Analysis
-
max time kernel
212s -
max time network
217s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
18-02-2023 20:41
General
-
Target
expressvpn_windows_12.43.0.0_release.exe
-
Size
58.4MB
-
MD5
a15d6e20d0107f59af14bfe1bfee8a5a
-
SHA1
a16c498932a3c2851f255bf355f12076159afba7
-
SHA256
301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7
-
SHA512
02ed872a21f838422881fb2e6099ee3bb3b5e6c22a9ea4439de54cac0fc1aa7cadbf4f1e601cff50bd300941c529313e844c3547f8b3a5bdd4f7b7f47bb6e21e
-
SSDEEP
1572864:gDG8e0q6S1HeWXgyzRT//W87ghVzJNUXhhgTO0GsrVRUZUcf8E:KMMi++9XWDX+0rrVRTE
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
RevengeRat Executable 1 IoCs
-
Blocklisted process makes network request 8 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 6 IoCs
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 24 IoCs
-
Loads dropped DLL 64 IoCs
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 22 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{56637A20-7200-4C98-A722-26C93B58D0EF}\.cr\expressvpn_windows_12.43.0.0_release.exe"C:\Windows\Temp\{56637A20-7200-4C98-A722-26C93B58D0EF}\.cr\expressvpn_windows_12.43.0.0_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe" -burn.filehandle.attached=692 -burn.filehandle.self=6962⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.be\ExpressVPN_12.43.0.0.exe"C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.be\ExpressVPN_12.43.0.0.exe" -q -burn.elevated BurnPipe.{3CDB35CF-7104-4F1C-A1F2-1AD60EBDB62E} {A04A6EAF-6B2A-40FE-B78E-73BA8CCEEA88} 49123⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{5E41B2F8-C4E1-41D8-99D3-A4F96197CCB1}\.cr\VC_redist.x64.exe"C:\Windows\Temp\{5E41B2F8-C4E1-41D8-99D3-A4F96197CCB1}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\.be\VC_redist.x64.exe"C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5AEE6EA4-D6D4-4E74-9393-DBF8FDD5C3F3} {887962C8-E311-4C3B-8425-35329101AC70} 29566⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1072 -burn.embedded BurnPipe.{56C9D637-BEDE-476B-AA7C-F05BC762CF64} {696FF012-1C48-4367-AE45-D7B570FDC5D5} 48047⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1072 -burn.embedded BurnPipe.{56C9D637-BEDE-476B-AA7C-F05BC762CF64} {696FF012-1C48-4367-AE45-D7B570FDC5D5} 48048⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9146D60C-F086-4543-81C1-90C25A22A8BD} {62CE5EFB-A01C-4E3A-B907-A4C9EBFB1D1E} 48289⤵
- Modifies registry class
-
C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe"C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" /install /quiet /norestart -burn.filehandle.self=1648 -burn.embedded BurnPipe.{C6BC77B8-A860-4332-A95A-1BCDBFD7D65D} {69500CBD-AD4C-422E-8C67-BD537D6E17E4} 34244⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{6BBD579B-1159-478C-ACDB-17E00CEAE710}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe"C:\Windows\Temp\{6BBD579B-1159-478C-ACDB-17E00CEAE710}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart -burn.filehandle.self=1648 -burn.embedded BurnPipe.{C6BC77B8-A860-4332-A95A-1BCDBFD7D65D} {69500CBD-AD4C-422E-8C67-BD537D6E17E4} 34245⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe"C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe" -q -burn.elevated BurnPipe.{9D4C5609-9609-478C-A21B-098FBA65B935} {8E6D1D5C-4AA0-4BA5-8890-9EFE494E010C} 22766⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe" install3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe" uihaslaunched4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN-Installer.exe"ExpressVPN-Installer.exe" install4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\ExpressVPN\wintun\tapinstall\tapinstall.exe"C:\Program Files (x86)\ExpressVPN\wintun\tapinstall\tapinstall.exe" install "C:\Program Files (x86)\ExpressVPN\wintun\driver\expressvpn-tun.inf" expressvpntun5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv4 set subinterface "Local Area Connection" mtu=15005⤵
-
C:\Program Files (x86)\ExpressVPN\wintun\tapinstall\tapinstall.exe"C:\Program Files (x86)\ExpressVPN\wintun\tapinstall\tapinstall.exe" install "C:\Program Files (x86)\ExpressVPN\tap\driver\OemVista.inf" tapexpressvpn5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv4 set subinterface "Ethernet 2" mtu=15005⤵
-
C:\Program Files (x86)\ExpressVPN\splittunnel\install\expressvpndriverinstaller.exe"C:\Program Files (x86)\ExpressVPN\splittunnel\install\expressvpndriverinstaller.exe" remove5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\ExpressVPN\splittunnel\install\expressvpndriverinstaller.exe"C:\Program Files (x86)\ExpressVPN\splittunnel\install\expressvpndriverinstaller.exe" install "C:\Program Files (x86)\ExpressVPN\splittunnel\driver\expressvpnsplittunnel.sys"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ujsrxts.com/support/?utm_campaign=activation_code&utm_medium=apps&utm_source=windows_app&utm_content=activationcode_invalid_code_error4⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8543846f8,0x7ff854384708,0x7ff8543847185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5568 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff778585460,0x7ff778585470,0x7ff7785854806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6276 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6680 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,15623991049331169624,13645797008169045715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:85⤵
-
C:\Users\Admin\Downloads\expressvpn_windows_12.43.0.0_release.exe"C:\Users\Admin\Downloads\expressvpn_windows_12.43.0.0_release.exe"5⤵
- Executes dropped EXE
-
C:\Windows\Temp\{67619007-FCCD-4395-8230-1E52912EF2FF}\.cr\expressvpn_windows_12.43.0.0_release.exe"C:\Windows\Temp\{67619007-FCCD-4395-8230-1E52912EF2FF}\.cr\expressvpn_windows_12.43.0.0_release.exe" -burn.clean.room="C:\Users\Admin\Downloads\expressvpn_windows_12.43.0.0_release.exe" -burn.filehandle.attached=580 -burn.filehandle.self=7166⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\Temp\{3EC73C91-BF7F-4D81-B144-F4FAAF2FE707}\.be\ExpressVPN_12.43.0.0.exe"C:\Windows\Temp\{3EC73C91-BF7F-4D81-B144-F4FAAF2FE707}\.be\ExpressVPN_12.43.0.0.exe" -q -burn.elevated BurnPipe.{14B64388-91B1-4383-B422-8AAB29F0CADB} {F596E272-F49D-4E34-BE16-ACC669C8D116} 60207⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EBE21580F684C2A3B34B3327F1D1C6582⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C416F3DE6223878D31BA6022B52B346B2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 081D8537C8E0ADA29A421D4AD5D3373F2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EE1F7DA8EA674D1395A2C1D2913E5BDD2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 96DC55B3A67CFD74F16ECA756B9DEE432⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI2F78.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240660453 26 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseMainApp3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI66D0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240674531 73 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveLegacyRegistryData3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI6A2C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240675375 77 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveUserFolderData3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI6E44.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240676406 87 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.DeleteBinaries3⤵
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0EB271E60960422C4F033F5935852F4D E Global\MSI00002⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI3C5C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240663703 38 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveData3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4612.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240666140 45 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetBrowserHelperPath3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4BFF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240667671 49 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateAccessTokens3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4F8A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240668546 53 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateDefaultPortConfiguration3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI520B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240669187 57 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateServiceCredentials3⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5662.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670312 61 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.InitializeProteusId3⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5BC2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240671671 65 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetServicesFailureActions3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5DD6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672203 69 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.AddErrorReportingKeys3⤵
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2D2DDC19C716505456BBC035369E8B4E2⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIACF0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240758046 94 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseMainApp3⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIC3F4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240763875 98 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseNotificationsApp3⤵
- Drops file in Windows directory
-
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\ExpressVPN\services\lightway.exe"C:\Program Files (x86)\ExpressVPN\services\lightway.exe" --version2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a81d48d2-2b08-0c48-9729-d607bb2b861e}\expressvpn-tun.inf" "9" "4497a52b3" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\expressvpn\wintun\driver"2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:07cfc4e755425814:Expressvpntun.Install:0.8.0.0:expressvpntun," "4497a52b3" "0000000000000148"2⤵
- Drops file in Drivers directory
- Checks SCSI registry key(s)
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e915e6e1-2048-fd4e-a3e5-ac723991c576}\oemvista.inf" "9" "41ad97973" "000000000000015C" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\expressvpn\tap\driver"2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tapexpressvpn.ndi:9.24.2.45:tapexpressvpn," "41ad97973" "0000000000000144"2⤵
- Drops file in Drivers directory
- Checks SCSI registry key(s)
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exeFilesize
24.3MB
MD5703bd677778f2a1ba1eb4338bac3b868
SHA1a176f140e942920b777f80de89e16ea57ee32be8
SHA2562257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041
-
C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exeFilesize
55.1MB
MD526d558f92be15a50d59b8261123de56b
SHA1b5b1819cca753b070181f50411375b80412860a3
SHA2561b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA5125eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea
-
C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ExpressVPN_12.43.0.0.exeFilesize
10.3MB
MD53b2354b92f91a4383b867b594196cd1c
SHA143c830cfa6b873b66a323e3747a199365cb18b50
SHA2562600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA5127421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da
-
C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\state.rsmFilesize
952B
MD596c1b1d840080e6f8bcc4e94c0542172
SHA13c5dba26dcffcb8c8d51792ae0273c6c96a5505a
SHA256af8dcb1b7f2e30dd0fd3c233fb6092d7db5936db28d920f8a6e880d3d9d98b73
SHA5121ccfec3ed6cb03c61902da64d11b02fbc6abddd425fa99aa575b328fee36d504cdc070fc5cb66be137cbe63629f88158bff9de10609afacb2509e12153899a17
-
C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\state.rsmFilesize
1KB
MD5faf2b0bc3d91d980ac2da3fcc4396ca1
SHA14aff5acf859628bbc8364e3ce4a444e5eb00ea6f
SHA2563955b625e2a0330c9596d635a92d45ff7f7e2e8d31aa56c0078fcb440da59c55
SHA5122873864f356563826c0ce2eaea6c0f3a041e5d162f502242617312bf4c4a1ff3b73f27a6dcc56a7b6d2cf3ee8bcea2a673eaedfc066ab05656b3cc4f08c4f9f3
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230218214248_000_dotnet_runtime_6.0.5_win_x64.msi.logFilesize
4KB
MD5e5ccc6ad92bebc3e7f49ddb7282d2e25
SHA161e14f3f07824a97d3e2cb0c95cc68e72c796ebe
SHA256437802581ad60246791f660a5d042ead24ad3dfcf72b96bc78387dbd73f07a42
SHA512b57cce4804cd6d9bc4dbfc0e43076bc8bc788cd893e55684081b8316551c9e07be0363ae9a1b6e0c5a3b6b0cbb9b69bb5a7b78ce6b492c449f2ace343ee9348a
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230218214238_000_vcRuntimeMinimum_x64.logFilesize
2KB
MD56648629831ea8500e638fa86b490adeb
SHA18384479e2f3f60af040289e357a3e015239a6673
SHA256a0118d73d81c77885b936f744d82371ee67ea744e2d8e44672c2fd57b7824114
SHA5128c8c342d1c59357137c4426d169d25c0ed892ca883fc6ef027bdcaa97dec463540310d28e2ea03c1dd9babbc116e29c27c7bf5d868810766c8c3a6e0c49fc8d3
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230218214238_001_vcRuntimeAdditional_x64.logFilesize
2KB
MD5d40808329a47a021adc1d9ab01e0c559
SHA1ac070801b8f3110b1c75a0fde858cfb5ee4d9d1e
SHA2560059258b85ce7f20fb37a052538242714d0e76d6164b5aaa0567dd459043ed05
SHA512a902d12efef73ca0263788cf477403595d0009bd97e7a1a77448b357f78e30ec186d05ddecc992b831d2e4c549113ea15c100c0f04e0875803fb08067d851662
-
C:\Windows\Installer\MSIC26.tmpFilesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
C:\Windows\Installer\MSIC26.tmpFilesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
C:\Windows\Installer\MSIFB3C.tmpFilesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
C:\Windows\Installer\MSIFB3C.tmpFilesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\.ba\wixstdba.dllFilesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\.be\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\.be\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\cab2C04DDC374BD96EB5C8EB8208F2C7C92Filesize
5.4MB
MD562bc0f466e65d9219281cf75c8f91380
SHA10826a1591b81acf0fe30d58e19b0a87df2a49a3e
SHA256534dd81be6b7a23a745c36eda87e6387c5d146c3a96c84793d0edc7eb85b40f3
SHA51217713f4228c0c2793c622bbb0a90bd5688d98a6576a695cb956fa233238c4c6e5b0cb43510be4f072613ad575d0b44e7c847f48b785a161cc337a9e6fdca3bb5
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\cab5046A8AB272BF37297BB7928664C9503Filesize
914KB
MD545c9c674c0ba87f57168d6ab852e9641
SHA173ace24362f14dc58d4099dae6e4e62902e9e950
SHA256d14f231d1ab0d928e309b067622b5389e0dc6c4f0d3671632066f6586c442c76
SHA5125bb06ca9c966c9edd30944523a84efd3c13b8eb9f6a5c6cfd961a0c82a1cb193e7b58baf888dede7b740ed42ce76ab20c3e41a684c4dd9d818ff8b0d9e52e684
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\vcRuntimeAdditional_x64Filesize
180KB
MD5c214a9e931bbdd960bb48ac1a2b91945
SHA1a640c55dd522e01d0be4307a5eee9a40f779a6cc
SHA2561dbd3e4e71c6678e640c289c1c64bbb12c70f65f52b27191680a9e4141d64b11
SHA512d25fef3bdd3cd18035892618602e27621e9fb3a913e7972ec7bb624d593ae4b766e718fd2e2c7342c589e9a97beb03d2fedef22e824c6b539b83f199cb967933
-
C:\Windows\Temp\{0B746A1F-9422-4F35-9168-805A6348BAC3}\vcRuntimeMinimum_x64Filesize
180KB
MD5df77fc41aa2f85ca423919e397084137
SHA15b87cd2dfb661df49f9557e2fc3b95c7833c9b0b
SHA25651b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2
SHA512a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\.ba\wixstdba.dllFilesize
197KB
MD54356ee50f0b1a878e270614780ddf095
SHA1b5c0915f023b2e4ed3e122322abc40c4437909af
SHA25641a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\.be\windowsdesktop-runtime-6.0.5-win-x64.exeFilesize
609KB
MD5987433e22c318ff3bfd596f6b7bb3d0d
SHA17b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA5128dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\.be\windowsdesktop-runtime-6.0.5-win-x64.exeFilesize
609KB
MD5987433e22c318ff3bfd596f6b7bb3d0d
SHA17b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA5128dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\dotnet_host_6.0.5_win_x64.msiFilesize
736KB
MD5bdc10a6d27e4df71409c9cd8bc40d48c
SHA13cd9327008fc4bc8f76d9f8174bc6a1bbf4d7632
SHA256ec6d27122faf6585fa4419284a95212102c54bbd7ee02bd56835a496039c70de
SHA512c60196e4f34efcaa62ac3bb750205b701d7434872fe9eb866a5d80ccab6cef879b35aab0d09c19d25cdbf2a3e19c23a4170a16033ad2fbd008dccc9a6530b1c9
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\dotnet_hostfxr_6.0.5_win_x64.msiFilesize
804KB
MD5eef7d4eaa530df3288c03b8e6463aaa3
SHA14d94b0073d5afeb1642a2f0da5c178f5765857b3
SHA256cbdda269bf97e5e990d909fc503149005e4cd70e68d565c0fd4fbed3222d7711
SHA5122be6dbc2c4d2a8d68653ffd8cb56196178c4ecea2f247a8d6f6cf3061917a43ff814ce48ab2939b475ae0d69df8fe41e0864ebaa282adcfb3e578ca0da10f823
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\dotnet_runtime_6.0.5_win_x64.msiFilesize
26.2MB
MD5abf5dbc0196845d9c906189aa70d07ec
SHA14a6879976ca9d64a151e1679d0b08d975883a7b2
SHA256f8f96b0c0a444a391d1a5c02d217d530905c32895166251d16a1b5903b6815f1
SHA512035fffdf011e5d30b06ca3b78b37ceb90c1773b08244efc0ca8f7e8b7c4ef83b1b0c5273431e752d0f7dc83a49ccf5fbb733f8235825bf5b8ded32f7b51939e3
-
C:\Windows\Temp\{4B6E46FB-E3F4-4283-8E5F-B7C3689EF955}\windowsdesktop_runtime_6.0.5_win_x64.msiFilesize
28.5MB
MD5bf16e0cb45daf8f291ecfa351cb0c3c2
SHA11491de942eec40921a35f35aa377c2f8f7332c5b
SHA2560c3b15d1e680e29377a08ec0577d87d222dda47b84c955f4e834497b59041f9c
SHA512a69a495b265e6e16fbc4a06455a02baabe35c6ad4abf499ca99a4b5cc9dfe2bcf337b6a60d32bfb15eca03b4c08710a095111ec637b2fbef0279c26d9e9e9ae8
-
C:\Windows\Temp\{56637A20-7200-4C98-A722-26C93B58D0EF}\.cr\expressvpn_windows_12.43.0.0_release.exeFilesize
10.3MB
MD53b2354b92f91a4383b867b594196cd1c
SHA143c830cfa6b873b66a323e3747a199365cb18b50
SHA2562600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA5127421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da
-
C:\Windows\Temp\{56637A20-7200-4C98-A722-26C93B58D0EF}\.cr\expressvpn_windows_12.43.0.0_release.exeFilesize
10.3MB
MD53b2354b92f91a4383b867b594196cd1c
SHA143c830cfa6b873b66a323e3747a199365cb18b50
SHA2562600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA5127421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da
-
C:\Windows\Temp\{5E41B2F8-C4E1-41D8-99D3-A4F96197CCB1}\.cr\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{5E41B2F8-C4E1-41D8-99D3-A4F96197CCB1}\.cr\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{6BBD579B-1159-478C-ACDB-17E00CEAE710}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exeFilesize
609KB
MD5987433e22c318ff3bfd596f6b7bb3d0d
SHA17b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA5128dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46
-
C:\Windows\Temp\{6BBD579B-1159-478C-ACDB-17E00CEAE710}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exeFilesize
609KB
MD5987433e22c318ff3bfd596f6b7bb3d0d
SHA17b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA5128dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46
-
C:\Windows\Temp\{AF68CA73-27EF-4358-B403-1C7FD73D12FC}\.ba\wixstdba.dllFilesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\BootstrapperCore.dllFilesize
87KB
MD5b0d10a2a622a322788780e7a3cbb85f3
SHA104d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA51262b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\BootstrapperCore.dllFilesize
87KB
MD5b0d10a2a622a322788780e7a3cbb85f3
SHA104d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA51262b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVPN.Common.Shared.dllFilesize
60KB
MD55c1c022ec70d55d24bf799f1e71d4575
SHA1b1367945eb8e896a3f002f3e5ee6c8d1719b5f82
SHA25609177650cb3caa6378aca696d5fce36f2bbe65f729a12b97aa887e8318507260
SHA512372f951beb646c154de72c09ebf529f8bf6f70c6c073eb2467e5f9d59352ef102f0cce3b7a3164ab2c020c1f9b1e42aa7ec1095127ff576603dac814b7145070
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVPN.Common.Shared.dllFilesize
60KB
MD55c1c022ec70d55d24bf799f1e71d4575
SHA1b1367945eb8e896a3f002f3e5ee6c8d1719b5f82
SHA25609177650cb3caa6378aca696d5fce36f2bbe65f729a12b97aa887e8318507260
SHA512372f951beb646c154de72c09ebf529f8bf6f70c6c073eb2467e5f9d59352ef102f0cce3b7a3164ab2c020c1f9b1e42aa7ec1095127ff576603dac814b7145070
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVPN.Utils.dllFilesize
111KB
MD576af5689ae5e1f396292b0ac8705e9b5
SHA1d73ee7dd91892c57281947c8c1e921c622ff043f
SHA256626c99223195921b3063ea350bd8449633c4f1d98614545d7487cb777f5097f3
SHA5124616d073202a821c1240d2da43511ac1c6c69bc872b01da0f11747d9eb4f89132890c9877103273e5641b7e963eaa73b3335fd7b8b1f88f5d708892f532d2ad9
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVPN.Utils.dllFilesize
111KB
MD576af5689ae5e1f396292b0ac8705e9b5
SHA1d73ee7dd91892c57281947c8c1e921c622ff043f
SHA256626c99223195921b3063ea350bd8449633c4f1d98614545d7487cb777f5097f3
SHA5124616d073202a821c1240d2da43511ac1c6c69bc872b01da0f11747d9eb4f89132890c9877103273e5641b7e963eaa73b3335fd7b8b1f88f5d708892f532d2ad9
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVpn.Client.Setup.Shared.dllFilesize
18KB
MD579335077a88f53da50c2d448ef4a6df0
SHA1927d2fc8a3fa36aafa8c9ca6a96ec79607511e37
SHA25628db0799ee4a3b7efc080de83bec170f0c35b53818e06e7da1b31fb10327920b
SHA512992a1c0e47e56051f4b6f4d130b3528143657dcbd9104b58b66e0fd7a573c9e832c2a60d27034e5511aae793313a1ac178afabf9c1a77ed2dfb29fb55ac7f829
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVpn.Client.Setup.Shared.dllFilesize
18KB
MD579335077a88f53da50c2d448ef4a6df0
SHA1927d2fc8a3fa36aafa8c9ca6a96ec79607511e37
SHA25628db0799ee4a3b7efc080de83bec170f0c35b53818e06e7da1b31fb10327920b
SHA512992a1c0e47e56051f4b6f4d130b3528143657dcbd9104b58b66e0fd7a573c9e832c2a60d27034e5511aae793313a1ac178afabf9c1a77ed2dfb29fb55ac7f829
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVpn.Common.Logging.dllFilesize
79KB
MD585808933176b57cd4c9dc7f506071dd8
SHA17c8184c7da881ff84bf71f2587353ade0aa3f2b1
SHA2568fb910654c881b51c4c5a0ddf55302a1e98ce9ab5dc5164726b4b848fc70db8f
SHA51213f41d43de8a1eec53720f9c9da3bf223a4142fb3d53f8cfedded550f616bd44770f123f722476fd7fc70cb39e99e4222c84ea1de22af755f31cad7333350701
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\ExpressVpn.Common.Logging.dllFilesize
79KB
MD585808933176b57cd4c9dc7f506071dd8
SHA17c8184c7da881ff84bf71f2587353ade0aa3f2b1
SHA2568fb910654c881b51c4c5a0ddf55302a1e98ce9ab5dc5164726b4b848fc70db8f
SHA51213f41d43de8a1eec53720f9c9da3bf223a4142fb3d53f8cfedded550f616bd44770f123f722476fd7fc70cb39e99e4222c84ea1de22af755f31cad7333350701
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Bcl.AsyncInterfaces.dllFilesize
21KB
MD548efe61d6ca3054309907b532d576d2a
SHA1f36403aabb16540c93fb35245ec0b4e435628aae
SHA256295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Bcl.AsyncInterfaces.dllFilesize
21KB
MD548efe61d6ca3054309907b532d576d2a
SHA1f36403aabb16540c93fb35245ec0b4e435628aae
SHA256295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dllFilesize
46KB
MD5405bf969e7e50ef47422e54fa33605c8
SHA14f3c5c8803212719ee74c60813b9ae08604684b3
SHA25695a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dllFilesize
46KB
MD5405bf969e7e50ef47422e54fa33605c8
SHA14f3c5c8803212719ee74c60813b9ae08604684b3
SHA25695a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Extensions.DependencyInjection.dllFilesize
82KB
MD5f2a9c263e730b94057d26d8e6562e342
SHA1e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Extensions.DependencyInjection.dllFilesize
82KB
MD5f2a9c263e730b94057d26d8e6562e342
SHA1e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Extensions.Logging.Abstractions.dllFilesize
51KB
MD51237591a98cea80b03eaa68dbbcb2176
SHA15761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA5121446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Microsoft.Extensions.Logging.Abstractions.dllFilesize
51KB
MD51237591a98cea80b03eaa68dbbcb2176
SHA15761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA5121446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Newtonsoft.Json.dllFilesize
683KB
MD56815034209687816d8cf401877ec8133
SHA11248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA2567f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA5123398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\Newtonsoft.Json.dllFilesize
683KB
MD56815034209687816d8cf401877ec8133
SHA11248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA2567f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA5123398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\System.Threading.Tasks.Extensions.dllFilesize
25KB
MD5e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA12242627282f9e07e37b274ea36fac2d3cd9c9110
SHA2564f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\System.Threading.Tasks.Extensions.dllFilesize
25KB
MD5e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA12242627282f9e07e37b274ea36fac2d3cd9c9110
SHA2564f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\WixSharp Setup.exeFilesize
1.5MB
MD529ef76d3f5d45b200c62f4e2661181db
SHA1b3d6a4bbeb429b42f2a9fbdb090b1e1ab1d32c43
SHA256aed2bd63c0eaa5c0e366cbb23cf35de086e37d1a4d748528d2634931d127f53c
SHA512e0fbcc549ffb0b4adfd989c38513b9f2cd1d0dac7b15dabb661259ba66dea799b4ee5a412ebb7706e8995d51bf86eb50df64366a7599206ebe1e8986ebe8c85b
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\WixSharp Setup.exeFilesize
1.5MB
MD529ef76d3f5d45b200c62f4e2661181db
SHA1b3d6a4bbeb429b42f2a9fbdb090b1e1ab1d32c43
SHA256aed2bd63c0eaa5c0e366cbb23cf35de086e37d1a4d748528d2634931d127f53c
SHA512e0fbcc549ffb0b4adfd989c38513b9f2cd1d0dac7b15dabb661259ba66dea799b4ee5a412ebb7706e8995d51bf86eb50df64366a7599206ebe1e8986ebe8c85b
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.ba\mbahost.dllFilesize
119KB
MD5c59832217903ce88793a6c40888e3cae
SHA16d9facabf41dcf53281897764d467696780623b8
SHA2569dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA5121b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.be\ExpressVPN_12.43.0.0.exeFilesize
10.3MB
MD53b2354b92f91a4383b867b594196cd1c
SHA143c830cfa6b873b66a323e3747a199365cb18b50
SHA2562600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA5127421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\.be\ExpressVPN_12.43.0.0.exeFilesize
10.3MB
MD53b2354b92f91a4383b867b594196cd1c
SHA143c830cfa6b873b66a323e3747a199365cb18b50
SHA2562600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA5127421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\MainMsiFilesize
69.2MB
MD56b317a8789f3b27198323d006bf35d5d
SHA1acc0016e0840199e2c24a9bd76baf92a91c362cc
SHA2569f37bd05c7c7cdd185e660c0542fdc5d5c8e184817b72f18ef02e154724e03e7
SHA51226d9ffc44d7f472ca0fd80c75040e9da8d142dc971c489ca1b9d7b8e3c035c59d26501bd23edb40a8dc3a077d9b79f310b4a83ab9960d288df2d14b4d0dedbb0
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\Net6DesktopRuntime64Filesize
55.1MB
MD526d558f92be15a50d59b8261123de56b
SHA1b5b1819cca753b070181f50411375b80412860a3
SHA2561b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA5125eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea
-
C:\Windows\Temp\{C8433A84-C6DC-43EA-84A7-482E57A953D5}\VCRedist64Filesize
24.3MB
MD5703bd677778f2a1ba1eb4338bac3b868
SHA1a176f140e942920b777f80de89e16ea57ee32be8
SHA2562257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041
-
memory/336-244-0x0000000005370000-0x000000000538E000-memory.dmpFilesize
120KB
-
memory/336-242-0x0000000000000000-mapping.dmp
-
memory/336-243-0x00000000052C0000-0x0000000005336000-memory.dmpFilesize
472KB
-
memory/400-316-0x0000000000000000-mapping.dmp
-
memory/448-246-0x0000000000000000-mapping.dmp
-
memory/636-184-0x0000000000000000-mapping.dmp
-
memory/1156-307-0x0000000000000000-mapping.dmp
-
memory/1304-250-0x0000000000000000-mapping.dmp
-
memory/1536-318-0x0000000000000000-mapping.dmp
-
memory/1560-310-0x0000000000000000-mapping.dmp
-
memory/1780-226-0x0000000000000000-mapping.dmp
-
memory/1848-289-0x00000000063B0000-0x00000000063B8000-memory.dmpFilesize
32KB
-
memory/1848-262-0x00000000052A0000-0x00000000052E6000-memory.dmpFilesize
280KB
-
memory/1848-269-0x0000000005300000-0x0000000005308000-memory.dmpFilesize
32KB
-
memory/1848-283-0x0000000005900000-0x000000000590A000-memory.dmpFilesize
40KB
-
memory/1848-267-0x0000000005310000-0x0000000005326000-memory.dmpFilesize
88KB
-
memory/1848-257-0x0000000000000000-mapping.dmp
-
memory/1848-263-0x0000000005250000-0x0000000005270000-memory.dmpFilesize
128KB
-
memory/1848-259-0x00000000005A0000-0x0000000000674000-memory.dmpFilesize
848KB
-
memory/1848-281-0x00000000058C0000-0x00000000058C8000-memory.dmpFilesize
32KB
-
memory/1848-284-0x00000000060A0000-0x00000000060A8000-memory.dmpFilesize
32KB
-
memory/2004-320-0x0000000000000000-mapping.dmp
-
memory/2004-315-0x0000000000000000-mapping.dmp
-
memory/2012-247-0x0000000000000000-mapping.dmp
-
memory/2032-347-0x0000000000000000-mapping.dmp
-
memory/2128-277-0x0000000006080000-0x000000000608A000-memory.dmpFilesize
40KB
-
memory/2128-274-0x0000000005FD0000-0x0000000005FD8000-memory.dmpFilesize
32KB
-
memory/2128-261-0x0000000001A50000-0x0000000001A68000-memory.dmpFilesize
96KB
-
memory/2128-260-0x0000000000DE0000-0x00000000010B8000-memory.dmpFilesize
2.8MB
-
memory/2128-264-0x0000000006350000-0x000000000696E000-memory.dmpFilesize
6.1MB
-
memory/2128-265-0x0000000005D70000-0x0000000005DA6000-memory.dmpFilesize
216KB
-
memory/2128-268-0x0000000005F20000-0x0000000005F2A000-memory.dmpFilesize
40KB
-
memory/2128-270-0x0000000005F80000-0x0000000005F94000-memory.dmpFilesize
80KB
-
memory/2128-271-0x0000000005FE0000-0x0000000005FF2000-memory.dmpFilesize
72KB
-
memory/2128-272-0x0000000005F70000-0x0000000005F78000-memory.dmpFilesize
32KB
-
memory/2128-292-0x00000000075B0000-0x0000000007628000-memory.dmpFilesize
480KB
-
memory/2128-291-0x0000000006A10000-0x0000000006A2E000-memory.dmpFilesize
120KB
-
memory/2128-290-0x0000000006A80000-0x0000000006AE4000-memory.dmpFilesize
400KB
-
memory/2128-288-0x00000000062F0000-0x0000000006302000-memory.dmpFilesize
72KB
-
memory/2128-287-0x00000000069C0000-0x0000000006A0A000-memory.dmpFilesize
296KB
-
memory/2128-286-0x0000000006210000-0x0000000006218000-memory.dmpFilesize
32KB
-
memory/2128-285-0x00000000061C0000-0x00000000061D0000-memory.dmpFilesize
64KB
-
memory/2128-282-0x0000000006220000-0x00000000062D0000-memory.dmpFilesize
704KB
-
memory/2128-280-0x0000000006050000-0x0000000006058000-memory.dmpFilesize
32KB
-
memory/2128-279-0x0000000006120000-0x0000000006170000-memory.dmpFilesize
320KB
-
memory/2128-266-0x0000000005F10000-0x0000000005F1A000-memory.dmpFilesize
40KB
-
memory/2128-278-0x00000000060B0000-0x00000000060D0000-memory.dmpFilesize
128KB
-
memory/2128-276-0x0000000006060000-0x000000000606C000-memory.dmpFilesize
48KB
-
memory/2128-273-0x0000000005FC0000-0x0000000005FC8000-memory.dmpFilesize
32KB
-
memory/2128-275-0x0000000006020000-0x000000000603A000-memory.dmpFilesize
104KB
-
memory/2128-258-0x0000000000000000-mapping.dmp
-
memory/2148-205-0x0000000000000000-mapping.dmp
-
memory/2168-221-0x0000000000000000-mapping.dmp
-
memory/2276-208-0x0000000000000000-mapping.dmp
-
memory/2516-306-0x0000000000000000-mapping.dmp
-
memory/2560-313-0x0000000000000000-mapping.dmp
-
memory/2624-206-0x0000000000000000-mapping.dmp
-
memory/2772-317-0x0000000000000000-mapping.dmp
-
memory/2860-326-0x0000000000000000-mapping.dmp
-
memory/2928-311-0x0000000000000000-mapping.dmp
-
memory/2956-186-0x0000000000000000-mapping.dmp
-
memory/3052-229-0x0000000000000000-mapping.dmp
-
memory/3260-212-0x0000000000000000-mapping.dmp
-
memory/3424-178-0x0000000000000000-mapping.dmp
-
memory/3448-332-0x0000000000000000-mapping.dmp
-
memory/3476-312-0x0000000000000000-mapping.dmp
-
memory/3976-249-0x0000000000000000-mapping.dmp
-
memory/4040-328-0x0000000000000000-mapping.dmp
-
memory/4048-248-0x0000000000000000-mapping.dmp
-
memory/4144-319-0x0000000000000000-mapping.dmp
-
memory/4204-201-0x0000000000000000-mapping.dmp
-
memory/4252-241-0x0000000000000000-mapping.dmp
-
memory/4300-254-0x0000000000000000-mapping.dmp
-
memory/4300-255-0x00000000050D0000-0x0000000005136000-memory.dmpFilesize
408KB
-
memory/4328-351-0x0000000000000000-mapping.dmp
-
memory/4388-330-0x0000000000000000-mapping.dmp
-
memory/4400-245-0x0000000000000000-mapping.dmp
-
memory/4472-324-0x0000000000000000-mapping.dmp
-
memory/4496-252-0x0000000000000000-mapping.dmp
-
memory/4716-256-0x0000000000000000-mapping.dmp
-
memory/4728-323-0x0000000000000000-mapping.dmp
-
memory/4740-240-0x0000000000000000-mapping.dmp
-
memory/4796-227-0x0000000000000000-mapping.dmp
-
memory/4804-190-0x0000000000000000-mapping.dmp
-
memory/4828-202-0x0000000000000000-mapping.dmp
-
memory/4836-251-0x0000000000000000-mapping.dmp
-
memory/4844-238-0x00000000049E0000-0x00000000049EA000-memory.dmpFilesize
40KB
-
memory/4844-237-0x0000000004A00000-0x0000000004A20000-memory.dmpFilesize
128KB
-
memory/4844-230-0x0000000000000000-mapping.dmp
-
memory/4844-236-0x0000000004A50000-0x0000000004AC0000-memory.dmpFilesize
448KB
-
memory/4844-235-0x00000000049A0000-0x00000000049B4000-memory.dmpFilesize
80KB
-
memory/4844-234-0x0000000004960000-0x0000000004978000-memory.dmpFilesize
96KB
-
memory/4844-233-0x00000000025B0000-0x00000000025B8000-memory.dmpFilesize
32KB
-
memory/4844-239-0x0000000004A20000-0x0000000004A2C000-memory.dmpFilesize
48KB
-
memory/4844-232-0x00000000025C0000-0x00000000025D6000-memory.dmpFilesize
88KB
-
memory/4844-231-0x0000000002570000-0x000000000259E000-memory.dmpFilesize
184KB
-
memory/4884-321-0x0000000000000000-mapping.dmp
-
memory/4912-174-0x0000000007370000-0x0000000007378000-memory.dmpFilesize
32KB
-
memory/4912-163-0x0000000006730000-0x000000000673A000-memory.dmpFilesize
40KB
-
memory/4912-150-0x00000000066D0000-0x00000000066E8000-memory.dmpFilesize
96KB
-
memory/4912-154-0x0000000006710000-0x000000000672A000-memory.dmpFilesize
104KB
-
memory/4912-169-0x00000000068B0000-0x00000000068C0000-memory.dmpFilesize
64KB
-
memory/4912-176-0x00000000098A0000-0x00000000098AE000-memory.dmpFilesize
56KB
-
memory/4912-132-0x0000000000000000-mapping.dmp
-
memory/4912-147-0x0000000006510000-0x0000000006520000-memory.dmpFilesize
64KB
-
memory/4912-144-0x00000000064F0000-0x00000000064F8000-memory.dmpFilesize
32KB
-
memory/4912-157-0x0000000006750000-0x0000000006770000-memory.dmpFilesize
128KB
-
memory/4912-141-0x0000000006540000-0x00000000066C8000-memory.dmpFilesize
1.5MB
-
memory/4912-172-0x0000000006A40000-0x0000000006AF0000-memory.dmpFilesize
704KB
-
memory/4912-138-0x0000000005FA0000-0x0000000005FB8000-memory.dmpFilesize
96KB
-
memory/4912-160-0x0000000006870000-0x0000000006888000-memory.dmpFilesize
96KB
-
memory/4912-177-0x000000000AFA0000-0x000000000AFA8000-memory.dmpFilesize
32KB
-
memory/4912-153-0x00000000066F0000-0x0000000006704000-memory.dmpFilesize
80KB
-
memory/4912-173-0x0000000006410000-0x0000000006432000-memory.dmpFilesize
136KB
-
memory/4912-166-0x0000000006740000-0x000000000674A000-memory.dmpFilesize
40KB
-
memory/4912-175-0x00000000098E0000-0x0000000009918000-memory.dmpFilesize
224KB
-
memory/4932-253-0x0000000000000000-mapping.dmp
-
memory/5016-228-0x0000000000000000-mapping.dmp
-
memory/5044-314-0x0000000000000000-mapping.dmp
-
memory/5132-334-0x0000000000000000-mapping.dmp
-
memory/5272-349-0x0000000000000000-mapping.dmp
-
memory/5348-336-0x0000000000000000-mapping.dmp
-
memory/5428-337-0x0000000000000000-mapping.dmp
-
memory/5472-338-0x0000000000000000-mapping.dmp
-
memory/5644-339-0x0000000000000000-mapping.dmp
-
memory/5936-341-0x0000000000000000-mapping.dmp
-
memory/6004-343-0x0000000000000000-mapping.dmp
-
memory/6080-345-0x0000000000000000-mapping.dmp