Malware analysis https://www.urban-vpn.com/thank-you-safe-browsing/ Malicious activity

Add for printing

URL:	https://www.urban-vpn.com/thank-you-safe-browsing/
Full analysis:	https://app.any.run/tasks/7220ae54-f6c3-4420-a8e9-4c75a7d3ef52
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	December 20, 2020, 11:43:56
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware loader buerloader
Indicators:
MD5:	C677BE0EE351CE825E5BA3211DB39D58
SHA1:	0D80EE4BA0863EC0EDCE67CEDED76AC271E28E90
SHA256:	905F9D2EE033EB9FBA21C83848E31078B90CE87BC05A3A086809B587CC64C323
SSDEEP:	3:N8DSLEUKNiOelKWLCKn:2OLE22K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.72)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - UrbanVPN2.exe (PID: 2508)
  - UrbanVPN2.exe (PID: 2396)
  - UrbanVPN2.exe (PID: 3152)
  - tapinstall.exe (PID: 2176)
  - tapinstall.exe (PID: 3372)
  - ns3BDE.tmp (PID: 3980)
  - ns3A18.tmp (PID: 1720)
  - UrbanVPNUpdater.exe (PID: 2592)
  - urbanvpnserv.exe (PID: 1672)
  - UrbanVPNUpdater.exe (PID: 1536)
  - urbanvpn.exe (PID: 636)
  - urbanvpn-gui.exe (PID: 3864)
  - urbanvpn.exe (PID: 2544)
- Changes settings of System certificates
  - UrbanVPN2.exe (PID: 2508)
  - tapinstall.exe (PID: 3372)
- Loads dropped or rewritten executable
  - UrbanVPN2.exe (PID: 2508)
  - urbanvpnserv.exe (PID: 1672)
  - urbanvpn.exe (PID: 636)
  - urbanvpn.exe (PID: 2544)
- Drops executable file immediately after starts
  - UrbanVPN2.exe (PID: 2508)
  - MSI3803.tmp (PID: 2664)
  - DrvInst.exe (PID: 2772)
- BuerLoader was detected
  - MSI3803.tmp (PID: 2664)
- Changes the autorun value in the registry
  - DrvInst.exe (PID: 664)
- Loads the Task Scheduler DLL interface
  - UrbanVPN2.exe (PID: 2508)
SUSPICIOUS
- Executable content was dropped or overwritten
  - chrome.exe (PID: 184)
  - UrbanVPN2.exe (PID: 2508)
  - msiexec.exe (PID: 2536)
  - MSI3803.tmp (PID: 2664)
  - tapinstall.exe (PID: 3372)
  - DrvInst.exe (PID: 2772)
  - DrvInst.exe (PID: 664)
- Drops a file that was compiled in debug mode
  - chrome.exe (PID: 184)
  - UrbanVPN2.exe (PID: 2508)
  - msiexec.exe (PID: 2536)
  - MSI3803.tmp (PID: 2664)
  - tapinstall.exe (PID: 3372)
  - DrvInst.exe (PID: 664)
  - DrvInst.exe (PID: 2772)
- Creates files in the user directory
  - UrbanVPN2.exe (PID: 2508)
- Reads internet explorer settings
  - UrbanVPN2.exe (PID: 2508)
- Reads Environment values
  - MsiExec.exe (PID: 3860)
  - MsiExec.exe (PID: 2668)
  - MsiExec.exe (PID: 2776)
  - UrbanVPNUpdater.exe (PID: 1536)
- Adds / modifies Windows certificates
  - UrbanVPN2.exe (PID: 2508)
  - tapinstall.exe (PID: 3372)
- Executed as Windows Service
  - vssvc.exe (PID: 3044)
  - urbanvpnserv.exe (PID: 1672)
- Application launched itself
  - UrbanVPN2.exe (PID: 2508)
- Creates a directory in Program Files
  - MSI3803.tmp (PID: 2664)
  - msiexec.exe (PID: 2536)
- Starts application with an unusual extension
  - MSI3803.tmp (PID: 2664)
- Creates files in the program directory
  - MSI3803.tmp (PID: 2664)
  - UrbanVPNUpdater.exe (PID: 1536)
  - urbanvpn-gui.exe (PID: 3864)
- Executed via COM
  - DrvInst.exe (PID: 2772)
  - DrvInst.exe (PID: 664)
  - iexplore.exe (PID: 3916)
  - DllHost.exe (PID: 1920)
- Removes files from Windows directory
  - DrvInst.exe (PID: 2772)
  - DrvInst.exe (PID: 664)
- Creates files in the Windows directory
  - DrvInst.exe (PID: 2772)
  - DrvInst.exe (PID: 664)
- Uses RUNDLL32.EXE to load library
  - DrvInst.exe (PID: 2772)
- Creates files in the driver directory
  - DrvInst.exe (PID: 2772)
  - DrvInst.exe (PID: 664)
- Drops a file with a compile date too recent
  - DrvInst.exe (PID: 2772)
  - tapinstall.exe (PID: 3372)
  - DrvInst.exe (PID: 664)
- Creates a software uninstall entry
  - MSI3803.tmp (PID: 2664)
- Drops a file with too old compile date
  - UrbanVPN2.exe (PID: 2508)
  - msiexec.exe (PID: 2536)
- Low-level read access rights to disk partition
  - urbanvpnserv.exe (PID: 1672)
INFO
- Reads the hosts file
  - chrome.exe (PID: 184)
  - chrome.exe (PID: 532)
- Application launched itself
  - chrome.exe (PID: 184)
  - msiexec.exe (PID: 2536)
  - iexplore.exe (PID: 3916)
- Manual execution by user
  - UrbanVPN2.exe (PID: 2396)
  - UrbanVPN2.exe (PID: 2508)
  - UrbanVPNUpdater.exe (PID: 1536)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 3860)
  - MsiExec.exe (PID: 2668)
  - MSI3803.tmp (PID: 2664)
  - MsiExec.exe (PID: 2776)
- Searches for installed software
  - msiexec.exe (PID: 2536)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 3044)
- Starts application with an unusual extension
  - msiexec.exe (PID: 2536)
- Application was dropped or rewritten from another process
  - MSI3803.tmp (PID: 2664)
  - MSI78D8.tmp (PID: 1900)
- Changes internet zones settings
  - iexplore.exe (PID: 3916)
- Reads settings of System Certificates
  - iexplore.exe (PID: 2872)
  - iexplore.exe (PID: 3916)
- Reads internet explorer settings
  - iexplore.exe (PID: 2872)
- Changes settings of System certificates
  - iexplore.exe (PID: 2872)
- Dropped object may contain Bitcoin addresses
  - iexplore.exe (PID: 2872)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 2872)
- Creates files in the program directory
  - msiexec.exe (PID: 2536)
- Creates files in the user directory
  - iexplore.exe (PID: 2872)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2536)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

184

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "https://www.urban-vpn.com/thank-you-safe-browsing/"

C:\Program Files\Google\Chrome\Application\chrome.exe

explorer.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

3221225547

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

532

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1004,14345771299736536923,9900199214025827053,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=12469261211033827198 --mojo-platform-channel-handle=1572 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

636

urbanvpn --version

C:\Program Files\UrbanVPN\bin\urbanvpn.exe

—

urbanvpn-gui.exe

User:

admin

Company:

Urban Cyber Security Inc.

Integrity Level:

MEDIUM

Description:

UrbanVPN Daemon

Exit code:

Version:

2.2.4.0

Modules

Images
c:\program files\urbanvpn\bin\urbanvpn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\urbanvpn\bin\libcrypto-1_1.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

664

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oemvista.inf:tap0901.NTx86:tap0901.ndi:9.24.2.601:tap0901" "6d14a44ff" "000005C8" "000005D8" "000005E0"

C:\Windows\system32\DrvInst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1200

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1004,14345771299736536923,9900199214025827053,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12380142667893757014 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1536

"C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe" /checknow -minuseractions -startappfirst -restartapp "C:\Program Files\UrbanVPN\bin\urbanvpn-gui.exe" -restartappcmd "-f"

C:\Program Files\UrbanVPN\UrbanVPNUpdater.exe

explorer.exe

User:

admin

Company:

Urban Security

Integrity Level:

MEDIUM

Description:

UrbanVPNUpdater 2.2.4

Exit code:

3758096401

Version:

2.2.4

Modules

Images
c:\program files\urbanvpn\urbanvpnupdater.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1672

"C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe"

C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe

services.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Exit code:

Modules

Images
c:\program files\urbanvpn\bin\urbanvpnserv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\urbanvpn\bin\urbanvpn.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\fwpuclnt.dll

1692

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1004,14345771299736536923,9900199214025827053,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2700673668782349423 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

1720

"C:\Users\admin\AppData\Local\Temp\nsz38AF.tmp\ns3A18.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901

C:\Users\admin\AppData\Local\Temp\nsz38AF.tmp\ns3A18.tmp

—

MSI3803.tmp

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\nsz38af.tmp\ns3a18.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1768

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1004,14345771299736536923,9900199214025827053,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3238008968271065238 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

4 943

Read events

3 945

Write events

928

Delete events

Modification events


(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(2184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:	write	Name:	184-13252938252280750
Value: 259
(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome
Operation:	write	Name:	UsageStatsInSample
Value: 0
(PID) Process:	(184) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:	delete value	Name:	3252-13245750958665039
Value: 0
(PID) Process:	(184) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0

Add for printing

Executable files

Suspicious files

110

Text files

283

Unknown types

Dropped files

PID	Process	Filename		Type
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FDF390D-B8.pma		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1431cc.TMP		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\6b831184-07b8-4076-a8bd-6460d1d707e9.tmp		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG.old		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT		text
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old		—
		MD5:—	SHA256:—
184	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF14348b.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2668	MsiExec.exe	POST	200	148.72.152.76:40000	http://analytics.urban-vpn.com:40000/tickets	US	—	—	malicious
2872	iexplore.exe	GET	200	172.217.23.163:80	http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEB6CSjN0CZFqBQAAAAB%2BjGs%3D	US	der	471 b	whitelisted
2872	iexplore.exe	GET	200	23.55.163.61:80	http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D	US	der	1.37 Kb	whitelisted
2872	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAilokbNS1yMg9cCtLurU0k%3D	US	der	471 b	whitelisted
2872	iexplore.exe	GET	200	23.55.163.61:80	http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D	US	der	1.37 Kb	whitelisted
2872	iexplore.exe	GET	200	93.184.220.29:80	http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRhhZrQET0hvbSHUJmNfBKqR%2FiT7wQUU8oXWfxrwAMhLxqu5KqoHIJW2nUCEAtABqX9EjIed7Z%2BU3L8uO4%3D	US	der	471 b	shared
2668	MsiExec.exe	POST	200	148.72.152.76:40004	http://analytics.urban-vpn.com:40004/tickets	US	—	—	malicious
2872	iexplore.exe	GET	200	13.225.84.66:80	http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D	US	der	1.70 Kb	whitelisted
2872	iexplore.exe	GET	200	93.184.220.29:80	http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRhhZrQET0hvbSHUJmNfBKqR%2FiT7wQUU8oXWfxrwAMhLxqu5KqoHIJW2nUCEAtABqX9EjIed7Z%2BU3L8uO4%3D	US	der	471 b	shared
2872	iexplore.exe	GET	200	99.84.158.205:80	http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D	US	der	1.51 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
532	chrome.exe	216.58.205.237:443	accounts.google.com	Google Inc.	US	whitelisted
532	chrome.exe	172.217.23.104:443	www.googletagmanager.com	Google Inc.	US	suspicious
532	chrome.exe	192.229.233.25:443	platform.twitter.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
532	chrome.exe	65.9.68.102:443	static.hotjar.com	AT&T Services, Inc.	US	malicious
532	chrome.exe	216.58.205.238:443	www.google-analytics.com	Google Inc.	US	whitelisted
532	chrome.exe	185.60.216.19:443	connect.facebook.net	Facebook, Inc.	IE	whitelisted
532	chrome.exe	65.9.68.77:443	script.hotjar.com	AT&T Services, Inc.	US	unknown
532	chrome.exe	173.194.76.154:443	stats.g.doubleclick.net	Google Inc.	US	whitelisted
532	chrome.exe	157.240.9.35:443	www.facebook.com	Facebook, Inc.	US	malicious
532	chrome.exe	104.244.42.8:443	syndication.twitter.com	Twitter Inc.	US	unknown

DNS requests

Domain	IP	Reputation
www.urban-vpn.com	35.233.137.224	malicious
accounts.google.com	216.58.205.237	shared
platform.twitter.com	192.229.233.25	whitelisted
www.googletagmanager.com	172.217.23.104	whitelisted
static.hotjar.com	65.9.68.102 65.9.68.64 65.9.68.19 65.9.68.87 13.224.194.32 13.224.194.102 13.224.194.58 13.224.194.80	whitelisted
urban-vpn.postaffiliatepro.com	91.201.28.212 91.201.28.211	suspicious
www.google-analytics.com	216.58.205.238 64.233.180.139 64.233.180.138 64.233.180.102 64.233.180.101 64.233.180.113 64.233.180.100	whitelisted
connect.facebook.net	185.60.216.19 31.13.92.14	whitelisted
script.hotjar.com	65.9.68.77 65.9.68.23 65.9.68.19 65.9.68.48 13.224.194.129 13.224.194.79 13.224.194.56 13.224.194.4	whitelisted
stats.g.doubleclick.net	173.194.76.154 173.194.76.155 173.194.76.157 173.194.76.156	whitelisted

Threats

PID	Process	Class	Message
2668	MsiExec.exe	Misc activity	ADWARE [PTsecurity] Win32/Jetmedia.A
2668	MsiExec.exe	Misc activity	ADWARE [PTsecurity] Win32/Jetmedia.A
2668	MsiExec.exe	Misc activity	ADWARE [PTsecurity] Win32/Jetmedia.A
2668	MsiExec.exe	Misc activity	ADWARE [PTsecurity] Win32/Jetmedia.A
1672	urbanvpnserv.exe	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
1672	urbanvpnserv.exe	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
3864	urbanvpn-gui.exe	Potentially Bad Traffic	ET INFO TLS Handshake Failure
3864	urbanvpn-gui.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
1672	urbanvpnserv.exe	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
1672	urbanvpnserv.exe	Misc activity	ADWARE [PTsecurity] Win32/Jetmedia.A

Add for printing

Process	Message
MsiExec.exe	Logger::SetLogFile( C:\Users\admin\AppData\Roaming\Caphyon\Advanced Installer\AI_ResourceCleaner.log ) while OLD path is:
UrbanVPNUpdater.exe	Logger::SetLogFile( C:\ProgramData\UrbanVPN\updates\updater.log ) while OLD path is:
MsiExec.exe	Logger::SetLogFile( C:\Users\admin\AppData\Roaming\Caphyon\Advanced Installer\AI_ResourceCleaner.log ) while OLD path is:
MsiExec.exe	Logger::SetLogFile( C:\Users\admin\AppData\Roaming\Caphyon\Advanced Installer\AI_ResourceCleaner.log ) while OLD path is:
UrbanVPNUpdater.exe	Logger::SetLogFile( C:\ProgramData\UrbanVPN\updates\updater.log ) while OLD path is:

General Info

https://www.urban-vpn.com/thank-you-safe-browsing/

C677BE0EE351CE825E5BA3211DB39D58

0D80EE4BA0863EC0EDCE67CEDED76AC271E28E90

905F9D2EE033EB9FBA21C83848E31078B90CE87BC05A3A086809B587CC64C323

3:N8DSLEUKNiOelKWLCKn:2OLE22K

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Changes settings of System certificates

Loads dropped or rewritten executable

Drops executable file immediately after starts

BuerLoader was detected

Changes the autorun value in the registry

Loads the Task Scheduler DLL interface

SUSPICIOUS

Executable content was dropped or overwritten

Drops a file that was compiled in debug mode

Creates files in the user directory

Reads internet explorer settings

Reads Environment values

Adds / modifies Windows certificates

Executed as Windows Service

Application launched itself

Creates a directory in Program Files

Starts application with an unusual extension

Creates files in the program directory

Executed via COM

Removes files from Windows directory

Creates files in the Windows directory

Uses RUNDLL32.EXE to load library

Creates files in the driver directory

Drops a file with a compile date too recent

Creates a software uninstall entry

Drops a file with too old compile date

Low-level read access rights to disk partition

INFO

Reads the hosts file

Application launched itself

Manual execution by user

Loads dropped or rewritten executable

Searches for installed software

Low-level read access rights to disk partition

Starts application with an unusual extension

Application was dropped or rewritten from another process

Changes internet zones settings

Reads settings of System Certificates

Reads internet explorer settings

Changes settings of System certificates

Dropped object may contain Bitcoin addresses

Adds / modifies Windows certificates

Creates files in the program directory

Creates files in the user directory

Creates a software uninstall entry

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information