PID: 6344)
      • drvinst.exe (PID: 1448)
    • The process creates files with name similar to system file names

      • MSI5A8C.tmp (PID: 2248)
    • Creates files in the driver directory

      • drvinst.exe (PID: 6344)
      • drvinst.exe (PID: 1448)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 1448)
    • Creates a software uninstall entry

      • MSI5A8C.tmp (PID: 2248)
    • Connects to unusual port

      • msiexec.exe (PID: 2796)
      • urbanvpnserv.exe (PID: 7320)
  • INFO

    • Creates files or folders in the user directory

      • UrbanVPN.exe (PID: 6596)
    • Reads the computer name

      • UrbanVPN.exe (PID: 6596)
      • msiexec.exe (PID: 6752)
      • msiexec.exe (PID: 7140)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 4540)
      • msiexec.exe (PID: 2796)
      • tapinstall.exe (PID: 4004)
      • MSI5A8C.tmp (PID: 2248)
      • MSI631C.tmp (PID: 5288)
      • drvinst.exe (PID: 6344)
      • drvinst.exe (PID: 1448)
      • msiexec.exe (PID: 6664)
      • UrbanVPNUpdater.exe (PID: 5544)
      • urbanvpnserv.exe (PID: 7320)
      • UrbanVPNUpdater.exe (PID: 8024)
      • urbanvpn-gui.exe (PID: 8068)
      • identity_helper.exe (PID: 7200)
    • Checks supported languages

      • UrbanVPN.exe (PID: 6596)
      • msiexec.exe (PID: 6752)
      • msiexec.exe (PID: 7140)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 4540)
      • msiexec.exe (PID: 2796)
      • MSI5A8C.tmp (PID: 2248)
      • tapinstall.exe (PID: 4004)
      • tapinstall.exe (PID: 4824)
      • drvinst.exe (PID: 6344)
      • drvinst.exe (PID: 1448)
      • MSI631C.tmp (PID: 5288)
      • msiexec.exe (PID: 6664)
      • UrbanVPNUpdater.exe (PID: 5544)
      • UrbanVPNUpdater.exe (PID: 8024)
      • urbanvpnserv.exe (PID: 7320)
      • urbanvpn-gui.exe (PID: 8068)
      • urbanvpn.exe (PID: 8104)
      • identity_helper.exe (PID: 7200)
    • Reads the machine GUID from the registry

      • UrbanVPN.exe (PID: 6596)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 6752)
      • msiexec.exe (PID: 2796)
      • tapinstall.exe (PID: 4004)
      • drvinst.exe (PID: 6344)
      • msiexec.exe (PID: 6664)
      • urbanvpnserv.exe (PID: 7320)
      • urbanvpn-gui.exe (PID: 8068)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Checks proxy server information

      • UrbanVPN.exe (PID: 6596)
      • MSI631C.tmp (PID: 5288)
      • urbanvpn-gui.exe (PID: 8068)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Reads the software policy settings

      • UrbanVPN.exe (PID: 6596)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 6752)
      • tapinstall.exe (PID: 4004)
      • drvinst.exe (PID: 6344)
      • urbanvpn-gui.exe (PID: 8068)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Create files in a temporary directory

      • UrbanVPN.exe (PID: 6596)
      • msiexec.exe (PID: 7140)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 4540)
      • MSI5A8C.tmp (PID: 2248)
      • tapinstall.exe (PID: 4004)
      • MSI631C.tmp (PID: 5288)
    • Reads Environment values

      • UrbanVPN.exe (PID: 6596)
      • msiexec.exe (PID: 7140)
      • UrbanVPN.exe (PID: 4064)
      • msiexec.exe (PID: 4540)
      • urbanvpnserv.exe (PID: 7320)
      • identity_helper.exe (PID: 7200)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7140)
      • msiexec.exe (PID: 6752)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 7140)
      • MSI631C.tmp (PID: 5288)
      • msedge.exe (PID: 7128)
      • msedge.exe (PID: 6976)
    • Process checks Internet Explorer phishing filters

      • UrbanVPN.exe (PID: 6596)
    • The process uses the downloaded file

      • UrbanVPN.exe (PID: 6596)
      • MSI631C.tmp (PID: 5288)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Process checks computer location settings

      • UrbanVPN.exe (PID: 6596)
      • MSI631C.tmp (PID: 5288)
      • UrbanVPNUpdater.exe (PID: 8024)
    • Application launched itself

      • msiexec.exe (PID: 6752)
      • msedge.exe (PID: 7128)
      • msedge.exe (PID: 6976)
    • Process checks whether UAC notifications are on

      • msiexec.exe (PID: 2796)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 6752)
    • Creates files in the program directory

      • MSI5A8C.tmp (PID: 2248)
      • UrbanVPNUpdater.exe (PID: 8024)
      • urbanvpn-gui.exe (PID: 8068)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6752)
    • Manual execution by a user

      • UrbanVPNUpdater.exe (PID: 8024)
      • msedge.exe (PID: 6976)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:21 13:48:47+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.31
CodeSize: 2193920
InitializedDataSize: 892416
UninitializedDataSize: -
EntryPoint: 0x197714
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.3.0.3
ProductVersionNumber: 2.3.0.3
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Urban Security
FileDescription: UrbanVPN Installer
FileVersion: 2.3.0.3
InternalName: urbanvpn_setup_2.3.0.3
LegalCopyright: Copyright (C) 2024 Urban Security
OriginalFileName: urbanvpn_setup_2.3.0.3.exe
ProductName: UrbanVPN
ProductVersion: 2.3.0.3
Total processes: 189
Monitored processes: 69
Malicious processes: 5
Suspicious processes: 3

Behavior graph

Processes shown in the graph (interactive rendering not reproduced here; several nodes are marked "no specs"): urbanvpn.exe, msiexec.exe, vssvc.exe, srtasks.exe, conhost.exe, msi5a8c.tmp, tapinstall.exe, drvinst.exe, msi631c.tmp, msedge.exe, urbanvpnupdater.exe, HNetCfg.FwPolicy2, urbanvpnserv.exe, urbanvpn-gui.exe, identity_helper.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1020
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3504 --field-trial-handle=2388,i,5905874350829707557,12590169213451730964,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1080
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x2fc,0x300,0x304,0x2f8,0x30c,0x7fffd2645fd8,0x7fffd2645fe4,0x7fffd2645ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1448
CMD: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "00000000000000EC"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 1840
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6808 --field-trial-handle=2388,i,5905874350829707557,12590169213451730964,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2248
CMD: "C:\WINDOWS\Installer\MSI5A8C.tmp" /S /SELECT_UTILITIES=1
Path: C:\Windows\Installer\MSI5A8C.tmp
Parent process: msiexec.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\installer\msi5a8c.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2628
CMD: "C:\Users\admin\Desktop\UrbanVPN.exe"
Path: C:\Users\admin\Desktop\UrbanVPN.exe
Parent process: explorer.exe
User: admin
Company: Urban Security
Integrity Level: MEDIUM
Description: UrbanVPN Installer
Exit code: 3221226540
Version: 2.3.0.3
Modules
Images
c:\users\admin\desktop\urbanvpn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2796
CMD: C:\Windows\System32\MsiExec.exe -Embedding B7AE3A25FD19600D7509397FE4454A83
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 3832
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 4004
CMD: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
Path: C:\Program Files\TAP-Windows\bin\tapinstall.exe
Parent process: MSI5A8C.tmp
User: admin
Company: Windows (R) Win 7 DDK provider
Integrity Level: HIGH
Description: Windows Setup API
Exit code: 0
Version: 10.0.10011.16384
Modules
Images
c:\program files\tap-windows\bin\tapinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4008
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3996 --field-trial-handle=2388,i,5905874350829707557,12590169213451730964,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 57 741
Read events: 57 135
Write events: 571
Delete events: 35

Modification events

(PID) Process: (6596) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6596) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6596) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6596) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6596) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6596) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6596) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6752) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4800000000000000D1EB15DAD2FCDA01601A0000381A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6752) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 4800000000000000D1EB15DAD2FCDA01601A0000381A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6752) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000A2E753DAD2FCDA01601A0000381A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 107
Suspicious files: 278
Text files: 125
Unknown types: 5

Dropped files

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\holder0.aiph
Type:
MD5:
SHA256:

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\A28FC47\urbanvpninstaller.msi
Type:
MD5:
SHA256:

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\A28FC47\urbanvpninstaller.x64.msi
Type:
MD5:
SHA256:

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: 7327332A7FF3290684FEBF9728F937CF
SHA256: BC1BF7D60E813F1741B7CDB35FE0B74F8495E3D5066649B0705FF06808D25432

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\Local\Temp\INAD6FF.tmp
Type: executable
MD5: 175D9B039177B405EE04C81F4C9AA4AF
SHA256: 34A742397244BD2848291F7D1087EB43462A69272F22249E24C2AA71E79D14F3

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_7FC12770964C92F4BAD25029FC641CBD
Type: binary
MD5: 3F68D78A7E9BDD15226A5A3A9450E1EC
SHA256: D93BE1A6DC9417B702E18E1DA3D34CCD80F319686900442FAE67DA9BB70FD918

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\Local\Temp\shiD71F.tmp
Type: executable
MD5: 84A34BF3486F7B9B7035DB78D78BDD1E
SHA256: F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.3\{5A07C4EB-0A6F-46C1-8BAB-D757A0845FE6}.session
Type: text
MD5: 5596E5480352BA9207B64660625B4964
SHA256: FCCD3DF93BB87843C7B909B4FF6BA510C7C9E5A75505DB20B4F270215121BDD3

PID: 6596
Process: UrbanVPN.exe
Filename: C:\Users\admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\decoder.dll
Type: executable
MD5: 899944FB96CCC34CFBD2CCB9134367C5
SHA256: 780D10EDA2B9A0A10BF844A7C8B6B350AA541C5BBD24022FF34F99201F9E9259

PID: 7140
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\shiD7F9.tmp
Type: executable
MD5: F8020A76E8616207AB1FE91334E5E934
SHA256: 67D9FFB4E10EB0C300DA8B52B32728F9683FD4E5AA70AE5307E15CDF0F07A07A
HTTP(S) requests: 214
TCP/UDP connections: 144
DNS requests: 71
Threats: 88

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6596
UrbanVPN.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6596
UrbanVPN.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6596
UrbanVPN.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAN8OBm6V%2FQ712OcDUKDCyI%3D
unknown
whitelisted
2796
msiexec.exe
POST
200
148.72.165.78:40004
http://analytics.urban-vpn.com:40004/tickets
unknown
2796
msiexec.exe
POST
200
148.72.165.78:40000
http://analytics.urban-vpn.com:40000/tickets
unknown
2796
msiexec.exe
POST
200
148.72.165.78:40000
http://analytics.urban-vpn.com:40000/tickets
unknown
2796
msiexec.exe
POST
200
148.72.165.78:40000
http://analytics.urban-vpn.com:40000/tickets
unknown
GET
200
3.160.150.69:443
https://www.urban-vpn.com/wp-content/themes/urbanvpn/font/DMSans-Regular.woff2
unknown
woff2
27.1 Kb
GET
200
3.160.150.2:443
https://www.urban-vpn.com/wp-content/cache/min/1/wp-content/plugins/sitepress-multilingual-cms/dist/css/blocks/styles.css?ver=1724074763
unknown
text
56.8 Kb
GET
200
3.160.150.118:443
https://www.urban-vpn.com/wp-content/cache/min/1/wp-content/plugins/wpml-cms-nav/res/css/cms-navigation.css?ver=1724074763
unknown
text
1.16 Kb

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6596
UrbanVPN.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2796
msiexec.exe
148.72.165.78:40004
analytics.urban-vpn.com
AS-30083-GO-DADDY-COM-LLC
US
unknown
2796
msiexec.exe
148.72.165.78:40000
analytics.urban-vpn.com
AS-30083-GO-DADDY-COM-LLC
US
unknown
6976
msedge.exe
239.255.255.250:1900
whitelisted
4528
msedge.exe
3.160.150.69:443
www.urban-vpn.com
US
unknown
4528
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
analytics.urban-vpn.com
  • 148.72.165.78
  • 148.72.152.76
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
www.urban-vpn.com
  • 3.160.150.69
  • 3.160.150.118
  • 3.160.150.38
  • 3.160.150.2
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
86 ETPRO signatures available at the full report
Process
Message
msiexec.exe
Logger::SetLogFile( C:\Users\admin\AppData\Roaming\Caphyon\Advanced Installer\AI_ResourceCleaner.log ) while OLD path is:
UrbanVPNUpdater.exe
Logger::SetLogFile( C:\ProgramData\UrbanVPN\updates\updater.log ) while OLD path is:
msiexec.exe
Logger::SetLogFile( C:\Users\admin\AppData\Roaming\Caphyon\Advanced Installer\AI_ResourceCleaner.log ) while OLD path is:
msiexec.exe
Logger::SetLogFile( C:\Users\admin\AppData\Roaming\Caphyon\Advanced Installer\AI_ResourceCleaner.log ) while OLD path is:
UrbanVPNUpdater.exe
Logger::SetLogFile( C:\ProgramData\UrbanVPN\updates\updater.log ) while OLD path is:
urbanvpn-gui.exe
First instance of UrbanVPN was started.