File name: UrbanVPN.exe

Full analysis: https://app.any.run/tasks/0108b1fa-af4a-4b6a-9243-8d81349394ac
Verdict: Malicious activity
Threats: Adware

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: January 05, 2026, 17:06:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
advancedinstaller
auto-reg
adware
takemyfile
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 0513CC05D5DC706DFFB3C588E9C3983A
SHA1: D72695E92C4A925DEBBCA48F00B74C4DE8FB2C5D
SHA256: 7995E11D7247AD47735AD354D8CB31DE629BE6EBA4CE703707578CA3DB471785
SSDEEP: 393216:62HTK4+quqCjV9phVT9ic1K2yE78+GiqQ5dH2mtR:NKmsVvhdkkKxZKWmP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • VC_redist.x86.exe (PID: 7368)
      • VC_redist.x86.exe (PID: 7652)
      • msiexec.exe (PID: 8056)
  • SUSPICIOUS

    • ADVANCEDINSTALLER mutex has been found

      • UrbanVPN.exe (PID: 7848)
    • Reads the Windows owner or organization settings

      • UrbanVPN.exe (PID: 7848)
      • msiexec.exe (PID: 8056)
      • UrbanVPN.exe (PID: 1572)
    • Checks for Java to be installed

      • msiexec.exe (PID: 8096)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 8096)
      • UrbanVPN.exe (PID: 7848)
      • UrbanVPN.exe (PID: 7196)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 7180)
      • VC_redist.x86.exe (PID: 7368)
      • msiexec.exe (PID: 8056)
      • VC_redist.x86.exe (PID: 6544)
      • UrbanVPN.exe (PID: 1572)
      • msiexec.exe (PID: 7264)
    • Executable content was dropped or overwritten

      • UrbanVPN.exe (PID: 7848)
      • UrbanVPN.exe (PID: 7196)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 7180)
      • VC_redist.x86.exe (PID: 7368)
      • VC_redist.x86.exe (PID: 4968)
      • VC_redist.x86.exe (PID: 6544)
      • VC_redist.x86.exe (PID: 8180)
      • UrbanVPN.exe (PID: 1572)
      • tapinstall.exe (PID: 5104)
      • MSI2D9D.tmp (PID: 1984)
    • Reads security settings of Internet Explorer

      • UrbanVPN.exe (PID: 7848)
      • msiexec.exe (PID: 8096)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 4968)
      • UrbanVPN.exe (PID: 1572)
      • VC_redist.x86.exe (PID: 8180)
      • tapinstall.exe (PID: 5104)
      • Urban Vpn Updater.exe (PID: 8064)
      • Urban Vpn Updater.exe (PID: 6900)
    • There is functionality for taking screenshot (YARA)

      • UrbanVPN.exe (PID: 7848)
    • Reads Microsoft Outlook installation path

      • UrbanVPN.exe (PID: 7848)
    • Reads Internet Explorer settings

      • UrbanVPN.exe (PID: 7848)
    • Detects AdvancedInstaller (YARA)

      • UrbanVPN.exe (PID: 7848)
    • Starts a Microsoft application from unusual location

      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 7368)
    • Searches for installed software

      • VC_redist.x86.exe (PID: 7296)
      • dllhost.exe (PID: 7360)
      • VC_redist.x86.exe (PID: 8156)
      • VC_redist.x86.exe (PID: 4968)
      • VC_redist.x86.exe (PID: 6544)
      • VC_redist.x86.exe (PID: 8180)
      • VC_redist.x86.exe (PID: 7652)
    • Starts itself from another location

      • VC_redist.x86.exe (PID: 7296)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5176)
      • urban-vpn-service.exe (PID: 1068)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 8056)
      • msiexec.exe (PID: 7264)
      • UrbanVPN.exe (PID: 7848)
    • Application launched itself

      • VC_redist.x86.exe (PID: 8156)
      • VC_redist.x86.exe (PID: 8116)
      • VC_redist.x86.exe (PID: 5612)
      • VC_redist.x86.exe (PID: 4968)
      • UrbanVPN.exe (PID: 7848)
      • VC_redist.x86.exe (PID: 8180)
    • Connects to unusual port

      • msiexec.exe (PID: 7264)
      • urban-vpn-service.exe (PID: 1068)
      • urban-vpn-app.exe (PID: 7840)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • MSI2D9D.tmp (PID: 1984)
    • Drops a system driver (possible attempt to evade defenses)

      • MSI2D9D.tmp (PID: 1984)
      • tapinstall.exe (PID: 5104)
      • drvinst.exe (PID: 7204)
      • drvinst.exe (PID: 7996)
    • The process creates files with name similar to system file names

      • MSI2D9D.tmp (PID: 1984)
      • msiexec.exe (PID: 8056)
  • INFO

    • Reads the computer name

      • UrbanVPN.exe (PID: 7848)
      • msiexec.exe (PID: 8096)
      • msiexec.exe (PID: 8056)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 7368)
      • VC_redist.x86.exe (PID: 4968)
      • VC_redist.x86.exe (PID: 6544)
      • UrbanVPN.exe (PID: 1572)
      • msiexec.exe (PID: 7264)
      • VC_redist.x86.exe (PID: 8180)
      • VC_redist.x86.exe (PID: 7652)
      • MSI2D9D.tmp (PID: 1984)
      • tapinstall.exe (PID: 5104)
      • drvinst.exe (PID: 7204)
      • drvinst.exe (PID: 7996)
      • msiexec.exe (PID: 7200)
      • Urban Vpn Updater.exe (PID: 5600)
      • urban-vpn-service.exe (PID: 1068)
      • Urban Vpn Updater.exe (PID: 8064)
      • urban-vpn-app.exe (PID: 7840)
      • Urban Vpn Updater.exe (PID: 6900)
      • urban-vpn-app.exe (PID: 7356)
    • Creates files or folders in the user directory

      • UrbanVPN.exe (PID: 7848)
      • UrbanVPN.exe (PID: 7196)
      • urban-vpn-app.exe (PID: 7840)
    • The sample compiled with english language support

      • UrbanVPN.exe (PID: 7848)
      • msiexec.exe (PID: 8096)
      • UrbanVPN.exe (PID: 7196)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 7180)
      • VC_redist.x86.exe (PID: 7368)
      • VC_redist.x86.exe (PID: 8180)
      • msiexec.exe (PID: 8056)
      • VC_redist.x86.exe (PID: 4968)
      • VC_redist.x86.exe (PID: 6544)
      • UrbanVPN.exe (PID: 1572)
      • msiexec.exe (PID: 7264)
      • MSI2D9D.tmp (PID: 1984)
      • tapinstall.exe (PID: 5104)
      • drvinst.exe (PID: 7204)
      • drvinst.exe (PID: 7996)
    • Checks supported languages

      • msiexec.exe (PID: 8056)
      • UrbanVPN.exe (PID: 7848)
      • UrbanVPN.exe (PID: 7196)
      • msiexec.exe (PID: 8096)
      • VC_redist.x86.exe (PID: 7180)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 7368)
      • VC_redist.x86.exe (PID: 8156)
      • VC_redist.x86.exe (PID: 8116)
      • VC_redist.x86.exe (PID: 8180)
      • VC_redist.x86.exe (PID: 5612)
      • VC_redist.x86.exe (PID: 4968)
      • VC_redist.x86.exe (PID: 6544)
      • UrbanVPN.exe (PID: 1572)
      • msiexec.exe (PID: 7264)
      • VC_redist.x86.exe (PID: 7652)
      • MSI2D9D.tmp (PID: 1984)
      • tapinstall.exe (PID: 7316)
      • tapinstall.exe (PID: 5104)
      • drvinst.exe (PID: 7204)
      • drvinst.exe (PID: 7996)
      • Urban Vpn Updater.exe (PID: 5600)
      • msiexec.exe (PID: 7200)
      • urban-vpn-service.exe (PID: 1068)
      • Urban Vpn Updater.exe (PID: 8064)
      • urban-vpn-app.exe (PID: 7840)
      • Urban Vpn Updater.exe (PID: 6900)
      • urban-vpn-app.exe (PID: 7356)
    • Reads Environment values

      • UrbanVPN.exe (PID: 7848)
      • msiexec.exe (PID: 8096)
      • UrbanVPN.exe (PID: 1572)
      • msiexec.exe (PID: 7264)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 8096)
      • msiexec.exe (PID: 8056)
      • msiexec.exe (PID: 7264)
    • Create files in a temporary directory

      • msiexec.exe (PID: 8096)
      • UrbanVPN.exe (PID: 7848)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 7368)
      • VC_redist.x86.exe (PID: 4968)
      • VC_redist.x86.exe (PID: 8180)
      • UrbanVPN.exe (PID: 1572)
      • msiexec.exe (PID: 7264)
      • tapinstall.exe (PID: 5104)
      • MSI2D9D.tmp (PID: 1984)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 8096)
    • Reads the machine GUID from the registry

      • UrbanVPN.exe (PID: 7848)
      • VC_redist.x86.exe (PID: 7368)
      • msiexec.exe (PID: 8056)
      • UrbanVPN.exe (PID: 1572)
      • msiexec.exe (PID: 7264)
      • tapinstall.exe (PID: 5104)
      • urban-vpn-service.exe (PID: 1068)
      • drvinst.exe (PID: 7204)
      • Urban Vpn Updater.exe (PID: 8064)
      • urban-vpn-app.exe (PID: 7840)
    • Checks proxy server information

      • UrbanVPN.exe (PID: 7848)
      • slui.exe (PID: 7892)
      • Urban Vpn Updater.exe (PID: 8064)
      • urban-vpn-app.exe (PID: 7840)
    • Process checks computer location settings

      • msiexec.exe (PID: 8096)
      • UrbanVPN.exe (PID: 7848)
      • VC_redist.x86.exe (PID: 7296)
      • VC_redist.x86.exe (PID: 4968)
      • VC_redist.x86.exe (PID: 8180)
      • Urban Vpn Updater.exe (PID: 8064)
      • Urban Vpn Updater.exe (PID: 6900)
    • Manages system restore points

      • SrTasks.exe (PID: 7824)
    • Launching a file from a Registry key

      • VC_redist.x86.exe (PID: 7368)
      • VC_redist.x86.exe (PID: 7652)
      • msiexec.exe (PID: 8056)
    • Creates files in the program directory

      • VC_redist.x86.exe (PID: 7368)
      • MSI2D9D.tmp (PID: 1984)
      • Urban Vpn Updater.exe (PID: 8064)
    • Creates a software uninstall entry

      • VC_redist.x86.exe (PID: 7368)
      • msiexec.exe (PID: 8056)
      • VC_redist.x86.exe (PID: 7652)
      • MSI2D9D.tmp (PID: 1984)
    • Manual execution by a user

      • VC_redist.x86.exe (PID: 8156)
      • Urban Vpn Updater.exe (PID: 8064)
      • Urban Vpn Updater.exe (PID: 6900)
    • Creating file in SysWOW64

      • msiexec.exe (PID: 8056)
    • Process checks whether UAC notifications are on

      • msiexec.exe (PID: 7264)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 8056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:03 13:51:40+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.43
CodeSize: 2920960
InitializedDataSize: 1195008
UninitializedDataSize: -
EntryPoint: 0x2351b0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 4.0.5.0
ProductVersionNumber: 4.0.5.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Urban Cyber Security
FileDescription: UrbanVPN Installer
FileVersion: 4.0.5.0
InternalName: UrbanVPN-no-promo-version-v4.0.5.0-276e9df-release-prod
LegalCopyright: Copyright (C) 2025 Urban Cyber Security
OriginalFileName: UrbanVPN-no-promo-version-v4.0.5.0-276e9df-release-prod.exe
ProductName: UrbanVPN
ProductVersion: 4.0.5.0
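A practitioner reading this report usually wants two checks before trusting it for their own copy of the file: that the hashes match the Indicators section, and that the PE header fields ExifTool lists above (MachineType, TimeStamp, ImageFileCharacteristics, LinkerVersion, CodeSize, EntryPoint, Subsystem) are derived from the file and not just quoted. The script below is an added example, not part of the ANY.RUN report and not UrbanVPN code. It parses the DOS, COFF and PE32 optional headers with the standard library only, and compares a file's digests against the report's hashes. `build_demo_pe()` is a constructed stand-in header carrying the report's ExifTool values so the script runs offline; it is not the sample, so its hashes will not match, which is the expected result for anything other than the real file.

```python
"""Check a file against this report's indicators: hashes (MD5/SHA1/SHA256) and
the PE header fields ExifTool lists (MachineType, TimeStamp, LinkerVersion,
EntryPoint, Subsystem, CodeSize, ...). Standard library only."""
import hashlib
import struct
from datetime import datetime, timezone

# Hashes copied from the Indicators section of the report (lower-cased).
REPORT_HASHES = {
    "md5": "0513cc05d5dc706dffb3c588e9c3983a",
    "sha1": "d72695e92c4a925debbca48f00b74c4de8fb2c5d",
    "sha256": "7995e11d7247ad47735ad354d8cb31de629be6eba4ce703707578ca3db471785",
}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
# IMAGE_FILE_* characteristics, in the order ExifTool prints them.
CHARACTERISTICS = [(0x0002, "Executable"), (0x0020, "Large address aware"),
                   (0x0100, "32-bit"), (0x2000, "DLL")]


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def check_sample(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """True per algorithm when the file matches the report; any False means a different build."""
    actual = file_hashes(data)
    return {alg: actual[alg] == digest.lower() for alg, digest in expected.items()}


def parse_pe_header(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes; optional header follows
    magic, lnk_major, lnk_minor, code, idata, _udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_major = struct.unpack_from("<H", data, opt + 40)[0]       # MajorOperatingSystemVersion
    subsys_major = struct.unpack_from("<H", data, opt + 48)[0]   # MajorSubsystemVersion
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # Subsystem (same offset in PE32/PE32+)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        "TimeStamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{lnk_major}.{lnk_minor}",
        "CodeSize": code,
        "InitializedDataSize": idata,
        "EntryPoint": hex(entry),
        "OSVersion": os_major,
        "SubsystemVersion": subsys_major,
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_demo_pe() -> bytes:
    """Constructed stand-in: a bare PE header carrying the report's ExifTool values.
    It is NOT the UrbanVPN sample; it only lets the parser run offline."""
    ts = int(datetime(2025, 3, 3, 13, 51, 40, tzinfo=timezone.utc).timestamp())
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 7, ts, 0, 0, 224, 0x0002 | 0x0020 | 0x0100)
    opt = bytearray(224)                                       # PE32 optional header size
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 43, 2920960, 1195008, 0, 0x2351B0)
    struct.pack_into("<H", opt, 40, 6)                         # MajorOperatingSystemVersion
    struct.pack_into("<H", opt, 48, 6)                         # MajorSubsystemVersion
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem = Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    print("hash match vs report:", check_sample(blob))
    for field, value in parse_pe_header(blob).items():
        print(f"{field}: {value}")
```

Run it with the path to your copy of the file as the only argument; with no argument it parses the constructed header. All three hash comparisons must be True before any conclusion from this report is applied to your file, since installers of this kind are rebuilt often and a differing build can bundle different components.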
All screenshots are available in the full report
Total processes: 185
Monitored processes: 38
Malicious processes: 4
Suspicious processes: 5

Behavior graph

Process chain as launched in the sandbox ("no specs" is the report's marker for a process with no specific behavior indicators):
start urbanvpn.exe msiexec.exe msiexec.exe urbanvpn.exe vc_redist.x86.exe vc_redist.x86.exe vc_redist.x86.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs vc_redist.x86.exe no specs vc_redist.x86.exe no specs vc_redist.x86.exe vc_redist.x86.exe no specs vc_redist.x86.exe vc_redist.x86.exe urbanvpn.exe msiexec.exe vc_redist.x86.exe SPPSurrogate no specs slui.exe msi2d9d.tmp tapinstall.exe no specs conhost.exe no specs tapinstall.exe conhost.exe no specs drvinst.exe no specs drvinst.exe no specs msiexec.exe no specs urban vpn updater.exe urban-vpn-service.exe urban vpn updater.exe urban-vpn-app.exe urban vpn updater.exe urban-vpn-app.exe no specs svchost.exe urbanvpn.exe no specs

Process information

Columns: PID | CMD | Path | Indicators | Parent process (each entry is followed by user, integrity level and the first loaded modules)
PID: 1068
CMD: "C:\Program Files (x86)\UrbanVPN\bin\urban-vpn-service.exe"
Path: C:\Program Files (x86)\UrbanVPN\bin\urban-vpn-service.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules
Images
c:\program files (x86)\urbanvpn\bin\urban-vpn-service.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID: 1572
CMD: "C:\Users\admin\Desktop\UrbanVPN.exe" /i "C:\Users\admin\AppData\Roaming\Urban Cyber Security\UrbanVPN 4.0.5.0\install\0A1C40D\UrbanVPN.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\UrbanVPN" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UrbanVPN" SECONDSEQUENCE="1" CLIENTPROCESSID="7848" AI_MORE_CMD_LINE=1
Path: C:\Users\admin\Desktop\UrbanVPN.exe
Parent process: UrbanVPN.exe
User: admin
Company: Urban Cyber Security
Integrity Level: HIGH
Description: UrbanVPN Installer
Exit code: 0
Version: 4.0.5.0
Modules
Images
c:\users\admin\desktop\urbanvpn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imagehlp.dll
PID: 1984
CMD: "C:\WINDOWS\Installer\MSI2D9D.tmp" /S /SELECT_UTILITIES=1
Path: C:\Windows\Installer\MSI2D9D.tmp
Parent process: msiexec.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\installer\msi2d9d.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4968
CMD: "C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe" -burn.filehandle.attached=536 -burn.filehandle.self=556 -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=1036 -burn.embedded BurnPipe.{78DABA06-7621-43C0-A41D-960E36B8867A} {5A050285-DD00-4E2E-AC55-A9038E20078E} 7368
Path: C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe
Parent process: VC_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532
Exit code: 0
Version: 14.36.32532.0
Modules
Images
c:\programdata\package cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5104
CMD: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
Path: C:\Program Files\TAP-Windows\bin\tapinstall.exe
Parent process: MSI2D9D.tmp
User: admin
Company: Windows (R) Win 7 DDK provider
Integrity Level: HIGH
Description: Windows Setup API
Exit code: 0
Version: 10.0.10011.16384
Modules
Images
c:\program files\tap-windows\bin\tapinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5176
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5600
CMD: "C:\Program Files (x86)\UrbanVPN\Urban Vpn Updater.exe" /configservice -name "UrbanVPN-Updater"
Path: C:\Program Files (x86)\UrbanVPN\Urban Vpn Updater.exe
Parent process: msiexec.exe
User: admin
Company: Urban Cyber Security
Integrity Level: HIGH
Description: Urban Vpn Updater 4.0.5.0
Exit code: 0
Version: 4.0.5.0
Modules
Images
c:\program files (x86)\urbanvpn\urban vpn updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 5612
CMD: "C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=1036 -burn.embedded BurnPipe.{78DABA06-7621-43C0-A41D-960E36B8867A} {5A050285-DD00-4E2E-AC55-A9038E20078E} 7368
Path: C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe
Parent process: VC_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532
Exit code: 0
Version: 14.36.32532.0
Modules
Images
c:\programdata\package cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6544
CMD: "C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{A8DC5E86-9FF5-4B2F-B8A8-7AD76EF1D2E2} {395167C4-F313-4558-AF9A-60DB1BF48F95} 4968
Path: C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe
Parent process: VC_redist.x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532
Exit code: 0
Version: 14.36.32532.0
Modules
Images
c:\programdata\package cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\vc_redist.x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 45 160
Read events: 43 908
Write events: 954
Delete events: 298

Modification events

(PID) Process: (7848) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7848) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7848) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7848) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\AiTemp
Operation: delete value
Name: C__Users_admin_Desktop_UrbanVPN.exe

(PID) Process: (7848) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\AiTemp
Operation: delete key
Name: (default)

(PID) Process: (7848) UrbanVPN.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: C__Users_admin_Desktop_UrbanVPN.exe

(PID) Process: (7360) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 4800000000000000E417D9B8657EDC01C01C0000141B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7360) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000970023B9657EDC01C01C0000141B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7360) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 4800000000000000970023B9657EDC01C01C0000141B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7360) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000970023B9657EDC01C01C0000141B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 279
Suspicious files: 215
Text files: 798
Unknown types: 0

Dropped files

Columns: PID | Process | Filename (Type) | MD5 | SHA256

7848 UrbanVPN.exe: C:\Users\admin\AppData\Roaming\Urban Cyber Security\UrbanVPN 4.0.5.0\install\holder0.aiph
  MD5:
  SHA256:
7848 UrbanVPN.exe: C:\Users\admin\AppData\Roaming\Urban Cyber Security\UrbanVPN 4.0.5.0\install\0A1C40D\UrbanVPN.msi
  MD5:
  SHA256:
7848 UrbanVPN.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D4EDCAD43156E220AC6A9CF2424B15C7 (binary)
  MD5: 90840B2B8CDE908584A2975D02D76E54
  SHA256: 095F4185695967C5AF9D8ECB086BD1DD325CF8213B5153B681DA9025A9BDDC5F
7848 UrbanVPN.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB (binary)
  MD5: C4C07B58C6ECD87B66DD0D4724F27F0F
  SHA256: 06369DFC05956A3C29039A136F9DE4AD7AA4CBCFD31107AEF5F71567D87C7E8F
7848 UrbanVPN.exe: C:\Users\admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\4.0.5.0\tracking.ini (text)
  MD5: 0AD18898331102AF3EE34F764DBCBD8A
  SHA256: 3F8BA11930D1A17CAF2A715AA058724BA2669E52C0722C8686C44E575CFF53BA
7848 UrbanVPN.exe: C:\Users\admin\AppData\Local\Temp\INA263.tmp (executable)
  MD5: 948CDFA1CF23767BC780E1352FCDEE94
  SHA256: 7D32C3F22ABA69AB7C881B54AA40CC92710630D9E49F861EB1535199780B4F52
7848 UrbanVPN.exe: C:\Users\admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\4.0.5.0\{BF73544E-EEC9-48B9-9D9A-709D7E50E182}.session (text)
  MD5: 0EDE40BF062874A4BD0774AE8C092F54
  SHA256: 483F2D7FE4D5903799E45C0CF164E5A8BF3C7808176F3CACA560F83761D376DC
7848 UrbanVPN.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 (binary)
  MD5: 76E73F6874B570BD684C1B65F6D9B8E5
  SHA256: A101B1C14A091CEE678F50256D98E300938DCFB4FFD7B072DF254CAD0C756E51
7848 UrbanVPN.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D4EDCAD43156E220AC6A9CF2424B15C7 (binary)
  MD5: 45969946474835357AA06045BDFB5EF0
  SHA256: FB9F8BFAE6C6F6D11C8AFF89864121B0AB1D41725BA4ED472D3C7B5C028594F4
7848 UrbanVPN.exe: C:\Users\admin\AppData\Local\Temp\shi274.tmp (executable)
  MD5: 84A34BF3486F7B9B7035DB78D78BDD1E
  SHA256: F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 116
TCP/UDP connections: 87
DNS requests: 31
Threats: 50

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2452 | svchost.exe | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2452 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | unknown
 | | POST | 200 | 40.126.31.69:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | unknown
7848 | UrbanVPN.exe | GET | 200 | 162.159.142.9:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | | | whitelisted
7532 | SIHClient.exe | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | | | whitelisted

Rows with an empty PID and Process are requests the report did not attribute to a monitored process.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
 | | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2452 | svchost.exe | 23.216.77.26:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 23.216.77.26:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
 | | 23.216.77.26:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
2452 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
 | | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

Rows with an empty PID and Process are connections the report did not attribute to a monitored process.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.216.77.26
  • 23.216.77.21
  • 23.216.77.38
  • 23.216.77.18
  • 23.216.77.30
  • 23.216.77.36
  • 23.216.77.35
  • 23.216.77.37
  • 23.216.77.20
  • 2.16.164.72
  • 2.16.164.73
  • 2.16.164.74
  • 2.16.164.34
  • 2.16.164.64
  • 2.16.164.67
  • 2.16.164.49
  • 2.16.164.58
  • 2.16.164.51
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.59.18.102
whitelisted
login.live.com
  • 20.190.159.130
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.4
  • 40.126.31.67
  • 40.126.31.1
  • 20.190.159.71
  • 40.126.31.131
whitelisted
ocsp.digicert.com
  • 162.159.142.9
  • 172.66.2.5
whitelisted
slscr.update.microsoft.com
  • 74.179.77.204
whitelisted
go.microsoft.com
  • 23.213.166.81
  • 88.221.169.205
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID | Process | Class | Message
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] Google DNS-over-HTTPS service requested (dns. google)
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] Cloudflare DNS-over-HTTPS service requested (cloudflare-dns .com)
 | | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
 | | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
 | | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent
 | | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] AdvancedInstaller User-Agent
 | | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
 | | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] TakeMyFile UA
 | | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
 | | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] TakeMyFile UA

Domains in the messages are defanged with spaces as in the report; rows with an empty PID and Process are alerts the report did not attribute to a monitored process.
Process | Message
Urban Vpn Updater.exe | Logger::SetLogFile( C:\ProgramData\UrbanVPN\updates\updater.log ) while OLD path is:
Urban Vpn Updater.exe | Logger::SetLogFile( C:\ProgramData\UrbanVPN\updates\updater.log ) while OLD path is:
Urban Vpn Updater.exe | Logger::SetLogFile( C:\ProgramData\UrbanVPN\updates\updater.log ) while OLD path is: