6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060

Analysis

max time kernel
25s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-06-2023 18:00

Target

expressvpn_windows_12.38.0.60_release.exe
Size

57.9MB
MD5

c2f43c3bd04b18b42538f21d5c35769c
SHA1

c82bd94359c17d96d7e6195fb3350e5944747fa0
SHA256

6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060
SHA512

e220f439900da7058b430e0ee98eaf92b7063143071026ddb1234f1800978c4a3a4ca55252811d45ef8339a5cddcbd2a1f5deeb7036c8b23f4f09f207a6bf6a4
SSDEEP

1572864:dKaNvbJ8xod7dyy6KsEcOEhn8Oi2dLLflzBfaAThAz80FcaTT2uqGN:dKYCxod7dDHHUVvdL7LSTSgT2uT

Score

4^/10

Executes dropped EXE 1 IoCs

Processes:

expressvpn_windows_12.38.0.60_release.exe

pid process

924 expressvpn_windows_12.38.0.60_release.exe
Loads dropped DLL 1 IoCs

Processes:

expressvpn_windows_12.38.0.60_release.exe

pid process

1724 expressvpn_windows_12.38.0.60_release.exe

pid	process
924	expressvpn_windows_12.38.0.60_release.exe

pid	process
1724	expressvpn_windows_12.38.0.60_release.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

expressvpn_windows_12.38.0.60_release.exe

description	pid	process	target process
PID 1724 wrote to memory of 924	1724	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 1724 wrote to memory of 924	1724	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 1724 wrote to memory of 924	1724	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 1724 wrote to memory of 924	1724	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 1724 wrote to memory of 924	1724	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 1724 wrote to memory of 924	1724	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe
PID 1724 wrote to memory of 924	1724	expressvpn_windows_12.38.0.60_release.exe	expressvpn_windows_12.38.0.60_release.exe

C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
"C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
2⤵
- Executes dropped EXE
PID:924

C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
Filesize
10.3MB

MD5
07c7857ac0338fdc449755eddac67c94

SHA1
db057f68b70c981978855a2b02d8a8a397c79b0a

SHA256
efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a

SHA512
842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

Download Submit
C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
Filesize
10.3MB

MD5
07c7857ac0338fdc449755eddac67c94

SHA1
db057f68b70c981978855a2b02d8a8a397c79b0a

SHA256
efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a

SHA512
842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

Download Submit
\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
Filesize
10.3MB

MD5
07c7857ac0338fdc449755eddac67c94

SHA1
db057f68b70c981978855a2b02d8a8a397c79b0a

SHA256
efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a

SHA512
842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

Download Submit