lumma | 25bedb839070a35a6195fec683ca363d031fb265e10ddc9d5537199be60c4fab

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

expressvpn_windows_install.7z
Size

45.5MB
MD5

453d0bcc246d8f9def6d542fd846c3d4
SHA1

5e35087c69cbd0425c02ce7edc5192feea82722a
SHA256

f6be94dd7fa4acd3775553af020ed4bd07bdd8070383926b3e2ad62c3c30a9ae
SHA512

e674fbd76f5919436780d9bf75918b1202dffcf279708aad0a000ae7bd489a9bdf55d6f7a2b4f7b738a66080a59b18403c702e43d58d3c764b22f848e6752c61
SSDEEP

786432:IOjgCSRBYxWy0WXMGMVcvPKI0+mOafSmyEXa0Lsn7kEGYEKbKjGHV7/ijz/:DkRBf6LwcKyafY+a0ukEmjGHO

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

82.117.255.80

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

expressvpn_windows_10.28.0.7_release.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	expressvpn_windows_10.28.0.7_release.exe

Executes dropped EXE 7 IoCs

Processes:

expressvpn_windows_install.exeexpressvpn_windows_install.tmp7za.exeexpressvpn_windows_10.28.0.7_release.exeexpressvpn_windows_10.28.0.7_release.exeExpressVPN_10.28.0.7.exeVCR-2005-2023-09.02.2023.exe

pid	process
3304	expressvpn_windows_install.exe
2120	expressvpn_windows_install.tmp
3924	7za.exe
4612	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3052	ExpressVPN_10.28.0.7.exe
3344	VCR-2005-2023-09.02.2023.exe

Loads dropped DLL 14 IoCs

Processes:

expressvpn_windows_install.tmpexpressvpn_windows_10.28.0.7_release.exe

pid	process
2120	expressvpn_windows_install.tmp
2120	expressvpn_windows_install.tmp
2120	expressvpn_windows_install.tmp
2120	expressvpn_windows_install.tmp
2120	expressvpn_windows_install.tmp
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe
3356	expressvpn_windows_10.28.0.7_release.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

Processes:

expressvpn_windows_install.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	expressvpn_windows_install.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\expressvpn_windows_10.28.0.7_release.exe	expressvpn_windows_install.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\7za.exe	expressvpn_windows_install.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.dat	expressvpn_windows_install.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\is-3OF6Q.tmp	expressvpn_windows_install.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\is-HQL12.tmp	expressvpn_windows_install.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-53JCL.tmp	expressvpn_windows_install.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\is-3VDN8.tmp	expressvpn_windows_install.tmp
File created	C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\unins000.msg	expressvpn_windows_install.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000027c70fafd0cbe6b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000027c70faf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090027c70faf000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Applications\7zFM.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000054562b9f110050524f4752417e310000740009000400efbe874fdb4954562b9f2e0000003f0000000000010000000000000000004a0000000000df58bd00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000054569b981000372d5a6970003c0009000400efbe54569a9854569b982e000000ee260200000006000000000000000000000000000000d3072d0137002d005a0069007000000014000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Applications\7zFM.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Applications	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Applications\7zFM.exe\shell\open\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Applications\7zFM.exe\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

expressvpn_windows_install.tmppowershell.exepowershell.exe7zFM.exe

pid	process
2120	expressvpn_windows_install.tmp
2120	expressvpn_windows_install.tmp
5016	powershell.exe
5016	powershell.exe
3872	powershell.exe
3872	powershell.exe
5040	7zFM.exe
5040	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

4344 OpenWith.exe
5040 7zFM.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

7zFM.exepowershell.exepowershell.exe7za.exevssvc.exe

description	pid	process
Token: SeRestorePrivilege	5040	7zFM.exe
Token: 35	5040	7zFM.exe
Token: SeSecurityPrivilege	5040	7zFM.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeRestorePrivilege	3924	7za.exe
Token: 35	3924	7za.exe
Token: SeSecurityPrivilege	3924	7za.exe
Token: SeSecurityPrivilege	3924	7za.exe
Token: SeBackupPrivilege	3424	vssvc.exe
Token: SeRestorePrivilege	3424	vssvc.exe
Token: SeAuditPrivilege	3424	vssvc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeexpressvpn_windows_install.tmp

pid process

5040 7zFM.exe
5040 7zFM.exe
2120 expressvpn_windows_install.tmp

pid	process
5040	7zFM.exe
5040	7zFM.exe
2120	expressvpn_windows_install.tmp

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

OpenWith.exe

pid	process
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe
4344	OpenWith.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

OpenWith.exe7zFM.exeexpressvpn_windows_install.exeexpressvpn_windows_install.tmpcmd.exeexpressvpn_windows_10.28.0.7_release.exeexpressvpn_windows_10.28.0.7_release.exe

description	pid	process	target process
PID 4344 wrote to memory of 5040	4344	OpenWith.exe	7zFM.exe
PID 4344 wrote to memory of 5040	4344	OpenWith.exe	7zFM.exe
PID 5040 wrote to memory of 3304	5040	7zFM.exe	expressvpn_windows_install.exe
PID 5040 wrote to memory of 3304	5040	7zFM.exe	expressvpn_windows_install.exe
PID 5040 wrote to memory of 3304	5040	7zFM.exe	expressvpn_windows_install.exe
PID 3304 wrote to memory of 2120	3304	expressvpn_windows_install.exe	expressvpn_windows_install.tmp
PID 3304 wrote to memory of 2120	3304	expressvpn_windows_install.exe	expressvpn_windows_install.tmp
PID 3304 wrote to memory of 2120	3304	expressvpn_windows_install.exe	expressvpn_windows_install.tmp
PID 2120 wrote to memory of 4136	2120	expressvpn_windows_install.tmp	cmd.exe
PID 2120 wrote to memory of 4136	2120	expressvpn_windows_install.tmp	cmd.exe
PID 2120 wrote to memory of 4136	2120	expressvpn_windows_install.tmp	cmd.exe
PID 4136 wrote to memory of 5016	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 5016	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 5016	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3872	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3872	4136	cmd.exe	powershell.exe
PID 4136 wrote to memory of 3872	4136	cmd.exe	powershell.exe
PID 2120 wrote to memory of 3924	2120	expressvpn_windows_install.tmp	7za.exe
PID 2120 wrote to memory of 3924	2120	expressvpn_windows_install.tmp	7za.exe
PID 2120 wrote to memory of 3924	2120	expressvpn_windows_install.tmp	7za.exe
PID 2120 wrote to memory of 4612	2120	expressvpn_windows_install.tmp	expressvpn_windows_10.28.0.7_release.exe
PID 2120 wrote to memory of 4612	2120	expressvpn_windows_install.tmp	expressvpn_windows_10.28.0.7_release.exe
PID 2120 wrote to memory of 4612	2120	expressvpn_windows_install.tmp	expressvpn_windows_10.28.0.7_release.exe
PID 4612 wrote to memory of 3356	4612	expressvpn_windows_10.28.0.7_release.exe	expressvpn_windows_10.28.0.7_release.exe
PID 4612 wrote to memory of 3356	4612	expressvpn_windows_10.28.0.7_release.exe	expressvpn_windows_10.28.0.7_release.exe
PID 4612 wrote to memory of 3356	4612	expressvpn_windows_10.28.0.7_release.exe	expressvpn_windows_10.28.0.7_release.exe
PID 3356 wrote to memory of 3052	3356	expressvpn_windows_10.28.0.7_release.exe	ExpressVPN_10.28.0.7.exe
PID 3356 wrote to memory of 3052	3356	expressvpn_windows_10.28.0.7_release.exe	ExpressVPN_10.28.0.7.exe
PID 3356 wrote to memory of 3052	3356	expressvpn_windows_10.28.0.7_release.exe	ExpressVPN_10.28.0.7.exe
PID 2120 wrote to memory of 3344	2120	expressvpn_windows_install.tmp	VCR-2005-2023-09.02.2023.exe
PID 2120 wrote to memory of 3344	2120	expressvpn_windows_install.tmp	VCR-2005-2023-09.02.2023.exe
PID 2120 wrote to memory of 3344	2120	expressvpn_windows_install.tmp	VCR-2005-2023-09.02.2023.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z
1⤵
- Modifies registry class
PID:5084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\7zO0B39F286\expressvpn_windows_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0B39F286\expressvpn_windows_install.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\Temp\is-CIACQ.tmp\expressvpn_windows_install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CIACQ.tmp\expressvpn_windows_install.tmp" /SL5="$B003E,46668844,920064,C:\Users\Admin\AppData\Local\Temp\7zO0B39F286\expressvpn_windows_install.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\WebrootCommAgentService.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAnACkA
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ENC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABFAG4AdgBpAHIAbwBuAG0AZQBuAHQAVgBhAHIAaQBhAGIAbABlACgAJwBVAFMARQBSAFAAUgBPAEYASQBMAEUAJwApACAAKwAgACcAXABBAHAAcABEAGEAdABhACcAKQA=
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\7za.exe
"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\7za.exe" x "C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\keys.zip" -o"C:\Users\Public\Desktop\" * -r -aoa
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\expressvpn_windows_10.28.0.7_release.exe
"C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\expressvpn_windows_10.28.0.7_release.exe" /install /quiet /norestart
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\Temp\{38E90606-9C6A-4743-A54F-E9A9584C696F}\.cr\expressvpn_windows_10.28.0.7_release.exe
"C:\Windows\Temp\{38E90606-9C6A-4743-A54F-E9A9584C696F}\.cr\expressvpn_windows_10.28.0.7_release.exe" -burn.clean.room="C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\expressvpn_windows_10.28.0.7_release.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532 /install /quiet /norestart
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.be\ExpressVPN_10.28.0.7.exe
"C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.be\ExpressVPN_10.28.0.7.exe" -q -burn.elevated BurnPipe.{382DB89E-A25D-4D35-AD79-F91578EF694A} {B5FDD41A-A821-411B-9332-0BDB446C7C26} 3356
7⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\VCR-2005-2023-09.02.2023.exe
"C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\\VCR-2005-2023-09.02.2023.exe"
5⤵
- Executes dropped EXE
PID:3344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\7za.exe
Filesize
796KB

MD5
90aac6489f6b226bf7dc1adabfdb1259

SHA1
c90c47b717b776922cdd09758d2b4212d9ae4911

SHA256
ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549

SHA512
befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\activate\keys.zip
Filesize
1KB

MD5
73583d506546470ad208e5329aad8f82

SHA1
d0b9d0b4b0694b31fc6dc260e3cd4c7e84bcfd24

SHA256
378ee3339c934287e1f7ab8daead283d08b59f15dde44478d3ec9e32aad4c390

SHA512
68a335f671b8570fc5b00cd9ff4885004c4abc10050d3f46493ffa0049f81c0d2a92dd5bb662e0b8bbee67ff4c982896f225de1ef12dc4c9e3e34b91eb20a545

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\expressvpn_windows_10.28.0.7_release.exe
Filesize
36.3MB

MD5
697a6c5fcd10d82105171a946e5c8c87

SHA1
2de3e9dfce00ff92cf25c69da443e75bc05de536

SHA256
10b74e750ac5b4c1a79c3ad9dfd69c0985dc5cb2a773bca228f3803e85d345e3

SHA512
f967f53b75af25518efedb4a2d18bddcf8e63213b789d233e4dd029ee78a27b2f92cf2c00948df6f52978cd906c55dbe3b8e31f094d8b9471ce761ffee1bdc01

Download Submit
C:\Program Files (x86)\Microsoft Visual C++ Redistributable latest\expressvpn_windows_10.28.0.7_release.exe
Filesize
36.3MB

MD5
697a6c5fcd10d82105171a946e5c8c87

SHA1
2de3e9dfce00ff92cf25c69da443e75bc05de536

SHA256
10b74e750ac5b4c1a79c3ad9dfd69c0985dc5cb2a773bca228f3803e85d345e3

SHA512
f967f53b75af25518efedb4a2d18bddcf8e63213b789d233e4dd029ee78a27b2f92cf2c00948df6f52978cd906c55dbe3b8e31f094d8b9471ce761ffee1bdc01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
b220a4c6f7dd73edbd945056464a33a2

SHA1
34d42c4637358d927484171da292dfa6fdea804a

SHA256
dfe276bcb1e0d8a2945137cf29a4c018dc364d970a0f983c9d1f5d8f5bf41fc9

SHA512
27d8583d377614f12d81e464d652daa27ff949a7a6ea4955a20b2c182dcd487a0c097395f287c01d524ccb34b62ebf1c23c1f30d7abffa39ba77f13b6604bee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
b220a4c6f7dd73edbd945056464a33a2

SHA1
34d42c4637358d927484171da292dfa6fdea804a

SHA256
dfe276bcb1e0d8a2945137cf29a4c018dc364d970a0f983c9d1f5d8f5bf41fc9

SHA512
27d8583d377614f12d81e464d652daa27ff949a7a6ea4955a20b2c182dcd487a0c097395f287c01d524ccb34b62ebf1c23c1f30d7abffa39ba77f13b6604bee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
43b0ad906de85e55977fc83f288818e0

SHA1
c21c8c546934a25d6a32eeaf0640bdf4f49a7276

SHA256
68a26d05c42d58de7f5d918130c237ef2ba1911bd2a82a10ad5bfc8e4d85a9b3

SHA512
808fd76c8b02e8d4a3027adaf6cac4ea130b872ac039d6b2b7e75db0a2fed9437eaffdba1ed6f73fd8d8dd7930f9934c5a3427322714fdbb38008875ed4a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0B39F286\expressvpn_windows_install.exe
Filesize
45.5MB

MD5
5b20d0726e1ac919f2d624defc1de0b5

SHA1
46441d1caa28af02f792094a06b95a41346b0d26

SHA256
17394c37b9ae31d757a39960133542691697191cfe03746b0d553bece042e360

SHA512
9c5f38723b1f3fd2675110d9f9bc9dd0733cdc4a038ce6254b173f94087a4840ce7acfeef8450a429729e1d6058009069e81213206e715369d1bc650903a2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0B39F286\expressvpn_windows_install.exe
Filesize
45.5MB

MD5
5b20d0726e1ac919f2d624defc1de0b5

SHA1
46441d1caa28af02f792094a06b95a41346b0d26

SHA256
17394c37b9ae31d757a39960133542691697191cfe03746b0d553bece042e360

SHA512
9c5f38723b1f3fd2675110d9f9bc9dd0733cdc4a038ce6254b173f94087a4840ce7acfeef8450a429729e1d6058009069e81213206e715369d1bc650903a2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0B39F286\expressvpn_windows_install.exe
Filesize
45.5MB

MD5
5b20d0726e1ac919f2d624defc1de0b5

SHA1
46441d1caa28af02f792094a06b95a41346b0d26

SHA256
17394c37b9ae31d757a39960133542691697191cfe03746b0d553bece042e360

SHA512
9c5f38723b1f3fd2675110d9f9bc9dd0733cdc4a038ce6254b173f94087a4840ce7acfeef8450a429729e1d6058009069e81213206e715369d1bc650903a2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hnupfke.3al.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
386.4MB

MD5
17227eda67c95b7a8c779a415c27dc5a

SHA1
6cd4e441fa8d5d735661f76b39dd395ce7da1022

SHA256
532dbbbb74dbb1fd28175ac8e46981f36085038554264ba30b823a6262ad9d87

SHA512
9c1b0be460f54faa0405c06d6a4acbf5ea4f24385275f4282396b5ab00b478ac754d1232df99d4d2277ab304f18520979670a6f2a1bc4fe0dad4140c2a199c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
393.1MB

MD5
4eb025461bd01a15ba94c9d289290f8d

SHA1
555cdbaf4b818026845030f97983ae10ee6a1111

SHA256
993e53ea7fe7b2d6b4ecbeb059bb0b106912d568e26bfec7df079d3ecaf53a2a

SHA512
64c2fc9019060b8dadbd91f14ebfeeee92dae7eb9b39187629a3c7de8771fa984f9e8fe2bb734f0e7990cb1c7c89afbd37100c4580236a5e3f77f1526484f0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\VCR-2005-2023-09.02.2023.exe
Filesize
395.2MB

MD5
ccd1f68ab49db43812762499e5783e25

SHA1
9bc21a41cea89a7d17e2478447426f997409a9b1

SHA256
8670761fbf53d4874d31a79afe622c832d9725766ac00b0ec1d08cfcf0cded63

SHA512
48a44fd601a38e960e7f26c60d46712cb2e9a386b0c2df07f6e5f0993c8ae529a5366fcd47e00295894c10c70344278afd1e6b4804c3f4440731afc00bdcab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\WebrootCommAgentService.bat
Filesize
559B

MD5
439e4b6f172643534bc0c5d12e9f983e

SHA1
010aab79a6f71aeb8921c826d2bdbe110d063e95

SHA256
9c6ef11ca6f3f5e1c3d886197c5731567f47f08b224ba20a0b31d944b47f5c78

SHA512
79dea89abdf15b396a85361e23fde3a20a474afc2d26dd9ccb7336b92c3bf5aea5e9c183e9c415e06f07f8501bc8b86a273fd01b7fd505aabad8417dbe1fb900

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\_isetup\_isdecmp.dll
Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5VNMD.tmp\innocallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CIACQ.tmp\expressvpn_windows_install.tmp
Filesize
3.1MB

MD5
bb94dd71153f47e9b75a106d194e2986

SHA1
e6221337b567bf16c9591a46682cd0ce17074866

SHA256
51d90568208143aa202fcb1b8d378e14a8e354378b4b08c85468d37e70049b82

SHA512
a2c436beff0aceb2aaea401bc454a1d3f544ce468e7253bd9443dd0d15bfe3b929e8ee0f8e90f796ed4a1e77790f9ad27bf154691603fead27c7b237fe964f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CIACQ.tmp\expressvpn_windows_install.tmp
Filesize
3.1MB

MD5
bb94dd71153f47e9b75a106d194e2986

SHA1
e6221337b567bf16c9591a46682cd0ce17074866

SHA256
51d90568208143aa202fcb1b8d378e14a8e354378b4b08c85468d37e70049b82

SHA512
a2c436beff0aceb2aaea401bc454a1d3f544ce468e7253bd9443dd0d15bfe3b929e8ee0f8e90f796ed4a1e77790f9ad27bf154691603fead27c7b237fe964f62

Download Submit
C:\Windows\Temp\{38E90606-9C6A-4743-A54F-E9A9584C696F}\.cr\expressvpn_windows_10.28.0.7_release.exe
Filesize
1.8MB

MD5
551b0e0d85967d42f4731b5317ea62dd

SHA1
42944f044419212b6005fe16050373bac3bd2196

SHA256
f5dfc1f6a9e59ca74cc8bbe64e9ff280b4f49b41be07d0568d65128b5caeb935

SHA512
f3c9431d622f6f05a9458afe934b725e698bfe04c4e32d9dac99464af55be7c04e1178b0fd4f9f1c295f8c2d086742f8f0367f4c26b0c522cb4d9438a26fd1f4

Download Submit
C:\Windows\Temp\{38E90606-9C6A-4743-A54F-E9A9584C696F}\.cr\expressvpn_windows_10.28.0.7_release.exe
Filesize
1.8MB

MD5
551b0e0d85967d42f4731b5317ea62dd

SHA1
42944f044419212b6005fe16050373bac3bd2196

SHA256
f5dfc1f6a9e59ca74cc8bbe64e9ff280b4f49b41be07d0568d65128b5caeb935

SHA512
f3c9431d622f6f05a9458afe934b725e698bfe04c4e32d9dac99464af55be7c04e1178b0fd4f9f1c295f8c2d086742f8f0367f4c26b0c522cb4d9438a26fd1f4

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\BootstrapperCore.config
Filesize
797B

MD5
7f1ea3ba7ed3360baa755450669d58b0

SHA1
498070a830ee24d1e0cf46b6397a0ecc66674c54

SHA256
f8a83e1a8157507ef776c3b6c7d87d7c84296356c05a48a60d61bf5efe85bab0

SHA512
a31340993f1fc99cfc13d91565f5e426099584d1a7fcef72c6c27cc221a7bcd2714298562714a2c471d7ca3f34f423a74d0e5041f6bee43a02e0b1beb127be69

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\BootstrapperCore.dll
Filesize
80KB

MD5
c4f7146ddc56763ccdb1cb3c09478708

SHA1
bca088ab33cfb69adeae11a272e9c8a83f39a8c9

SHA256
886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

SHA512
df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\BootstrapperCore.dll
Filesize
80KB

MD5
c4f7146ddc56763ccdb1cb3c09478708

SHA1
bca088ab33cfb69adeae11a272e9c8a83f39a8c9

SHA256
886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

SHA512
df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\Castle.Core.dll
Filesize
432KB

MD5
17cec17759cf531181523d43683f836c

SHA1
8a4038677ca374afc9a7449befd0409c521e1106

SHA256
5579520b8588e1ab4a5fb2e188aa91917a1f3c53810d40c7c6ebc720f537ad5c

SHA512
1a9e37b31bb203bcb16066cfc133cc40dbbda8cb9d828b292c781f26d118c3176b3ff5de8a13f2ef67948ce1d2be227257fddb2752253ec9e3eff9d88dabf9e6

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\Castle.Core.dll
Filesize
432KB

MD5
17cec17759cf531181523d43683f836c

SHA1
8a4038677ca374afc9a7449befd0409c521e1106

SHA256
5579520b8588e1ab4a5fb2e188aa91917a1f3c53810d40c7c6ebc720f537ad5c

SHA512
1a9e37b31bb203bcb16066cfc133cc40dbbda8cb9d828b292c781f26d118c3176b3ff5de8a13f2ef67948ce1d2be227257fddb2752253ec9e3eff9d88dabf9e6

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\Castle.Windsor.dll
Filesize
372KB

MD5
d1ce1ee15a59bc18e4bf757431213759

SHA1
becf11887ec65ee63bf5cc674ebfa8d8e86de724

SHA256
1207c52b697e09b0fd4e873e173f4ec58b72a1e197d88f047bc89bcada7eeade

SHA512
71c10d0c2a3e4115d5059bbb058c9ab6ca2443184355d51ce1239168a7800f9f4108b22824127b4a8d7dc02211815961c23480def28865439e6b5e29dfe910f7

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\Castle.Windsor.dll
Filesize
372KB

MD5
d1ce1ee15a59bc18e4bf757431213759

SHA1
becf11887ec65ee63bf5cc674ebfa8d8e86de724

SHA256
1207c52b697e09b0fd4e873e173f4ec58b72a1e197d88f047bc89bcada7eeade

SHA512
71c10d0c2a3e4115d5059bbb058c9ab6ca2443184355d51ce1239168a7800f9f4108b22824127b4a8d7dc02211815961c23480def28865439e6b5e29dfe910f7

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\WixSharp Setup.exe
Filesize
1.5MB

MD5
8d5f6b1c803d676553fa18db1a2bf6f1

SHA1
6c970031ad9eb75b2b6ee533efba07971773a826

SHA256
d3a4da5a19215dbc4cfd2c77edc4637f8e3ea92f75fd47fa356003f148023f00

SHA512
2a8de64ce7737d17ddc443eab3d8ba121ca95708381333e9a372241cf1da62b32095df6129dc0ca7bdfca4d7ee807a76df2a5cfba649eefb53000856f1baa24a

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\WixSharp Setup.exe
Filesize
1.5MB

MD5
8d5f6b1c803d676553fa18db1a2bf6f1

SHA1
6c970031ad9eb75b2b6ee533efba07971773a826

SHA256
d3a4da5a19215dbc4cfd2c77edc4637f8e3ea92f75fd47fa356003f148023f00

SHA512
2a8de64ce7737d17ddc443eab3d8ba121ca95708381333e9a372241cf1da62b32095df6129dc0ca7bdfca4d7ee807a76df2a5cfba649eefb53000856f1baa24a

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.ba\mbahost.dll
Filesize
111KB

MD5
d7c697ceb6f40ce91dabfcbe8df08e22

SHA1
49cd0213a1655dcdb493668083ab2d7f55135381

SHA256
b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df

SHA512
22ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.be\ExpressVPN_10.28.0.7.exe
Filesize
1.8MB

MD5
551b0e0d85967d42f4731b5317ea62dd

SHA1
42944f044419212b6005fe16050373bac3bd2196

SHA256
f5dfc1f6a9e59ca74cc8bbe64e9ff280b4f49b41be07d0568d65128b5caeb935

SHA512
f3c9431d622f6f05a9458afe934b725e698bfe04c4e32d9dac99464af55be7c04e1178b0fd4f9f1c295f8c2d086742f8f0367f4c26b0c522cb4d9438a26fd1f4

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.be\ExpressVPN_10.28.0.7.exe
Filesize
1.8MB

MD5
551b0e0d85967d42f4731b5317ea62dd

SHA1
42944f044419212b6005fe16050373bac3bd2196

SHA256
f5dfc1f6a9e59ca74cc8bbe64e9ff280b4f49b41be07d0568d65128b5caeb935

SHA512
f3c9431d622f6f05a9458afe934b725e698bfe04c4e32d9dac99464af55be7c04e1178b0fd4f9f1c295f8c2d086742f8f0367f4c26b0c522cb4d9438a26fd1f4

Download Submit
C:\Windows\Temp\{642DF44D-78B4-4160-B232-6613443AF2E5}\.be\ExpressVPN_10.28.0.7.exe
Filesize
1.8MB

MD5
551b0e0d85967d42f4731b5317ea62dd

SHA1
42944f044419212b6005fe16050373bac3bd2196

SHA256
f5dfc1f6a9e59ca74cc8bbe64e9ff280b4f49b41be07d0568d65128b5caeb935

SHA512
f3c9431d622f6f05a9458afe934b725e698bfe04c4e32d9dac99464af55be7c04e1178b0fd4f9f1c295f8c2d086742f8f0367f4c26b0c522cb4d9438a26fd1f4

Download Submit
memory/2120-209-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2120-185-0x0000000003600000-0x0000000003615000-memory.dmp

Filesize
84KB

Download
memory/2120-210-0x0000000003600000-0x0000000003615000-memory.dmp

Filesize
84KB

Download
memory/2120-160-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2120-184-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2120-276-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2120-162-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2120-177-0x0000000003600000-0x0000000003615000-memory.dmp

Filesize
84KB

Download
memory/2120-380-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2120-277-0x0000000003600000-0x0000000003615000-memory.dmp

Filesize
84KB

Download
memory/3304-383-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3304-161-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3304-154-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3344-382-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/3344-395-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/3344-386-0x0000000002B60000-0x0000000002C78000-memory.dmp

Filesize
1.1MB

Download
memory/3356-343-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3356-378-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3356-381-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3356-377-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3356-329-0x00000000065C0000-0x00000000065D8000-memory.dmp

Filesize
96KB

Download
memory/3356-379-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3356-356-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3356-336-0x0000000006B80000-0x0000000006CF8000-memory.dmp

Filesize
1.5MB

Download
memory/3356-347-0x0000000006E30000-0x0000000006EA0000-memory.dmp

Filesize
448KB

Download
memory/3356-348-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3356-340-0x0000000006D60000-0x0000000006DC0000-memory.dmp

Filesize
384KB

Download
memory/3356-351-0x00000000065F0000-0x0000000006600000-memory.dmp

Filesize
64KB

Download
memory/3872-247-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/3872-259-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/3872-249-0x000000006FBF0000-0x000000006FC3C000-memory.dmp

Filesize
304KB

Download
memory/3872-248-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/3872-260-0x000000007FC60000-0x000000007FC70000-memory.dmp

Filesize
64KB

Download
memory/5016-226-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/5016-198-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/5016-225-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

Filesize
64KB

Download
memory/5016-224-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/5016-223-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/5016-227-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/5016-213-0x000000006FBF0000-0x000000006FC3C000-memory.dmp

Filesize
304KB

Download
memory/5016-212-0x00000000070B0000-0x00000000070E2000-memory.dmp

Filesize
200KB

Download
memory/5016-211-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/5016-229-0x0000000007450000-0x00000000074E6000-memory.dmp

Filesize
600KB

Download
memory/5016-199-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/5016-228-0x0000000007240000-0x000000000724A000-memory.dmp

Filesize
40KB

Download
memory/5016-233-0x00000000074F0000-0x00000000074F8000-memory.dmp

Filesize
32KB

Download
memory/5016-232-0x0000000007510000-0x000000000752A000-memory.dmp

Filesize
104KB

Download
memory/5016-197-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/5016-231-0x0000000007400000-0x000000000740E000-memory.dmp

Filesize
56KB

Download
memory/5016-196-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/5016-195-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/5016-194-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/5016-193-0x0000000002920000-0x0000000002956000-memory.dmp

Filesize
216KB

Download