Analysis Overview
SHA256
6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060
Threat Level: Known bad
The file expressvpn_windows_12.38.0.60_release.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Downloads MZ/PE file
Blocklisted process makes network request
Enumerates connected drives
Adds Run key to start application
Checks computer location settings
Drops file in Windows directory
Checks installed software on the system
Registers COM server for autorun
Drops file in Program Files directory
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Program crash
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies system certificate store
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-13 18:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-13 18:00
Reported
2023-06-13 18:03
Platform
win7-20230220-en
Max time kernel
25s
Max time network
30s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"
C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
"C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
Network
Files
\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-13 18:00
Reported
2023-06-13 18:03
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Downloads MZ/PE file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ExpressVPNNotificationService = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationServiceStarter.exe\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8e563438-c5e3-4ece-98b6-53dcb8e954c2} = "\"C:\\ProgramData\\Package Cache\\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\\ExpressVPN_12.38.0.60.exe\" /burn.runonce" | C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\LaunchDarkly.Logging.Microsoft.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.Serialization.Formatters.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Net.Security.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Printing.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\es\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Configuration.ConfigurationManager.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\WindowsBase.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\System.Xaml.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\mscorrc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-profile-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Data.DataSetExtensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\D3DCompiler_47_cor3.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\de\PresentationCore.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\fr\WindowsBase.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pl\PresentationFramework.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.settings.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.InteropServices.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Xml.Serialization.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\PresentationUI.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.IO.Packaging.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Diagnostics.EventLog.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\PresentationFramework.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\ReachFramework.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework-SystemCore.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Xml.XDocument.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Diagnostics.TraceSource.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\LICENSE.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\UIAutomationClientSideProviders.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\System.Windows.Forms.Design.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\de\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.InteropServices.RuntimeInformation.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Threading.Timer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework.Aero.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\cs\UIAutomationClientSideProviders.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\es\System.Windows.Input.Manipulations.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\UIAutomationTypes.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\fr\System.Windows.Forms.Design.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.AppService.Grpc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\LaunchDarkly.ClientSdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Diagnostics.TextWriterTraceListener.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\com.expressvpn.helper.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\System.Security.Cryptography.ProtectedData.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Text.Encoding.Extensions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-debug-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\dotnet.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\System.Windows.Controls.Ribbon.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\PresentationUI.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Linq.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-interlocked-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.ComponentModel.Primitives.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\WindowsBase.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pl\System.Windows.Forms.Design.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\LaunchDarkly.EventSource.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\lightway.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\System.Management.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\UIAutomationClient.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\WindowsBase.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\System.Windows.Forms.Design.resources.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\LaunchDarkly.InternalSdk.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Logging.EventLog.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\ExpressVpn.Client.Setup.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI463E.tmp-\LaunchDarkly.CommonSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI56CB.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI739E.tmp-\System.Security.AccessControl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\System.Text.Encodings.Web.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI40ED.tmp-\System.ValueTuple.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI463E.tmp-\ExpressVPN.Common.Shared.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI56CB.tmp-\ExpressVPN.Utils.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5DD1.tmp-\LaunchDarkly.JsonStream.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5DD1.tmp-\MissingLinq.Linq2Management.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\Microsoft.Extensions.Configuration.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\System.Reactive.Linq.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3832.tmp-\System.Buffers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FB6.tmp-\Microsoft.Extensions.Primitives.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\System.Memory.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CE6.tmp-\System.IO.FileSystem.AccessControl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI40ED.tmp-\System.Memory.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI463E.tmp-\System.ValueTuple.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FB6.tmp-\Sentry.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI56CB.tmp-\MissingLinq.Linq2Management.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\Sentry.Extensions.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{089A177D-98AE-4195-A115-D3C45613B875} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\ExpressVPN.Common.Shared.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}\app_icon.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\System.Threading.Tasks.Extensions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CE6.tmp-\MissingLinq.Linq2Management.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI56CB.tmp-\LaunchDarkly.InternalSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5DD1.tmp-\LaunchDarkly.ClientSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5DD1.tmp-\System.Runtime.CompilerServices.Unsafe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI739E.tmp-\Sentry.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\e57c1d1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\System.Memory.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI463E.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI499A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI56CB.tmp-\Microsoft.Extensions.Configuration.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\System.Collections.Immutable.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CE6.tmp-\Microsoft.Extensions.Options.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI739E.tmp-\LaunchDarkly.CommonSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\WixSharp.UI.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI40ED.tmp-\System.Collections.Immutable.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.ClientSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI56CB.tmp-\Sentry.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5DD1.tmp-\Grpc.Core.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CE6.tmp-\ExpressVpn.Common.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CE6.tmp-\Microsoft.Extensions.FileSystemGlobbing.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI739E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57c1d5.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\System.Text.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3832.tmp-\Microsoft.Extensions.Logging.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI463E.tmp-\LaunchDarkly.ClientSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI499A.tmp-\ExpressVpn.Common.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI499A.tmp-\Microsoft.Extensions.FileProviders.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4FB6.tmp-\BootstrapperCore.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\Microsoft.Extensions.Options.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI696B.tmp-\System.Numerics.Vectors.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI739E.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1F09.tmp-\System.Collections.Immutable.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3832.tmp-\LaunchDarkly.ClientSdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3832.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3832.tmp-\System.Reflection.Metadata.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{4eb799a7-3ca3-4f32-b247-62b1a8899a9f}\LocalServer32 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{4eb799a7-3ca3-4f32-b247-62b1a8899a9f}\LocalServer32\ = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationService.exe\" -ToastActivated" | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}v12.38.0.60\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version = "48.23.40665" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\expressvpn\shell\open\command | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\ProductName = "Microsoft .NET Host FX Resolver - 6.0.5 (x64)" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B16A3B3F61CDA9242A06BDFA6E76149A\Provider | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\DisplayName = "ExpressVPN" | C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.23.40665_x64\Version = "48.23.40665" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{3E6CCD41-6B96-47BD-8E1E-D7B593CEE976}v48.23.40665\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\ = "URL:ExpressVPN Protocol" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{8e563438-c5e3-4ece-98b6-53dcb8e954c2} | C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{089A177D-98AE-4195-A115-D3C45613B875}v48.23.40665\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} | C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\ProductName = "ExpressVPN" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\Version = "806854361" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XDeviceID | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5E3C9B5EC98822F49A954F8B6DDC8703 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\ProductName = "Microsoft .NET Runtime - 6.0.5 (x64)" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}v12.38.0.60\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{F3B3A61B-DC16-429A-A260-DBAFE66741A9}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XDeviceID\{7b9b0021-e550-4a9f-abaf-ed1daf2b4184} | C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Version = "806854395" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Version = "48.23.40665" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D771A980EA8959141A513D4C65318B57\Provider | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\PackageCode = "3C57FB7C5C8A52B40956C723EAB175C1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96CB999B5A151C05AD66FE6E01275B09 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} | C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\Version = "203816960" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211}\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} | C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\95E1F2D0BA75B2B74C874D77E76BDC01\14DCC6E369B6DB74E8E17D5B39EC9E67 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{DE578B32-084A-49E7-8E55-6F58A37578C0}v48.23.40699\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}\Version = "12.38.0.60" | C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64 | C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{4eb799a7-3ca3-4f32-b247-62b1a8899a9f} | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\URL Protocol | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\PackageCode = "7C220EF0E82E1D747B8A574636FCC4E1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\Version = "12.38.0.60" | C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\10EA62E1536592372BC00B2945329E52\23B875EDA4807E94E855F6853A57870C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{DE578B32-084A-49E7-8E55-6F58A37578C0}v48.23.40699\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\PackageName = "ExpressVPN.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Dependents | C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"
C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe
"C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe" -burn.filehandle.attached=532 -burn.filehandle.self=536
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe
"C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe" -q -burn.elevated BurnPipe.{AE25E771-AEB8-4FF6-A654-2A686CC3335A} {3C5172FC-3F64-4AB5-9CFF-71BDAA608357} 640
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe
"C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" /install /quiet /norestart -burn.filehandle.self=1628 -burn.embedded BurnPipe.{A58D639C-8114-4B4F-8C9A-B0463C4D1ABC} {190F4544-4522-4AC9-A7EF-0D9C3B184B8A} 4492
C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
"C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart -burn.filehandle.self=1628 -burn.embedded BurnPipe.{A58D639C-8114-4B4F-8C9A-B0463C4D1ABC} {190F4544-4522-4AC9-A7EF-0D9C3B184B8A} 4492
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
"C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe" -q -burn.elevated BurnPipe.{D1E0C687-BD0C-4337-BED2-D7D5D0DB2222} {8F7900AF-B21B-49E7-8EF0-D0C058682C80} 4572
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AD172D7A0845ADF6F49C009A073757F4
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 13BABD8DBC56A1F18C3D8528C58B86E6
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A36DDCC32832B3D1B10A26E63DEBC87A
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D642A118A0A5F47DA977AE294F2CEFBF
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 81BE6FE8D615AA8CA84364A0D61663E7
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI1F09.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240656312 22 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseMainApp
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 49BFE0685B136E64E983F32A0620385D E Global\MSI0000
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI3832.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240662609 37 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetBrowserHelperPath
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI40ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240664937 41 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateAccessTokens
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI463E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240666187 45 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateDefaultPortConfiguration
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI499A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240667031 49 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateServiceCredentials
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI4FB6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240668593 53 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.InitializeProteusId
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI56CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670406 57 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetServicesFailureActions
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2120 -ip 2120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1236
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI5DD1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672203 62 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.AddErrorReportingKeys
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe"
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe"
C:\Program Files (x86)\ExpressVPN\services\lightway.exe
"C:\Program Files (x86)\ExpressVPN\services\lightway.exe" --version
C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe
"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI696B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240675234 66 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveLegacyRegistryData
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI6CE6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240676093 70 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveUserFolderData
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI739E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240677781 80 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.DeleteBinaries
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe
"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe" install
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe
"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe
"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe" uihaslaunched
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 90.53.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.visualstudio.microsoft.com | udp |
| US | 192.229.232.200:443 | download.visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.232.229.192.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| NL | 87.248.202.1:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | 101.14.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.15.18.104.in-addr.arpa | udp |
| US | 40.125.122.176:443 | tcp | |
| US | 8.8.8.8:53 | o137163.ingest.sentry.io | udp |
| US | 34.120.195.249:443 | o137163.ingest.sentry.io | tcp |
| US | 34.120.195.249:443 | o137163.ingest.sentry.io | tcp |
| US | 8.8.8.8:53 | www.msftncsi.com | udp |
| US | 2.18.121.71:80 | www.msftncsi.com | tcp |
| US | 8.8.8.8:53 | 249.195.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 34.120.195.249:443 | o137163.ingest.sentry.io | tcp |
| US | 8.8.8.8:53 | clientstream.launchdarkly.com | udp |
| US | 3.33.235.18:443 | clientstream.launchdarkly.com | tcp |
| US | 2.18.121.71:80 | www.msftncsi.com | tcp |
| US | 8.8.8.8:53 | 18.235.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobile.launchdarkly.com | udp |
| US | 107.22.208.224:443 | mobile.launchdarkly.com | tcp |
| US | 8.8.8.8:53 | 224.208.22.107.in-addr.arpa | udp |
| N/A | 127.0.0.1:2021 | tcp | |
| N/A | 127.0.0.1:2022 | tcp | |
| US | 40.125.122.176:443 | tcp | |
| N/A | 127.0.0.1:2020 | tcp | |
| US | 2.18.121.71:80 | www.msftncsi.com | tcp |
Files
C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\mbahost.dll
| MD5 | c59832217903ce88793a6c40888e3cae |
| SHA1 | 6d9facabf41dcf53281897764d467696780623b8 |
| SHA256 | 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db |
| SHA512 | 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9 |
memory/640-234-0x0000000006450000-0x0000000006460000-memory.dmp
memory/640-235-0x0000000006450000-0x0000000006460000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\BootstrapperCore.dll
| MD5 | b0d10a2a622a322788780e7a3cbb85f3 |
| SHA1 | 04d90b16fa7b47a545c1133d5c0ca9e490f54633 |
| SHA256 | f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426 |
| SHA512 | 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\BootstrapperCore.dll
| MD5 | b0d10a2a622a322788780e7a3cbb85f3 |
| SHA1 | 04d90b16fa7b47a545c1133d5c0ca9e490f54633 |
| SHA256 | f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426 |
| SHA512 | 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f |
memory/640-239-0x00000000031F0000-0x0000000003208000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\BootstrapperCore.config
| MD5 | 0c79473766c4a706b8acacbeff369bc6 |
| SHA1 | f5470d0ec6fd98403fa756d1760ddf0ecb3c5b81 |
| SHA256 | c044ee99956b0b7628f29d2c7f8d0aaaf18054156acf910915c86edbb09476aa |
| SHA512 | 991a357bcea62be7e926a9768e3cf3d399303b5cc7667bfe71c9487de289efbeaca91d98e18880125daac6b7f73b6d298bbbd2276452f155e82173ac5aac1c02 |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\WixSharp Setup.exe
| MD5 | a1124e760bc0cbf9e261cdfe7a418832 |
| SHA1 | 0795b0adf6cf467fb7942b1f7405bd0ed754a9d6 |
| SHA256 | 0502f8da948a642e4db4cea611ce28dd3da8c2928d3626ce530cfafbb4d11f7a |
| SHA512 | 5ff54162d73559133b64bf35bf07da1d3ee064ce32c071caf137f9eea41d0fb30879e7835b6cf537639cd2442c9117a9cf68d4a5e89b8af5d1319b82f9f4afcb |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\WixSharp Setup.exe
| MD5 | a1124e760bc0cbf9e261cdfe7a418832 |
| SHA1 | 0795b0adf6cf467fb7942b1f7405bd0ed754a9d6 |
| SHA256 | 0502f8da948a642e4db4cea611ce28dd3da8c2928d3626ce530cfafbb4d11f7a |
| SHA512 | 5ff54162d73559133b64bf35bf07da1d3ee064ce32c071caf137f9eea41d0fb30879e7835b6cf537639cd2442c9117a9cf68d4a5e89b8af5d1319b82f9f4afcb |
memory/640-246-0x00000000069B0000-0x0000000006B36000-memory.dmp
memory/640-247-0x0000000006450000-0x0000000006460000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Client.Setup.Shared.dll
| MD5 | 46e1d39b4319db3517b9fa2d7d0b67c8 |
| SHA1 | 33af5ab0df4b9d690fe283fb8a8bd63508f3ada3 |
| SHA256 | b509e2c677b73b4cad4f09d0c3f94724bf3fd952b3f4c24c30985636ff2ed30c |
| SHA512 | dfedfc09ca7c1dbe611015c19464918d1b13b0f9828d504ac11598be442d61ce3ef8038f0d9c9ea0275fa5d95630e41ffe6a0bb1b0b67f955a46a858669a345e |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Client.Setup.Shared.dll
| MD5 | 46e1d39b4319db3517b9fa2d7d0b67c8 |
| SHA1 | 33af5ab0df4b9d690fe283fb8a8bd63508f3ada3 |
| SHA256 | b509e2c677b73b4cad4f09d0c3f94724bf3fd952b3f4c24c30985636ff2ed30c |
| SHA512 | dfedfc09ca7c1dbe611015c19464918d1b13b0f9828d504ac11598be442d61ce3ef8038f0d9c9ea0275fa5d95630e41ffe6a0bb1b0b67f955a46a858669a345e |
memory/640-251-0x0000000006430000-0x0000000006438000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
| MD5 | 405bf969e7e50ef47422e54fa33605c8 |
| SHA1 | 4f3c5c8803212719ee74c60813b9ae08604684b3 |
| SHA256 | 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1 |
| SHA512 | d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
| MD5 | 405bf969e7e50ef47422e54fa33605c8 |
| SHA1 | 4f3c5c8803212719ee74c60813b9ae08604684b3 |
| SHA256 | 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1 |
| SHA512 | d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a |
memory/640-255-0x0000000006960000-0x0000000006970000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Common.Logging.dll
| MD5 | 988912a8a5ae0cafeb29f80b4e3af6d4 |
| SHA1 | 1ca87bea628fff4c8995d92168e736ef7fffd1ae |
| SHA256 | 5c67aca3caf64cb4a2ca3111ce00da9aa1364583344896dfdcb6d85c5050f43e |
| SHA512 | 2d58cde0d8f2d2aca423a612c77f34a146f46c64f8e5c877e7395baf2669ae1537bcff6431c7c0c01bb0889ced875604f9c4743b0974c2f89e300aaa13b01d3f |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Common.Logging.dll
| MD5 | 988912a8a5ae0cafeb29f80b4e3af6d4 |
| SHA1 | 1ca87bea628fff4c8995d92168e736ef7fffd1ae |
| SHA256 | 5c67aca3caf64cb4a2ca3111ce00da9aa1364583344896dfdcb6d85c5050f43e |
| SHA512 | 2d58cde0d8f2d2aca423a612c77f34a146f46c64f8e5c877e7395baf2669ae1537bcff6431c7c0c01bb0889ced875604f9c4743b0974c2f89e300aaa13b01d3f |
memory/640-259-0x0000000006990000-0x00000000069A8000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Common.Shared.dll
| MD5 | 8d3bd603070c5341750804592de30739 |
| SHA1 | 19b27c7834ad7cbf1b9d6a396dfa0a5fa5588112 |
| SHA256 | 74fd8ff3b37e161c04c4a17ada1138cc44f52b4af93f946237affb040b0c916b |
| SHA512 | 8c366f1a037e448edec3d324f559ccb56ac184c5f504764c8afec8cc56048d4532b8a0926e10316d6d41fc2b21a9bd673899ff459c665e6d3d8e371bce980c35 |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Common.Shared.dll
| MD5 | 8d3bd603070c5341750804592de30739 |
| SHA1 | 19b27c7834ad7cbf1b9d6a396dfa0a5fa5588112 |
| SHA256 | 74fd8ff3b37e161c04c4a17ada1138cc44f52b4af93f946237affb040b0c916b |
| SHA512 | 8c366f1a037e448edec3d324f559ccb56ac184c5f504764c8afec8cc56048d4532b8a0926e10316d6d41fc2b21a9bd673899ff459c665e6d3d8e371bce980c35 |
memory/640-263-0x0000000006B40000-0x0000000006B54000-memory.dmp
memory/640-264-0x0000000006B60000-0x0000000006B7A000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Utils.dll
| MD5 | f162ee7a69d27493bd375907f666ca94 |
| SHA1 | b79c97c0cdb592f7ce01f3b4bddf5ab5db252547 |
| SHA256 | a8609434e1d3481f153b811e5f7c1a0a98b205a0a6d5a176b45b4b8b1ff1b95e |
| SHA512 | cd32829c002d236014e45d14232f7104f4518291c39fa0dd55b5d29a1c5bf991b287b1ae3c6f16e5e8d31efba5f27e61d3c7241648936f1157d0564a1a47d32b |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Utils.dll
| MD5 | f162ee7a69d27493bd375907f666ca94 |
| SHA1 | b79c97c0cdb592f7ce01f3b4bddf5ab5db252547 |
| SHA256 | a8609434e1d3481f153b811e5f7c1a0a98b205a0a6d5a176b45b4b8b1ff1b95e |
| SHA512 | cd32829c002d236014e45d14232f7104f4518291c39fa0dd55b5d29a1c5bf991b287b1ae3c6f16e5e8d31efba5f27e61d3c7241648936f1157d0564a1a47d32b |
memory/640-268-0x0000000006BA0000-0x0000000006BC0000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
memory/640-272-0x0000000006CC0000-0x0000000006CD8000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
memory/640-276-0x0000000006B80000-0x0000000006B8A000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
memory/640-280-0x0000000006B90000-0x0000000006B9A000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
memory/640-284-0x0000000006D00000-0x0000000006D10000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Newtonsoft.Json.dll
| MD5 | 6815034209687816d8cf401877ec8133 |
| SHA1 | 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10 |
| SHA256 | 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814 |
| SHA512 | 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721 |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Newtonsoft.Json.dll
| MD5 | 6815034209687816d8cf401877ec8133 |
| SHA1 | 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10 |
| SHA256 | 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814 |
| SHA512 | 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721 |
memory/640-288-0x0000000006E90000-0x0000000006F40000-memory.dmp
memory/640-293-0x0000000006880000-0x00000000068A2000-memory.dmp
memory/640-292-0x000000007FBB0000-0x000000007FBC0000-memory.dmp
memory/640-291-0x0000000006450000-0x0000000006460000-memory.dmp
memory/640-296-0x00000000077C0000-0x00000000077C8000-memory.dmp
memory/640-298-0x0000000009D30000-0x0000000009D68000-memory.dmp
memory/640-297-0x0000000006450000-0x0000000006460000-memory.dmp
memory/640-299-0x0000000009CF0000-0x0000000009CFE000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
memory/640-308-0x0000000009FE0000-0x0000000009FE8000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
memory/640-312-0x0000000006450000-0x0000000006460000-memory.dmp
memory/640-313-0x0000000006450000-0x0000000006460000-memory.dmp
memory/640-314-0x0000000006450000-0x0000000006460000-memory.dmp
memory/640-315-0x000000007FBB0000-0x000000007FBC0000-memory.dmp
memory/640-316-0x0000000006450000-0x0000000006460000-memory.dmp
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\Net6DesktopRuntime64
| MD5 | 26d558f92be15a50d59b8261123de56b |
| SHA1 | b5b1819cca753b070181f50411375b80412860a3 |
| SHA256 | 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62 |
| SHA512 | 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea |
C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\MainMsi
| MD5 | d5e72c30c8383525e3aed1f1c2f1caab |
| SHA1 | 453c6b82989d62d7e3d9e1c805b5d106c1f5463d |
| SHA256 | 59efe52b08ee6c4cef658510eeb2be1b4f4701d162ff581a57a2997421652c57 |
| SHA512 | f8e67557af9e9053498460a32401b0b9f20cbe771d14189df112db505ba2f9330c7f89fa4aa61f486a4ab7867115a0c1909cbf5b5b5546cc70c61280b49ee867 |
C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 26d558f92be15a50d59b8261123de56b |
| SHA1 | b5b1819cca753b070181f50411375b80412860a3 |
| SHA256 | 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62 |
| SHA512 | 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea |
C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.ba\wixstdba.dll
| MD5 | 4356ee50f0b1a878e270614780ddf095 |
| SHA1 | b5c0915f023b2e4ed3e122322abc40c4437909af |
| SHA256 | 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104 |
| SHA512 | b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691 |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.ba\bg.png
| MD5 | 9eb0320dfbf2bd541e6a55c01ddc9f20 |
| SHA1 | eb282a66d29594346531b1ff886d455e1dcd6d99 |
| SHA256 | 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79 |
| SHA512 | 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
| MD5 | 987433e22c318ff3bfd596f6b7bb3d0d |
| SHA1 | 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e |
| SHA256 | ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73 |
| SHA512 | 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46 |
C:\ProgramData\Package Cache\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\state.rsm
| MD5 | a7b9c0008fa75505ae8ad8e99617ace5 |
| SHA1 | 6ef386c6a77d5390ca66032e4496e961659f6de1 |
| SHA256 | 4c20916775719bc406ce71856335123c21d03b6eb824ff6f8aa7b45a4be7767b |
| SHA512 | 9693033537e15ec8e9181366d44a6b38afee4bd8779c97a6fa22da7342d27a8ed7f5902e96f451ec26e88edaa68107c091fe4e1e5abdb1b28b2fa28a4d225209 |
C:\ProgramData\Package Cache\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\ExpressVPN_12.38.0.60.exe
| MD5 | 07c7857ac0338fdc449755eddac67c94 |
| SHA1 | db057f68b70c981978855a2b02d8a8a397c79b0a |
| SHA256 | efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a |
| SHA512 | 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\dotnet_runtime_6.0.5_win_x64.msi
| MD5 | abf5dbc0196845d9c906189aa70d07ec |
| SHA1 | 4a6879976ca9d64a151e1679d0b08d975883a7b2 |
| SHA256 | f8f96b0c0a444a391d1a5c02d217d530905c32895166251d16a1b5903b6815f1 |
| SHA512 | 035fffdf011e5d30b06ca3b78b37ceb90c1773b08244efc0ca8f7e8b7c4ef83b1b0c5273431e752d0f7dc83a49ccf5fbb733f8235825bf5b8ded32f7b51939e3 |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\dotnet_host_6.0.5_win_x64.msi
| MD5 | bdc10a6d27e4df71409c9cd8bc40d48c |
| SHA1 | 3cd9327008fc4bc8f76d9f8174bc6a1bbf4d7632 |
| SHA256 | ec6d27122faf6585fa4419284a95212102c54bbd7ee02bd56835a496039c70de |
| SHA512 | c60196e4f34efcaa62ac3bb750205b701d7434872fe9eb866a5d80ccab6cef879b35aab0d09c19d25cdbf2a3e19c23a4170a16033ad2fbd008dccc9a6530b1c9 |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\dotnet_hostfxr_6.0.5_win_x64.msi
| MD5 | eef7d4eaa530df3288c03b8e6463aaa3 |
| SHA1 | 4d94b0073d5afeb1642a2f0da5c178f5765857b3 |
| SHA256 | cbdda269bf97e5e990d909fc503149005e4cd70e68d565c0fd4fbed3222d7711 |
| SHA512 | 2be6dbc2c4d2a8d68653ffd8cb56196178c4ecea2f247a8d6f6cf3061917a43ff814ce48ab2939b475ae0d69df8fe41e0864ebaa282adcfb3e578ca0da10f823 |
C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\windowsdesktop_runtime_6.0.5_win_x64.msi
| MD5 | bf16e0cb45daf8f291ecfa351cb0c3c2 |
| SHA1 | 1491de942eec40921a35f35aa377c2f8f7332c5b |
| SHA256 | 0c3b15d1e680e29377a08ec0577d87d222dda47b84c955f4e834497b59041f9c |
| SHA512 | a69a495b265e6e16fbc4a06455a02baabe35c6ad4abf499ca99a4b5cc9dfe2bcf337b6a60d32bfb15eca03b4c08710a095111ec637b2fbef0279c26d9e9e9ae8 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_000_dotnet_runtime_6.0.5_win_x64.msi.log
| MD5 | 799c30f9d713ff1ebe873bba31493266 |
| SHA1 | b57d675b2f8bcc5db4f92fea0dcaac7a98122ec0 |
| SHA256 | b8f93452c624b9d8740b62da2e35aeec42be6715271458e6ba8bc80c2afcb470 |
| SHA512 | 741fae3cc99f2184992f6a33b3481316f9f2aa85bfc8c46cbc9863439f9f0cb7ce4ff957a0ffc88b4b3a7d9a93910b02a8801552d48f878026251aef6c476e87 |
C:\Windows\Installer\MSID14A.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSID14A.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\e57c1cc.msi
| MD5 | abf5dbc0196845d9c906189aa70d07ec |
| SHA1 | 4a6879976ca9d64a151e1679d0b08d975883a7b2 |
| SHA256 | f8f96b0c0a444a391d1a5c02d217d530905c32895166251d16a1b5903b6815f1 |
| SHA512 | 035fffdf011e5d30b06ca3b78b37ceb90c1773b08244efc0ca8f7e8b7c4ef83b1b0c5273431e752d0f7dc83a49ccf5fbb733f8235825bf5b8ded32f7b51939e3 |
C:\Config.Msi\e57c1cb.rbs
| MD5 | d9aaf6cab7e900b30e757e6c400028d2 |
| SHA1 | ea78608ca592b1fe81dba719db52eefc94a25f1b |
| SHA256 | 90ff25cc55f0435df505477856418316cecaf3ea31113126c79a7f3a290b9207 |
| SHA512 | 91178793795183c825676c92626e949c9f034c0a976ef53b456851d7825fff42dd3b1ab6ff2ac3a5471f62f5dbe477a1101d73d6f1e4d9a9a03b5a4efa51d0cf |
C:\Windows\Installer\MSIE58F.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSIE58F.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_001_dotnet_hostfxr_6.0.5_win_x64.msi.log
| MD5 | 1fadd77a2ca4963270247519b5158f88 |
| SHA1 | 38e825e6ccf30df1061aab086854a3b30c6850c4 |
| SHA256 | 9683ca9ce9765e960621c009cb652fa7048c530b7fcce6b1431ffda5acfef32c |
| SHA512 | d0b841df424d440d3229d51d79cce9a32953178330c4459ac34f7578351d63b3bfbfd21faff46bc67a8851694e942f47b9f6d72cdc63c8c1cb9458c27bf673e9 |
C:\Windows\Installer\MSIEAC1.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSIEAC1.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSIEAC1.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\e57c1cd.msi
| MD5 | eef7d4eaa530df3288c03b8e6463aaa3 |
| SHA1 | 4d94b0073d5afeb1642a2f0da5c178f5765857b3 |
| SHA256 | cbdda269bf97e5e990d909fc503149005e4cd70e68d565c0fd4fbed3222d7711 |
| SHA512 | 2be6dbc2c4d2a8d68653ffd8cb56196178c4ecea2f247a8d6f6cf3061917a43ff814ce48ab2939b475ae0d69df8fe41e0864ebaa282adcfb3e578ca0da10f823 |
C:\Config.Msi\e57c1cf.rbs
| MD5 | 0bf78a80939d2bfeb4339877983b38e4 |
| SHA1 | 656b2b3dc36e2ff7fff7c05dbfa67b6c3399045b |
| SHA256 | 1b0a8e15900112c793a546c25fa8fa0285b345d7e38a76408ab099dc9b64349a |
| SHA512 | 6c3b2b3a818399a16da7ef89323dad1a55631023f8f475f101dfe7c5de3c71666bd94223ffa7664f38f10e657ee78c13bea9bad96882cee2bfafdec64ecc370a |
C:\Windows\Installer\MSIF022.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSIF022.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_002_dotnet_host_6.0.5_win_x64.msi.log
| MD5 | 566e642b2c1da27682e9e8d53182365d |
| SHA1 | 35c826cf30cc070ee93cf221c96d5d6febe13b01 |
| SHA256 | 206c3748ffaa447ba96ec015d7c602eb850602400c506e3dc239316baa62a401 |
| SHA512 | 59159982801787907dd3d3c85e19b1a60854fa9315996c85845cca3d0cc03e208d177451032ee832902cdc670ae619a1ed54db7b3d9be17cccfda452711223d6 |
C:\Windows\Installer\MSIF311.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSIF311.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Program Files\dotnet\ThirdPartyNotices.txt
| MD5 | f77a4aecfaf4640d801eb6dcdfddc478 |
| SHA1 | 7424710f255f6205ef559e4d7e281a3b701183bb |
| SHA256 | d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7 |
| SHA512 | 1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b |
C:\Program Files\dotnet\LICENSE.txt
| MD5 | 31c5a77b3c57c8c2e82b9541b00bcd5a |
| SHA1 | 153d4bc14e3a2c1485006f1752e797ca8684d06d |
| SHA256 | 7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d |
| SHA512 | ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6 |
C:\Config.Msi\e57c1d3.rbs
| MD5 | fa9d17795f93418e17b45dd493b3b055 |
| SHA1 | 6244f0c9b5b5b4f28acb76e2c7731e117e70dda1 |
| SHA256 | 923189e8d305241f5e4eb9f32e5614f7f131cdff196f8e7529a2663bd03260b9 |
| SHA512 | f0ddb9c76443c101557babe2895b05f3edc9b48abc15df4a2a7bcb4e8b5908f5b198a77f85f69899eb4f409687f932cbae72eac713041969bf614ca091d04271 |
C:\Windows\Installer\MSIF7E5.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSIF7E5.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_003_windowsdesktop_runtime_6.0.5_win_x64.msi.log
| MD5 | ce84f7ed90e6913d8f684936a3620a5b |
| SHA1 | de121bbe38206577b6cd7641ded88ab31c6e57af |
| SHA256 | 5a17522a2be6bd36279ac2f181920f12049e8d4647ee62675f27e5d3606179ef |
| SHA512 | bb62f77061838f4fc76a13597dcae7b7ea50b367f79a881bf8895dd9432cde296f6b0b367420cb844a0bebf5aab501b61f573359ec7f8fa4a174299db6736261 |
C:\Windows\Installer\MSIFCC8.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSIFCC8.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\e57c1d8.msi
| MD5 | bf16e0cb45daf8f291ecfa351cb0c3c2 |
| SHA1 | 1491de942eec40921a35f35aa377c2f8f7332c5b |
| SHA256 | 0c3b15d1e680e29377a08ec0577d87d222dda47b84c955f4e834497b59041f9c |
| SHA512 | a69a495b265e6e16fbc4a06455a02baabe35c6ad4abf499ca99a4b5cc9dfe2bcf337b6a60d32bfb15eca03b4c08710a095111ec637b2fbef0279c26d9e9e9ae8 |
C:\Config.Msi\e57c1d7.rbs
| MD5 | 88125d178117ab0a806439db5d0b21fa |
| SHA1 | fb6fda3a78fa84102e8752299adacfd89dc88829 |
| SHA256 | 76054e1451b91fedcbc2b5d3f25b6f1ecc9829ed23f3bce6a6a4c5da6ce019f3 |
| SHA512 | f1c0d154a09a4547acb66c83a95ac0cce0d9317d89d359a6a5eb38f8e45b0f6e2017c8ae45f09ef3e816ffa5d08edf1611698721d6e0e8f64bc2a2b2119c245e |
C:\Windows\Installer\MSI10A0.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSI10A0.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Windows\Installer\MSI1F09.tmp-\Newtonsoft.Json.dll
| MD5 | 6815034209687816d8cf401877ec8133 |
| SHA1 | 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10 |
| SHA256 | 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814 |
| SHA512 | 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721 |
memory/2248-1160-0x0000000005690000-0x00000000056BE000-memory.dmp
memory/2248-1162-0x00000000056E0000-0x00000000056F6000-memory.dmp
memory/2248-1164-0x0000000003330000-0x0000000003338000-memory.dmp
memory/2248-1166-0x0000000005700000-0x0000000005718000-memory.dmp
memory/2248-1169-0x0000000005740000-0x0000000005754000-memory.dmp
memory/2248-1171-0x0000000005810000-0x0000000005880000-memory.dmp
memory/2248-1173-0x00000000057A0000-0x00000000057C0000-memory.dmp
memory/2248-1175-0x0000000005770000-0x000000000577A000-memory.dmp
memory/2248-1177-0x00000000057D0000-0x00000000057DC000-memory.dmp
C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll
| MD5 | 405bf969e7e50ef47422e54fa33605c8 |
| SHA1 | 4f3c5c8803212719ee74c60813b9ae08604684b3 |
| SHA256 | 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1 |
| SHA512 | d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a |
C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
C:\Windows\Installer\MSI1F09.tmp-\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
memory/2248-1262-0x0000000003220000-0x0000000003230000-memory.dmp
memory/2248-1263-0x0000000003220000-0x0000000003230000-memory.dmp
memory/2248-1264-0x0000000003220000-0x0000000003230000-memory.dmp
memory/2248-1265-0x0000000003220000-0x0000000003230000-memory.dmp
C:\Windows\Installer\MSI3832.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 1a5caea6734fdd07caa514c3f3fb75da |
| SHA1 | f070ac0d91bd337d7952abd1ddf19a737b94510c |
| SHA256 | cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca |
| SHA512 | a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1 |
C:\Windows\Installer\MSI3832.tmp-\CustomAction.config
| MD5 | c9c40af1656f8531eaa647caceb1e436 |
| SHA1 | 907837497508de13d5a7e60697fc9d050e327e19 |
| SHA256 | 1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8 |
| SHA512 | 0f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7 |
C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Client.Setup.CustomActions.dll
| MD5 | 3e40e18013bbb899607891f3234a8446 |
| SHA1 | 0cc000b1a1d41cd46ab393b2ebf928939b6477ba |
| SHA256 | d04a426349d56dda212e907cdd3799d402cd7d7e46f5fc051fa14c7802ee7fc6 |
| SHA512 | ec20c499b3475805b2ce3da8658d96899f3d35ff4544cb961350e6b06ee252f244b567dc11ccd73e9ebf7075735237063d94a34333457312bc3ed418d9e7e04d |
C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Client.Setup.Shared.dll
| MD5 | 9c69b9327a9cb3f9c814bebb625c55c2 |
| SHA1 | 3f0c9af7f54af5d09f91e06005351c6e143c83a9 |
| SHA256 | 491737b9d171ede500938a3985d438f3018ca98c84f8ace03e75c2f63b05a2e0 |
| SHA512 | f7ba8808d87d22ef9ca130b56c32846df0c947d0e41347ad93fe7c06cd1ac8769721f8cc3477893f41c4491cd32bb44a91550da035f190f02e5dd58d04e8527b |
C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Common.Logging.dll
| MD5 | 4c0619b0ea8d374bf199e507af60823c |
| SHA1 | 6472e515499ec9fa0ee43e1e9006ae1dcc8dc111 |
| SHA256 | a19a22cdab7b32c45ae226fa66bb9e6ab70e27e1b63ed4839a94f213d141dcfe |
| SHA512 | 9a093e0f304a320589c7755d48813d4303a10358c9d753a75ab98c7ffafe140483bfb9e54b2f764bbbe068fdcdf2ed87b3a4d14f13ab09844e347ea0f4cfcc85 |
C:\Windows\Installer\MSI3832.tmp-\ExpressVPN.Common.Shared.dll
| MD5 | e13ebbf5e06bba7267eb1f14dc027ae0 |
| SHA1 | bedade1d1b7f6217d7127549c0a7a2dac416a0fc |
| SHA256 | 0587fe0fde62220324b26426c00e7ffd895e8b17b768d79710f934bfb559a065 |
| SHA512 | 7c47952f6672cf6319e29bfa928a12d56de87f0a7a25958e479ea43add25e39c8472db3c56c2fc7cc9cb9dd83de4b7243d5a6b0013e3f79771fb7660901ce726 |
C:\Windows\Installer\MSI3832.tmp-\WixSharp.dll
| MD5 | dd1aaef9d73a034f25c660c892cc3492 |
| SHA1 | cee6f7bc28721daa7c63e182baf18b353f981021 |
| SHA256 | 08650aee86ff2e3e31b7d1e5239d61a668f1efb56e0bee43f824217b4360d01a |
| SHA512 | b095fb787f243baee30713428adfba1b98b6e58b94f10acebe03318786e46e6da12c183474b014e7b97bc4720ae4e24f71e39573cf7827f9ad7d5f949389fa6f |
C:\Windows\Installer\MSI3832.tmp-\ExpressVPN.Utils.dll
| MD5 | 4fe7e636837b93970abc6f0de3531c40 |
| SHA1 | 1874886c7c25bc3f3b5250bc892b0d024d7b874b |
| SHA256 | 7406b12169d3a9e496c64df21635e99189a632e4d43b7bc28193699e0f8fa3ab |
| SHA512 | 29e1cd8a6f762a35928535c30ef20c394e59d2280ecfe93e0d2f0aa728e5bfff59496e5e6bc5d170fb3798faa71498e55a61a1ceeea594496d7afb2e37d1ab76 |
C:\Windows\Installer\MSI3832.tmp-\ExpressVPN.Client.Installer.dll
| MD5 | e79df256636d80c69810b873d9efcfe8 |
| SHA1 | 3e586438fbb0b2ae743665b14436b4cc1a9f657b |
| SHA256 | fb3b97b9683ade2d0cc9bc74933748b74032ea2c265b37fe060bbc1280d096e2 |
| SHA512 | fb47cfad24d6a965990cb672db9840aa43ecabde4112a7ff2049095bf11b8bf74404bcb82dd49b8d9ee9d4f418345948e943aa722fe025f1a5cb473bdae96347 |
C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Utils.Wmi.dll
| MD5 | 316786e333501cbb1b9d7a2799e4d4af |
| SHA1 | 53884c1dbfb5ec819aa8d0242205e026ecc73bf5 |
| SHA256 | bd837011f2b402833653bf4c2e4ef065426316672c09d6764686bd798b3a22d6 |
| SHA512 | 562a0e9ce21c0a6333569207f8fcbc8b4f79872ed17a5d9a40a05ed6b9ccee33ae0df82d96a4e58f2bb39a97a5e945dddceb9726419616ebff0fa52ec38c3028 |
memory/2308-1563-0x0000000004AB0000-0x0000000004B26000-memory.dmp
memory/2308-1564-0x0000000004B60000-0x0000000004B7E000-memory.dmp
memory/2308-1565-0x0000000004800000-0x0000000004810000-memory.dmp
memory/2308-1566-0x0000000004800000-0x0000000004810000-memory.dmp
memory/2308-1567-0x0000000004800000-0x0000000004810000-memory.dmp
memory/2308-1568-0x0000000004800000-0x0000000004810000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN.lnk~RFe583f85.TMP
| MD5 | f2bc7ea15ae0b3bab82df0d686599bc5 |
| SHA1 | c9ab67881a04d400138d8c681cf1e87c52b985a5 |
| SHA256 | d81054a42a6a22b9b1040a4fde1459d51b506d0f966f0fb3389576b4eb6b0b1a |
| SHA512 | 266ea8e86a0dcdf73ddbcf98905c7179dbe49fa2b99c3a3bebae26b1ca9542559df7f419d939d569f3564513da2d756993b25e8d710d05d21466970fdbf8807b |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN.lnk
| MD5 | 1fb361d1c8fe4a2f3335b32bf56f1365 |
| SHA1 | 24df1e108e922b9a58ebfe614d8b0f185b74404b |
| SHA256 | 329b3458a8c7f5a583e2d958993c347079ee81a2a518b7ec0b620b809974b5b5 |
| SHA512 | 371e8e878f224135caf46027147c54feafe3c9bef5369a7846a8fcfce881aa188671097107d624b9b0df9874eb784d994a6147aa5f85bd3cec7de13c6484efdc |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN.lnk
| MD5 | 9494b09a88b7082caa27e191e9b743d5 |
| SHA1 | 8190712c0f9a2d99fd6ffd73c7b583b87134a6e9 |
| SHA256 | 19d88c2ec3b3fd9c5c340e8d964dfaf095b8686a64ad91357a6815c1a2d19730 |
| SHA512 | 2982b1050c555ad80f7409f6c030ce6f3bde036e4c0b76df41afdbb8b36120d9f468a1a1690b9e8154a6e963930b6d9bd7a61a3e57f595ebf96dde0043695338 |
C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe
| MD5 | 85ad9f4cfba5a47f8714fd63887605ab |
| SHA1 | 79e52d574f81a57168fc1dcc25fd3b2e5c361603 |
| SHA256 | e85912b9f6d1434726264cef08db208b92265d2b6fddf42234bc345a9684bf11 |
| SHA512 | 1272401153dadb496d850901bde2f96f677a1591b568ca37476b362611621c45ad437b891a3c7e98b9cd99081e32fdb027512ef2b5e9391e36aa728ab708c1bd |
C:\Windows\Installer\MSI40ED.tmp
| MD5 | 9d0ee5a255b92fd11c36979ecb3aca67 |
| SHA1 | 2021cdb47d5743ce84991004c3891f53173ebd59 |
| SHA256 | ec23d81a8e3139d572150e582fb7191b7db3a338f507301ed94cfad8ebc30206 |
| SHA512 | 925208e9202f3003cfd81de194d170ce9cd539a6163a35f169cbd41ad7c478c444885c7574a5516a282e16485a413d6938f59ba710d230340b746bd67f13f088 |
C:\Windows\Installer\MSI40ED.tmp-\BootstrapperCore.dll
| MD5 | b0d10a2a622a322788780e7a3cbb85f3 |
| SHA1 | 04d90b16fa7b47a545c1133d5c0ca9e490f54633 |
| SHA256 | f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426 |
| SHA512 | 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f |
C:\Windows\Installer\MSI40ED.tmp-\Grpc.Core.Api.dll
| MD5 | 33e82bfceee2a76c34edee46091bafc8 |
| SHA1 | 55c8e27e8efa1e08e87f96424c574ec581335910 |
| SHA256 | 1e6db7069217797180cf7664e555994a9993db0155c9761be8012860bb82f8a2 |
| SHA512 | 2818f76c324cfa556c5c9b68cba712c57d12da2f1bf6cf6defd314c0a5dbe4f504e20c04deaf9b69be6a56b01f47fe341ffbca2a431df9a71b28d38c9e1ec6bc |
C:\Windows\Installer\MSI40ED.tmp-\Google.Protobuf.dll
| MD5 | 25647dfce0e91490e97f8c6366b2632a |
| SHA1 | 8b812d8418143e0e8bc782e6687583dee13710bd |
| SHA256 | da005e408ac85c4fafae30aa79ab7c18ddfa9fb5b23cd7fb2228a88413388c54 |
| SHA512 | 5c0947cceb867f765ef4e77a73c2e2cea11f80ed83cdd43f3f5816ac2c27403fa74ea6a7edd648061d14d3e480d0f5e8271b754688d8da62e8653ae7581bb910 |
C:\Windows\Installer\MSI40ED.tmp-\Grpc.Core.dll
| MD5 | 832a45191b8711adc888d8d45b26f0f8 |
| SHA1 | a90d87c10f3e5ed48a80f8e1cf0e883a07830c8d |
| SHA256 | 873b7debc4411c2707b48de1454d2ff437d9d56d44ad603c6487a8fb69b4413c |
| SHA512 | 94fe9bad110671a1bd965f4847609ed20955f082f96c049b1679634fbc878b189edaf952914137316a3a7ee65996df020ed2c65dcce0b7ba55db853f48132ef4 |
C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.Primitives.dll
| MD5 | d833ddcb52e5c6d6da71bae25395a911 |
| SHA1 | 17ce025ad7a0175c467f5a7108ca81a813e4ac21 |
| SHA256 | 76152e774b2bd9c5a0d301e92e253d8bf55fa90e191d0155dfd86b2b84766ae8 |
| SHA512 | fd963a9fa5bdd10a1c54ce8fcba862b59786280ca5d668fa041b30b80d7fa2b84230d33b1c0541423534c764e7432213039d5f586d0427d542c0faf703081a79 |
C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.Options.dll
| MD5 | 3ddea0033ead23660b51921146dda017 |
| SHA1 | 5708c44aa5326da0a69072a9b0e48715112a4bdd |
| SHA256 | c4673c6000602e76844bad63feecbe42d88fc72639b1fd64d2acde48955be970 |
| SHA512 | d57e25a2412f2685770e3fd1d6650ee433ed28d337221941841eb9589dbf3868a27efb0d488f960f75785e60357cd2914b0eece1da62aa9ffe77219340c03576 |
C:\Windows\Installer\MSI40ED.tmp-\System.Buffers.dll
| MD5 | ecdfe8ede869d2ccc6bf99981ea96400 |
| SHA1 | 2f410a0396bc148ed533ad49b6415fb58dd4d641 |
| SHA256 | accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb |
| SHA512 | 5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741 |
C:\Windows\Installer\MSI40ED.tmp-\System.Collections.Immutable.dll
| MD5 | c598080fa777d6e63dfd0370e97ec8f3 |
| SHA1 | 9d1236dcfb3caa07278a6d4ec751798d67d73cc2 |
| SHA256 | 646d3b52a4898078f46534727bdb06ff23b72523441458b9f49ecc315bf3ef5c |
| SHA512 | 8a5b4afb4363732008c97d53f13ee430401e4a17677af37123da035f15f9e9409a2aeb74ae238379291fd5de07c3cd4e3de2778da5edf83a42649fa5b281cb32 |
C:\Windows\Installer\MSI40ED.tmp-\System.Reactive.Interfaces.dll
| MD5 | 0a471405a43ace8273b6e266f819901f |
| SHA1 | bb7c4d3930358fa574136248cc1da6c9bcf5f192 |
| SHA256 | c86b4625d3a35b6f600d8f0d129b82eb73928e5d4f9df1a028e527aac86ee4e4 |
| SHA512 | 27da5c7d98cac39525b845f40f128cbbdec6a693c1f20be689a1bc2ec0a2fa33a1a82605dad06e410371cf069304663bd6bf1c4a5864d99921e0584243b33997 |
C:\Windows\Installer\MSI40ED.tmp-\System.Reactive.Core.dll
| MD5 | f20967beae947a5d54156b5cb40d0c04 |
| SHA1 | c5ea57f70835e22cbaf08ac5262716de3de16f2b |
| SHA256 | ac464ea84539c60cbdb498dd787f6fb90b2f11067a5acc9e1ed4f8f62cb7bc7a |
| SHA512 | 7f1fd97ac58bfe5194e348a141595bb261870bed0cdab0e491aec40da7a930d2d821457aa2e44c80da276bbce98dd3a08e344de3539037367977815055a79435 |
C:\Windows\Installer\MSI40ED.tmp-\System.Text.Encodings.Web.dll
| MD5 | e8cdacfd2ef2f4b3d1a8e6d59b6e3027 |
| SHA1 | 9a85d938d8430a73255a65ea002a7709c81a4cf3 |
| SHA256 | edf13ebf2d45152e26a16b947cd953aeb7a42602fa48e53fd7673934e5acea30 |
| SHA512 | ee1005270305b614236d68e427263b4b4528ad3842057670fad061867286815577ec7d3ed8176e6683d723f9f592abcbf28d24935ce8a34571ab7f1720e2ffc5 |
C:\Windows\Installer\MSI40ED.tmp-\System.ValueTuple.dll
| MD5 | 23ee4302e85013a1eb4324c414d561d5 |
| SHA1 | d1664731719e85aad7a2273685d77feb0204ec98 |
| SHA256 | e905d102585b22c6df04f219af5cbdbfa7bc165979e9788b62df6dcc165e10f4 |
| SHA512 | 6b223ce7f580a40a8864a762e3d5cccf1d34a554847787551e8a5d4d05d7f7a5f116f2de8a1c793f327a64d23570228c6e3648a541dd52f93d58f8f243591e32 |
C:\Windows\Installer\MSI40ED.tmp-\System.Text.Json.dll
| MD5 | 38470ca21414a8827c24d8fe0438e84b |
| SHA1 | 1c394a150c5693c69f85403f201caa501594b7ab |
| SHA256 | 2c7435257690ac95dc03b45a236005124097f08519adf3134b1d1ece4190e64c |
| SHA512 | 079f7320cc2f3b97a5733725d3b13dff17b595465159daabca5a166d39777100e5a2d9af2a75989dfabdb2f29eac0710e16c3bb2660621344b7a63c5dbb87ef8 |
C:\Windows\Installer\MSI40ED.tmp-\System.Reflection.Metadata.dll
| MD5 | c4ea65bd802f1ccd3ea2ad1841fd85c2 |
| SHA1 | 2364d6dd5dd3b566e06e6b1dc960533d2b3017b7 |
| SHA256 | 46451e1168dd11d450aa9b6119f17cec9a70928a40ac3c752abf61ce809cba6f |
| SHA512 | fc4c18ea6a6f38d8c4b4f2e02d3d077cc729b531ca08cf9602c65e22aadc0be770e441660cc980cbfed3b27bd783e65f793838532673e2845276390b4b22d730 |
C:\Windows\Installer\MSI40ED.tmp-\System.Reactive.Linq.dll
| MD5 | 317dce13b2316abee548a2b013f26471 |
| SHA1 | 3123573b2291a0f01badb10b149f741bcb9eb0f7 |
| SHA256 | 21fad2983b4b2f95049e975c9f26a77bfe9281d8ed18e380c9017fc82137a1d9 |
| SHA512 | 3444f813632f5f397b5c27e0314479a404b7ade058a5e6c540331fa4fd5fa798ba7352b1bf58d6f977e5e61912ed9620a1ec1350901d0b00fad2ace3eaeb6163 |
C:\Windows\Installer\MSI40ED.tmp-\System.Numerics.Vectors.dll
| MD5 | aaa2cbf14e06e9d3586d8a4ed455db33 |
| SHA1 | 3d216458740ad5cb05bc5f7c3491cde44a1e5df0 |
| SHA256 | 1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183 |
| SHA512 | 0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8 |
C:\Windows\Installer\MSI40ED.tmp-\System.Memory.dll
| MD5 | 6fb95a357a3f7e88ade5c1629e2801f8 |
| SHA1 | 19bf79600b716523b5317b9a7b68760ae5d55741 |
| SHA256 | 8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7 |
| SHA512 | 293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0 |
memory/4396-1759-0x0000000002F40000-0x0000000002F50000-memory.dmp
memory/4396-1762-0x0000000002F40000-0x0000000002F50000-memory.dmp
memory/4396-1764-0x0000000002F40000-0x0000000002F50000-memory.dmp
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll
| MD5 | baa7644ed2f322d1d2c953220987c4a9 |
| SHA1 | 3860c3d54413837fd23e9a7081c15d27ab2ed4f0 |
| SHA256 | 5da295c08aba9257c8f27a39a3d21e0ee82c4e55c098794688305c270b4983b6 |
| SHA512 | 034cb63f8a8ccf99d2cb182c72e7e5ad67cd23baaca376dff3444c13e9c0bb78e1e5643ed82999130e9398fbd643cd86a875249401a49438b7d7976329d2ac74 |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.Binder.dll
| MD5 | b825099a89c81fe4127ee2628596d5d1 |
| SHA1 | 8e69faa62f82dd042a51a345eea19b959442e985 |
| SHA256 | f2f6d158380c32a50bdb827b4d63f97c364f221813641daf74c257034484b507 |
| SHA512 | 5c8dd2275702daa09bee2a8dac563d1292eef6735cd0a3a250f633afb3ac7823769435c4a29796b0b3522d72312497bac86b5ca71cbba2fbe31ce9cc24557068 |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.FileExtensions.dll
| MD5 | 8be2c97bbbe81795e3042602a21965e6 |
| SHA1 | cf89501075ac6713c091ca773dad2ba946b7c6ea |
| SHA256 | 385ec618612990af5b4d8ec6edffb13fbb5ff5a03e7786033b42ea061ee3976e |
| SHA512 | d89a13ac0e3639acbb26f43739cd7a01ddb07fb03d7e0db5940dd28624d76014ba5e420b45f2d35b1acf0d9b3117a06f41f56109066fc95e9bb438d7516afc04 |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.dll
| MD5 | 4ae4c4004b28a9c7286ce1b4f2bbf415 |
| SHA1 | 423c11f0e71b51378f39eb275093aa223c49f848 |
| SHA256 | d5f7cd54e4aa3b02bd445bd5b8ff4786cb6463ec976cbfe820fced5e272ec572 |
| SHA512 | 7bf95813a0c66425dcf3e4d7e0078f72e97a3df9baff9cc525f2292f5cdbbe1cb52fd674089d1be15516770f214b9e7bc937de314eb9042441bf0ef1be28b044 |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.FileProviders.Physical.dll
| MD5 | 4e153e7492eae30cd0aa49a3140c1ebe |
| SHA1 | 55c123a2f3d1c7e24c4ed5edc54043cd9c37810a |
| SHA256 | 6bda4bddedfbb9023a5330dc1fd528e851cf2c869e53f3248e704927cec107cc |
| SHA512 | ba25bbbba4c3e454f4ec064195f5f5e9d0cc4c217b9b4ee538fd31d138224a12c58c0b97c588ea4ea482b2303b0afa04125c30bed102b7c5f2aa645d8e7c03bf |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.FileProviders.Abstractions.dll
| MD5 | 9b981dcb9329e9043987eb2c24371714 |
| SHA1 | c3c45b42a67525cbf8596cf6ef9a56d103bb70f9 |
| SHA256 | 0706cedcd984a2478f10a9e57bb06e81bae2e0a1271507b26e91fb8f8c3413fe |
| SHA512 | 566bf7d258d3306742c3c585d04d19b338a8e1224e29ec7af35770e6827bf597a613775223cf93aa9afcb4ea3da0ca53b99493d9b3c6684da815907c8629b03e |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.Json.dll
| MD5 | ae4d8069218e6a793e4cb461e09d4d9e |
| SHA1 | cba0b162d94d80def76020a36c855543e8787ef9 |
| SHA256 | dfa8ce0bbd09c898957dc08ca9d3e1db2e87edd5d940c78f6b0becc6243d9d9e |
| SHA512 | 6c838cbba6623ec3f9168f79f27ba651073a96cda48cdce244883caba27004ac72f76c77f5012f0b044877fd3d90c1b9425465fc1782f0b5dc37d33c9f124e3e |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Http.dll
| MD5 | 4186e9c7d8c571c4620b5e6ea312539c |
| SHA1 | 6ffccc5331e561dc09c80acbb448f14500aef8c8 |
| SHA256 | 8736296948e3d51c58303a328000f9d6d83160084d2d375e71914c55e6aaa644 |
| SHA512 | 707942962d1ed4865796eb1432418ecbf4c948c82cb5e5536b5320765427d0028024510904197cfa08dd110bd09887916f208ac35c25e715f5c6d7827ea1a8ce |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll
| MD5 | 25f286646b702aea416ea09b4d1d5dab |
| SHA1 | 63762d40b3d8bd7e2f7d8f6fb1186cbfa4b4f0a3 |
| SHA256 | 89595fabd8b150813d0d2e8993f19aa2e2cab3b3be22e1173c8179b51b37dccd |
| SHA512 | 019c432de3f3bee3be6ef0a88b5a4966e1b6af7fe2ef6b19016248554f11acbf0ced306582930c3dad781ad308b9b98a27b2889f67f2323f9747033aff9a7617 |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Logging.dll
| MD5 | 73eab96c0898a78a61d89782ef6fab83 |
| SHA1 | 07541eed457b5977890c13622d4fc4cabebc67fb |
| SHA256 | c4b2b98c21b24b88640bc0be5dcd335d82df129dcaa0dcc778d91a759a037524 |
| SHA512 | 90e8b699f451667d18762cbeb0f050f5462e97186b2b495b5de737ae565a7e1667c0ae5d89442ad93c08f2b5db5459b7febb63b1667466e13908f24cf1e3c075 |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Logging.Configuration.dll
| MD5 | 89edab075ca0d2e8eee86dbd664ba609 |
| SHA1 | 651ca53b439982ae4583722e650570c9e6d78561 |
| SHA256 | 5ca00fffda7e3af0b67c0f9c0c572acaee4a0a50c1b9c38d3be19cb5a358890a |
| SHA512 | fc28c7b66fc2e9b750058c0e1b8e5bca118212cb1cc2a91c9701514f319d63c38ffe95682ed3bdb892d58c97d35c22a12d2db22e3ee283fc3066c67b5908b222 |
C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.FileSystemGlobbing.dll
| MD5 | f8dc23b883576fb84eccd1b7b56490d3 |
| SHA1 | c447b48529380954c878f1d933a10ef1bc402bb6 |
| SHA256 | 1acb904f6eee86f33b507a7e7cf8f2112d34d1b34daf1532df4d800795d328bc |
| SHA512 | 2604147c8a3664e2abeeafe9503cbed07866c763581c7587f59f8472718995c7d17782385826d70ab515a73bf4efc57e91ec5738d09363689305592c38fdb6db |
C:\Windows\Installer\MSI463E.tmp-\System.Diagnostics.DiagnosticSource.dll
| MD5 | ccb6a65fa77074cdb0cb00478a89aecc |
| SHA1 | be6e62302419bfcd9fd9842a9084e64367580970 |
| SHA256 | 599a79d25958eae655ddae7337477d16ebc4f013b6896bbd60719c85b37db88c |
| SHA512 | 0495c13ced63266fe1adbabc0e2c86e7d6ce1b1dc3065f42a40607239ae88c92c39eba07a02dc0c68e200883b65a8541fd7b5c3dea58cb4c6d494dee0946d605 |
C:\Windows\Installer\MSI463E.tmp-\System.IO.FileSystem.AccessControl.dll
| MD5 | 3409c581f0c5083f0c2a93a7a5ac9790 |
| SHA1 | 18ea7bd41d31247148abf184527c9368a26f39e7 |
| SHA256 | e6026501ad4056ff2f1655b0afdfe8923bc6e8fbad67e1e9ef56e3002f49fbb9 |
| SHA512 | ae877c6fddad0e4133274e6372d783eaa4dd6bdcbbf40ab66302fb89bd2f76b215130001186b5c9a135abd16336c5bfd4d414177704d7d359539da91918e82ed |
C:\Windows\Installer\MSI463E.tmp-\System.Runtime.CompilerServices.Unsafe.dll
| MD5 | c610e828b54001574d86dd2ed730e392 |
| SHA1 | 180a7baafbc820a838bbaca434032d9d33cceebe |
| SHA256 | 37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf |
| SHA512 | 441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396 |
C:\Windows\Installer\MSI463E.tmp-\System.Security.AccessControl.dll
| MD5 | 996aab294e1d369b148d732e5ec0dfdc |
| SHA1 | 28465fd34680a082506f160107f350b46140a1aa |
| SHA256 | 1fda491eebdb19ea0a83cf6c16ab5dd004a1bfdfc845ede017ebe0945beb927f |
| SHA512 | 5e6b172d2de5928915b38ec80c7b76f42430aac959f04aa3521c63495b6f3c4f82df139c275e9fc5024b1a0a4f307daade6130b6028779f98f456282ae8b61cd |
C:\Windows\Installer\MSI463E.tmp-\System.Security.Principal.Windows.dll
| MD5 | be2962225b441cc23575456f32a9cf6a |
| SHA1 | 9a5be1fcf410fe5934d720329d36a2377e83747e |
| SHA256 | b4d8e15adc235d0e858e39b5133e5d00a4baa8c94f4f39e3b5e791b0f9c0c806 |
| SHA512 | 3f7692e94419bffe3465d54c0e25c207330cd1368fcdfad71dbeed1ee842474b5abcb03dba5bc124bd10033263f22dc9f462f12c20f866aebc5c91eb151af2e6 |
memory/5064-2025-0x0000000004A60000-0x0000000004A70000-memory.dmp
memory/5064-2026-0x0000000004A60000-0x0000000004A70000-memory.dmp
memory/5064-2028-0x0000000004A60000-0x0000000004A70000-memory.dmp
C:\Windows\Installer\MSI499A.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb
| MD5 | d47b237172f53537265eae8e3519606f |
| SHA1 | 11a8cb9f6f74968b8098e2715f695a7b7bf53554 |
| SHA256 | 53788ab62cfd07a5f3116e20181c1292a6ff2ceef724bf41cef89b35a10d481e |
| SHA512 | fc8079c00f119a0368aa364bf94558877f7ff21f54c0ce75fb088efc2c6a4ba2e83f4846c2f13dc129cb01e353a731a08813ae49b396f5f368d36814a84ff24b |
C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.ClientSdk.dll
| MD5 | b79e7de7c6642e6d6ce8e2b37b921c2c |
| SHA1 | 59eea6cc0dd51fb08d68cb668e81f75946b343d1 |
| SHA256 | 15e9c3d9f8efbcdc5f18d5c77ac81fda944b38afcca559d8e21b3346b42afa27 |
| SHA512 | 1a54d162b342e3cee2a3b2c8a856e99276df5ece4e4cc48b6f306c1e653554a5430d3f9b3dbe03bc589fe0d9aee12c9a9fedd135172d825f917f1cf478ea1910 |
C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.EventSource.dll
| MD5 | 88e4c62a290c1b92a5db9dfaea8b27a2 |
| SHA1 | 40924ee10f8fc47a4b0e155f94ae63d84c38be09 |
| SHA256 | 62d279ad27aba29a8dc9e8d74ceb509e11bf88fa8f3d2d10f8a7d0d581f85754 |
| SHA512 | 69c838ea49bde60c7ea6b56a597a86a14654dc2262f515ec82f5362ae157f4395a0ce4d72d8150ac2c43031f8e1a4d55b6427cdf07091cd838489406dc95bbc5 |
C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.CommonSdk.dll
| MD5 | bddf7315bf45d28f31ddfeba750eae17 |
| SHA1 | 4dd5532e09df3e134105e41cb78b5534de314e6b |
| SHA256 | 0afa90a013560bffa6f335f5565e4947b7ddc8056c31e08d13a771d036748099 |
| SHA512 | 56939801584e59266a36c4caf32329835cbbca618c5b0ca81709de1d67aa968ab5ac6b993695593b6480ea1a76c24155055825e6ae6e8741f08bac0397b276c5 |
C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.InternalSdk.dll
| MD5 | 37f3ffd5ec2276e591cb3e47e6fbd2be |
| SHA1 | 75cab5c4c5fbe168f0030af5836d267ca5ca67d3 |
| SHA256 | 12a8f93a53951d7adc792753839064d79a4338475327f49d61372761ef0b0959 |
| SHA512 | 9f36711a94e821bd2eb0d9ab3e7c296f5ab28f492016748849384170c8b4ba3264a84e14ee860ab574a1e784d10235709c197859907475370e245377542c0999 |
C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.JsonStream.dll
| MD5 | a6364c20196dea022227564b830ca058 |
| SHA1 | 560bc6572892014b5cf43dd91cb10d2f3c39de92 |
| SHA256 | 7c49cdc1202e3691fc2848546e267136cfb597b7f50533a1b2c7e8c755389f65 |
| SHA512 | 9ab37ae34c020e0cc4a9f2f542e9a11f033911578ff730139c73687f2efa96a7899e2aac68e1ccf4fbf6dea4ea8e29cea19fda607f38c54978b371633afd0b29 |
C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.Logging.dll
| MD5 | 5c0c31190f09f6da14d16a9f1c01378a |
| SHA1 | 8cbe5d3a83b91d55b5bd511fa24904b48002eb57 |
| SHA256 | d8c514832108b4defc03968c375e4b263b0ef0fffdbb85d30d3522c07fc6372c |
| SHA512 | a65d490717d09feff5894cee7fbb00a8d88bae3601b89f2dc45c73eb3fd85ba02b80ff73686dc8bf5f854675b7569c2eaaa4aa87047e4898c6a2003cc306c327 |
C:\Windows\Installer\MSI499A.tmp-\ManagedWifi.dll
| MD5 | b4130361f0edba34394a59f5d434ac88 |
| SHA1 | 58061bb6dcb6f4bcc9d341730923207645184169 |
| SHA256 | 3ffbc36eedbf1222c2b4034530ee258b654e7e7f2c23900b83c01454e0a4f80f |
| SHA512 | c95a60d8701699d8ac5fc0431ea8402c11b31599927c83cd41c7e7076111702eb904f638f4b4f37749bbdf801b8b62bb876c95211d18dcbf5c8af75bb4f81a57 |
C:\Windows\Installer\MSI499A.tmp-\log4net.dll
| MD5 | 8594e528cbd4b9b81cdf98ad39a7f7da |
| SHA1 | 51c67d26bbc287ce39c892eff1a6178dbc2c1219 |
| SHA256 | e6b5667056e67787e77a10be1ba134f46c1af8d4977148aa7829c9222fea80de |
| SHA512 | eb6685ad13dbce6049fb38e15f17854a8fd5bf797d1a45fa7264db5e1ae6094a480e7a6ddb0d02ce5fad4e7394cbec3f1e5d9cd4eed0cf3b8b0eec18384a8608 |
C:\Windows\Installer\MSI499A.tmp-\MissingLinq.Linq2Management.dll
| MD5 | 3a41ddea7a6ced7d4a1af988064350ef |
| SHA1 | 43405986af7602d8ecae222e34825e469d564c6f |
| SHA256 | a52086b39a18146dcb27a492d2429b6f70fd12044e50d56b8b17d172254f6aa4 |
| SHA512 | c789bc85f8fe77600bc5723c92a1fff4e75924db6cfc7eede22ad08d6fb3675b396e627f1eb271b372bf28384322f8ab3326bb7ab22e7f50fb35b022b2e2b798 |
C:\Windows\Installer\MSI499A.tmp-\NLog.dll
| MD5 | 6553bba76b42597080ffd54cb12a33c4 |
| SHA1 | 661357b08128507a34fe75466ecb5d7e3a522454 |
| SHA256 | c73881b442220f671bd35873999483777ebdc95b5123feaa5813fd9d55268b64 |
| SHA512 | ed9180002c30a18b5ac73224b8560163a1323a878d6b5698aa76bd0e5825c28f525d3f0080d1682224d24b739425d6ddccdd9f272cabb4e28a21073100589f5b |
C:\Windows\Installer\MSI499A.tmp-\Sentry.dll
| MD5 | 2e7dfe826fbdb73299d37722206fb29b |
| SHA1 | 268056d5f8519db888bbd2ec274128333b81b6d2 |
| SHA256 | 73e9de1f6002f9ef0df14f9a934e4ef87578a7dd67012cac0acec593832f824f |
| SHA512 | 36ba5406343acca303792702ebae768f7c853d3c651a181d8e897dfd20c71f21046a16a0ae2773dc182ca853cfd45cae6e442e9e5b4c39fe4154f2cc483ef5e7 |
C:\Windows\Installer\MSI499A.tmp-\Sentry.Extensions.Logging.dll
| MD5 | 8f826963e958bd0816266db056b049b1 |
| SHA1 | ee1e08065a5ece32e0783e36653db25abeb62173 |
| SHA256 | ac278dfa3187a5c2480e5c60df999890390d35260c39f0e2d74d25d166672e14 |
| SHA512 | c58fdbc9b474f1a84098d14627d0a1b44b463a23b772da79bfa269bee5dbd7bbafa1cd72eb3dcc8db3cf42a103781d0de787bae00d80bbe5f18481a5435fdccb |
C:\Windows\Installer\MSI499A.tmp-\System.Management.Automation.dll
| MD5 | 7bde1e64b59b1922baf74b6a19b8fc32 |
| SHA1 | 2daf4971be94dcdd811d1bf799eb5d08502a87ff |
| SHA256 | 1fa048750cd62df4e1317d9fc054a95d49b6b142b2825ae15d983f43af91528b |
| SHA512 | 0c5a2279ceb52798a8f398a5c498e67a606275e75acef5627c2103db54f920c567e92d4adf7b2050acbfb1de33f118ff34d85ba7db0f08133f89efd633aa235d |
C:\Windows\Installer\MSI499A.tmp-\WixSharp.UI.dll
| MD5 | 4cb9b80d4790c5ecc3ec5718a8345f10 |
| SHA1 | 949c3128e65606899550831bf824214030710971 |
| SHA256 | a4cabea22c6d3e0a4e1b640b97705c448400bec6945830b6dedc6e85ff54e96f |
| SHA512 | d5e96c7124a12735e40cd6960caedb8c7f64c379d3f823cf7d556a0cfb467763695d3355074ed586580c91aea73af857e314e3e7b293a42c025931c0f041a4f8 |
C:\Windows\Installer\MSI499A.tmp-\WixSharp.Msi.dll
| MD5 | 92a1f1ab887a8099eebc0a646a0455d4 |
| SHA1 | 8ac9e007e6a18fd238781fc80a4887b2d3fe6375 |
| SHA256 | 7aac4d32402119d5226fd414e8449dd5bef70592ef29a2c5071350eb5d77d2dd |
| SHA512 | f17ad09f6e9cf03f24d24bd3407e4fb57789b29d0d876798b01d2305ffc3a8b5176a463d9db6ce12a86314c2686f7a6195239dd1e901116ce602f72e3a88b09a |
memory/2684-2114-0x0000000002EB0000-0x0000000002EC0000-memory.dmp
memory/2684-2115-0x0000000002EB0000-0x0000000002EC0000-memory.dmp
memory/2684-2116-0x0000000002EB0000-0x0000000002EC0000-memory.dmp
memory/2684-2117-0x0000000002EB0000-0x0000000002EC0000-memory.dmp
memory/8-2289-0x00000000054B0000-0x00000000054C0000-memory.dmp
memory/8-2292-0x00000000054B0000-0x00000000054C0000-memory.dmp
memory/8-2293-0x00000000054B0000-0x00000000054C0000-memory.dmp
memory/2120-2463-0x00000000051D0000-0x00000000051F2000-memory.dmp
memory/2120-2465-0x0000000005240000-0x0000000005250000-memory.dmp
memory/2120-2464-0x0000000005240000-0x0000000005250000-memory.dmp
C:\Windows\Installer\e57c1dc.msi
| MD5 | d5e72c30c8383525e3aed1f1c2f1caab |
| SHA1 | 453c6b82989d62d7e3d9e1c805b5d106c1f5463d |
| SHA256 | 59efe52b08ee6c4cef658510eeb2be1b4f4701d162ff581a57a2997421652c57 |
| SHA512 | f8e67557af9e9053498460a32401b0b9f20cbe771d14189df112db505ba2f9330c7f89fa4aa61f486a4ab7867115a0c1909cbf5b5b5546cc70c61280b49ee867 |
C:\ProgramData\ExpressVPN\Config\p3d0hfrs.bin
| MD5 | fd523a062c3e787588fe859e15dcc813 |
| SHA1 | 684a114c2d2925ab68fb27f1b0cc20c7ccb70772 |
| SHA256 | a222509b36550a374015242b4653d680b726101a4b7c42be969c5f1f12f3aa40 |
| SHA512 | eb7602b502a070d7f5fd361a76cecd4103a9893cd68766bb4a3c882a01d9eed4d5f19fd80df1fa60e7865654805414cbe5f7ade3b538b2d31b8ff51c2aecb169 |
C:\Config.Msi\e57c1db.rbs
| MD5 | 5e86d712a04bdefeffe3fa6517aefe63 |
| SHA1 | 079ba76b81e74ee97578ba8505057e6436072530 |
| SHA256 | 3e714fd668f8d073d12ddc1fc53095789da3137c6e656322cdd992bc8e058b6b |
| SHA512 | 5b5231995c7482c072533a9050c1c0b915a59223fd45898e93e75b16151251220ce9532b1543c94828fb68e2d0256b240d17d6bf6270e4d53b9eb3da7fd31807 |
C:\Windows\Installer\MSI762F.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
C:\Users\Admin\AppData\Local\Temp\DEL7A5F.tmp
| MD5 | f162ee7a69d27493bd375907f666ca94 |
| SHA1 | b79c97c0cdb592f7ce01f3b4bddf5ab5db252547 |
| SHA256 | a8609434e1d3481f153b811e5f7c1a0a98b205a0a6d5a176b45b4b8b1ff1b95e |
| SHA512 | cd32829c002d236014e45d14232f7104f4518291c39fa0dd55b5d29a1c5bf991b287b1ae3c6f16e5e8d31efba5f27e61d3c7241648936f1157d0564a1a47d32b |
C:\Users\Admin\AppData\Local\Temp\DEL7A5E.tmp
| MD5 | 8d3bd603070c5341750804592de30739 |
| SHA1 | 19b27c7834ad7cbf1b9d6a396dfa0a5fa5588112 |
| SHA256 | 74fd8ff3b37e161c04c4a17ada1138cc44f52b4af93f946237affb040b0c916b |
| SHA512 | 8c366f1a037e448edec3d324f559ccb56ac184c5f504764c8afec8cc56048d4532b8a0926e10316d6d41fc2b21a9bd673899ff459c665e6d3d8e371bce980c35 |
C:\Users\Admin\AppData\Local\Temp\DEL7A5D.tmp
| MD5 | 988912a8a5ae0cafeb29f80b4e3af6d4 |
| SHA1 | 1ca87bea628fff4c8995d92168e736ef7fffd1ae |
| SHA256 | 5c67aca3caf64cb4a2ca3111ce00da9aa1364583344896dfdcb6d85c5050f43e |
| SHA512 | 2d58cde0d8f2d2aca423a612c77f34a146f46c64f8e5c877e7395baf2669ae1537bcff6431c7c0c01bb0889ced875604f9c4743b0974c2f89e300aaa13b01d3f |
C:\Users\Admin\AppData\Local\Temp\DEL7A76.tmp
| MD5 | a1124e760bc0cbf9e261cdfe7a418832 |
| SHA1 | 0795b0adf6cf467fb7942b1f7405bd0ed754a9d6 |
| SHA256 | 0502f8da948a642e4db4cea611ce28dd3da8c2928d3626ce530cfafbb4d11f7a |
| SHA512 | 5ff54162d73559133b64bf35bf07da1d3ee064ce32c071caf137f9eea41d0fb30879e7835b6cf537639cd2442c9117a9cf68d4a5e89b8af5d1319b82f9f4afcb |
C:\Users\Admin\AppData\Local\Temp\DEL7A5C.tmp
| MD5 | 46e1d39b4319db3517b9fa2d7d0b67c8 |
| SHA1 | 33af5ab0df4b9d690fe283fb8a8bd63508f3ada3 |
| SHA256 | b509e2c677b73b4cad4f09d0c3f94724bf3fd952b3f4c24c30985636ff2ed30c |
| SHA512 | dfedfc09ca7c1dbe611015c19464918d1b13b0f9828d504ac11598be442d61ce3ef8038f0d9c9ea0275fa5d95630e41ffe6a0bb1b0b67f955a46a858669a345e |
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\user.config
| MD5 | df2ea154c113c86c064714b3b0b5555a |
| SHA1 | c0b1a1a0a78a372d9fdd7ba4a029cdee42a0de65 |
| SHA256 | c2cf2a4af9784fca26bb94e650209bfdf1decee29f02e1398b902ad49182588d |
| SHA512 | c7cbbe4c79af3c2a246ba361842d1adcdd541e1eeadffa1ea55e9be75ce5099b90d020864def8f449b8fe472a3576454809f036533404e706b1baa142402a0fe |
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\z1llg1g5.newcfg
| MD5 | 26e3e068ccf44f130f40a158db8c4526 |
| SHA1 | c5f43d44ddadff0fd11a4f6285b54329196d668f |
| SHA256 | 18c2b162e66a3fe5edfb24eb6215dda7c075cc8afa9eb69cd2bcb0785f400e79 |
| SHA512 | 7720c82b2464879668763cad16963de5d4ecc5ac377b641cc8675d113c91a462c46733396be023417be05ac3b3eca3a8749c1e91fe191bd697db092df14e6856 |
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\glm11yii.newcfg
| MD5 | 286c05e5e213d7e97069184c0c44c85b |
| SHA1 | 009b760165d9332fc7af6bfa05a826fb87964f9e |
| SHA256 | d29a7bc5b1f30f8d9dde55e417e89eb86b5339613910e293405b5aaf50fea7ed |
| SHA512 | eaf3ebf413e08b111a6937947da7b29100737d6c1b4c21783392d1093db3ec9e28371f1afe203c3335f866bb09a213000d48a60e71a7c54d2750b1582c033b1c |
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\zuzgwv1k.newcfg
| MD5 | 0b5a51b4d5c666f5df3161ed1bc62511 |
| SHA1 | 362568ee7b81c337f4abbc2179682346445785bb |
| SHA256 | 95eaf9af9ccb14c33daeb04c498cad14f7b4eca49e890cb0c6debdb189a0538c |
| SHA512 | 947d1717325db18bbd7782929b018ac54660a8465d52c9264fa0d4b2521682ffcadb15bcc93c9bd141ffa3c7d9ee3397b4b7fcae74a9511bb404d244eb660b12 |
C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\agbjdexy.newcfg
| MD5 | a39f8f3cf32aa2eb6b8796db17cb4717 |
| SHA1 | a656c39987cd4d044105ac3665a414e0970aff49 |
| SHA256 | dcbe2d0f8514213217fef33467208772f9b6c9c0d28b1bdfd3d1a6f829948cae |
| SHA512 | 735b305f0adcaee25981a16c960352e78070132cb0ffff010027a8fc8441da8720b6f905a8966478a4c9f9a885114e8d0957b2c61c1bae2ab0de21789ded1847 |