Malware Analysis Report

2025-01-18 04:45

Sample ID 230613-wljtrahh24
Target expressvpn_windows_12.38.0.60_release.exe
SHA256 6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060
Tags
revengerat discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060

Threat Level: Known bad

The file expressvpn_windows_12.38.0.60_release.exe was found to be: Known bad.

Malicious Activity Summary

revengerat discovery persistence stealer trojan

RevengeRAT

RevengeRat Executable

Downloads MZ/PE file

Blocklisted process makes network request

Enumerates connected drives

Adds Run key to start application

Checks computer location settings

Drops file in Windows directory

Checks installed software on the system

Registers COM server for autorun

Drops file in Program Files directory

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Program crash

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies system certificate store

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-13 18:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-13 18:00

Reported

2023-06-13 18:03

Platform

win7-20230220-en

Max time kernel

25s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"

C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe

"C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Network

N/A

Files

\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe

MD5 07c7857ac0338fdc449755eddac67c94
SHA1 db057f68b70c981978855a2b02d8a8a397c79b0a
SHA256 efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a
SHA512 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-13 18:00

Reported

2023-06-13 18:03

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ExpressVPNNotificationService = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationServiceStarter.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8e563438-c5e3-4ece-98b6-53dcb8e954c2} = "\"C:\\ProgramData\\Package Cache\\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\\ExpressVPN_12.38.0.60.exe\" /burn.runonce" C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\LaunchDarkly.Logging.Microsoft.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.Serialization.Formatters.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Net.Security.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Printing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\es\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Configuration.ConfigurationManager.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\mscorrc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-profile-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Data.DataSetExtensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\D3DCompiler_47_cor3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\de\PresentationCore.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\fr\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pl\PresentationFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.settings.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.InteropServices.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Xml.Serialization.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\PresentationUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.IO.Packaging.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Diagnostics.EventLog.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\PresentationFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\ReachFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework-SystemCore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Xml.XDocument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Diagnostics.TraceSource.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\LICENSE.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\UIAutomationClientSideProviders.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\System.Windows.Forms.Design.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\de\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.InteropServices.RuntimeInformation.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Threading.Timer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework.Aero.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\cs\UIAutomationClientSideProviders.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\es\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\UIAutomationTypes.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\fr\System.Windows.Forms.Design.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.AppService.Grpc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\LaunchDarkly.ClientSdk.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Diagnostics.TextWriterTraceListener.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\com.expressvpn.helper.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\System.Security.Cryptography.ProtectedData.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Text.Encoding.Extensions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-debug-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\dotnet.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\PresentationUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Linq.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-interlocked-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.ComponentModel.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pl\System.Windows.Forms.Design.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\LaunchDarkly.EventSource.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\lightway.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\System.Management.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\UIAutomationClient.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hans\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\System.Windows.Forms.Design.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\LaunchDarkly.InternalSdk.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Logging.EventLog.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\ExpressVpn.Client.Setup.CustomActions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI463E.tmp-\LaunchDarkly.CommonSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI56CB.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI739E.tmp-\System.Security.AccessControl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\System.Text.Encodings.Web.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI40ED.tmp-\System.ValueTuple.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI463E.tmp-\ExpressVPN.Common.Shared.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI56CB.tmp-\ExpressVPN.Utils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI5DD1.tmp-\LaunchDarkly.JsonStream.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI5DD1.tmp-\MissingLinq.Linq2Management.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\Microsoft.Extensions.Configuration.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\System.Reactive.Linq.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI3832.tmp-\System.Buffers.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI4FB6.tmp-\Microsoft.Extensions.Primitives.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\System.Memory.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI6CE6.tmp-\System.IO.FileSystem.AccessControl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI40ED.tmp-\System.Memory.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI463E.tmp-\System.ValueTuple.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI4FB6.tmp-\Sentry.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI56CB.tmp-\MissingLinq.Linq2Management.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\Sentry.Extensions.Logging.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{089A177D-98AE-4195-A115-D3C45613B875} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\ExpressVPN.Common.Shared.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}\app_icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\System.Threading.Tasks.Extensions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI6CE6.tmp-\MissingLinq.Linq2Management.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI56CB.tmp-\LaunchDarkly.InternalSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI5DD1.tmp-\LaunchDarkly.ClientSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI5DD1.tmp-\System.Runtime.CompilerServices.Unsafe.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI739E.tmp-\Sentry.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\e57c1d1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\System.Memory.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI463E.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI499A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI56CB.tmp-\Microsoft.Extensions.Configuration.Json.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\System.Collections.Immutable.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI6CE6.tmp-\Microsoft.Extensions.Options.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI739E.tmp-\LaunchDarkly.CommonSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\WixSharp.UI.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI40ED.tmp-\System.Collections.Immutable.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.ClientSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI56CB.tmp-\Sentry.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI5DD1.tmp-\Grpc.Core.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI6CE6.tmp-\ExpressVpn.Common.Logging.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI6CE6.tmp-\Microsoft.Extensions.FileSystemGlobbing.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI739E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57c1d5.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\System.Text.Json.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI3832.tmp-\Microsoft.Extensions.Logging.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI463E.tmp-\LaunchDarkly.ClientSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI499A.tmp-\ExpressVpn.Common.Logging.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI499A.tmp-\Microsoft.Extensions.FileProviders.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI4FB6.tmp-\BootstrapperCore.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\Microsoft.Extensions.Options.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI696B.tmp-\System.Numerics.Vectors.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI739E.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI1F09.tmp-\System.Collections.Immutable.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI3832.tmp-\LaunchDarkly.ClientSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI3832.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI3832.tmp-\System.Reflection.Metadata.dll C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe N/A
N/A N/A C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{4eb799a7-3ca3-4f32-b247-62b1a8899a9f}\LocalServer32 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{4eb799a7-3ca3-4f32-b247-62b1a8899a9f}\LocalServer32\ = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationService.exe\" -ToastActivated" C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}v12.38.0.60\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version = "48.23.40665" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\expressvpn\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\ProductName = "Microsoft .NET Host FX Resolver - 6.0.5 (x64)" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B16A3B3F61CDA9242A06BDFA6E76149A\Provider C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\DisplayName = "ExpressVPN" C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.23.40665_x64\Version = "48.23.40665" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{3E6CCD41-6B96-47BD-8E1E-D7B593CEE976}v48.23.40665\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\ = "URL:ExpressVPN Protocol" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{8e563438-c5e3-4ece-98b6-53dcb8e954c2} C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{089A177D-98AE-4195-A115-D3C45613B875}v48.23.40665\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\ProductName = "ExpressVPN" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\Version = "806854361" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XDeviceID C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5E3C9B5EC98822F49A954F8B6DDC8703 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\ProductName = "Microsoft .NET Runtime - 6.0.5 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}v12.38.0.60\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{F3B3A61B-DC16-429A-A260-DBAFE66741A9}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XDeviceID\{7b9b0021-e550-4a9f-abaf-ed1daf2b4184} C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Version = "806854395" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Version = "48.23.40665" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D771A980EA8959141A513D4C65318B57\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\PackageCode = "3C57FB7C5C8A52B40956C723EAB175C1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96CB999B5A151C05AD66FE6E01275B09 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\shell\open C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\Version = "203816960" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211}\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\95E1F2D0BA75B2B74C874D77E76BDC01\14DCC6E369B6DB74E8E17D5B39EC9E67 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{DE578B32-084A-49E7-8E55-6F58A37578C0}v48.23.40699\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E5B9C3E5-889C-4F22-A959-F4B8982D786D}\Version = "12.38.0.60" C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64 C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{4eb799a7-3ca3-4f32-b247-62b1a8899a9f} C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\expressvpn\URL Protocol C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\PackageCode = "7C220EF0E82E1D747B8A574636FCC4E1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\Version = "12.38.0.60" C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\10EA62E1536592372BC00B2945329E52\23B875EDA4807E94E855F6853A57870C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{DE578B32-084A-49E7-8E55-6F58A37578C0}v48.23.40699\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\SourceList\PackageName = "ExpressVPN.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B89D287D6\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Dependents C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4332 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe
PID 640 wrote to memory of 4492 N/A C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe
PID 4492 wrote to memory of 4100 N/A C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 4100 wrote to memory of 4572 N/A C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 4572 wrote to memory of 3340 N/A C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 4572 wrote to memory of 3340 N/A C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 4572 wrote to memory of 3340 N/A C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 3444 wrote to memory of 1468 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 1468 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 1468 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4456 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4456 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4456 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4404 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4404 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4404 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4560 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 1500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 1500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 1500 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1500 wrote to memory of 2248 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2248 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 2248 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 3444 wrote to memory of 4012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3444 wrote to memory of 4012 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4012 wrote to memory of 2308 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 2308 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 2308 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 4396 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 4396 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 4396 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 5064 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 5064 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 5064 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 2684 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 2684 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 2684 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 8 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 8 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 8 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 8 wrote to memory of 4976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe
PID 8 wrote to memory of 4976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe
PID 4012 wrote to memory of 2120 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 2120 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 2120 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 4012 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 3180 wrote to memory of 396 N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe C:\Program Files (x86)\ExpressVPN\services\lightway.exe
PID 3180 wrote to memory of 396 N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe C:\Program Files (x86)\ExpressVPN\services\lightway.exe
PID 1500 wrote to memory of 1884 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 1884 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1500 wrote to memory of 1884 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"

C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe

"C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe" -burn.filehandle.attached=532 -burn.filehandle.self=536

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe

"C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe" -q -burn.elevated BurnPipe.{AE25E771-AEB8-4FF6-A654-2A686CC3335A} {3C5172FC-3F64-4AB5-9CFF-71BDAA608357} 640

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" /install /quiet /norestart -burn.filehandle.self=1628 -burn.embedded BurnPipe.{A58D639C-8114-4B4F-8C9A-B0463C4D1ABC} {190F4544-4522-4AC9-A7EF-0D9C3B184B8A} 4492

C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart -burn.filehandle.self=1628 -burn.embedded BurnPipe.{A58D639C-8114-4B4F-8C9A-B0463C4D1ABC} {190F4544-4522-4AC9-A7EF-0D9C3B184B8A} 4492

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe" -q -burn.elevated BurnPipe.{D1E0C687-BD0C-4337-BED2-D7D5D0DB2222} {8F7900AF-B21B-49E7-8EF0-D0C058682C80} 4572

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AD172D7A0845ADF6F49C009A073757F4

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 13BABD8DBC56A1F18C3D8528C58B86E6

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A36DDCC32832B3D1B10A26E63DEBC87A

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D642A118A0A5F47DA977AE294F2CEFBF

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 81BE6FE8D615AA8CA84364A0D61663E7

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI1F09.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240656312 22 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseMainApp

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 49BFE0685B136E64E983F32A0620385D E Global\MSI0000

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI3832.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240662609 37 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetBrowserHelperPath

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI40ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240664937 41 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateAccessTokens

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI463E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240666187 45 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateDefaultPortConfiguration

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI499A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240667031 49 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateServiceCredentials

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI4FB6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240668593 53 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.InitializeProteusId

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI56CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670406 57 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetServicesFailureActions

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2120 -ip 2120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1236

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI5DD1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672203 62 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.AddErrorReportingKeys

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe"

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe"

C:\Program Files (x86)\ExpressVPN\services\lightway.exe

"C:\Program Files (x86)\ExpressVPN\services\lightway.exe" --version

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI696B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240675234 66 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveLegacyRegistryData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI6CE6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240676093 70 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveUserFolderData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI739E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240677781 80 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.DeleteBinaries

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe" install

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe" uihaslaunched

Network


Files

C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe

MD5 07c7857ac0338fdc449755eddac67c94
SHA1 db057f68b70c981978855a2b02d8a8a397c79b0a
SHA256 efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a
SHA512 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

C:\Windows\Temp\{EE1EC32B-75B6-4BF6-B91D-5ACC86409384}\.cr\expressvpn_windows_12.38.0.60_release.exe

MD5 07c7857ac0338fdc449755eddac67c94
SHA1 db057f68b70c981978855a2b02d8a8a397c79b0a
SHA256 efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a
SHA512 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\mbahost.dll

MD5 c59832217903ce88793a6c40888e3cae
SHA1 6d9facabf41dcf53281897764d467696780623b8
SHA256 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA512 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

memory/640-234-0x0000000006450000-0x0000000006460000-memory.dmp

memory/640-235-0x0000000006450000-0x0000000006460000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

memory/640-239-0x00000000031F0000-0x0000000003208000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\BootstrapperCore.config

MD5 0c79473766c4a706b8acacbeff369bc6
SHA1 f5470d0ec6fd98403fa756d1760ddf0ecb3c5b81
SHA256 c044ee99956b0b7628f29d2c7f8d0aaaf18054156acf910915c86edbb09476aa
SHA512 991a357bcea62be7e926a9768e3cf3d399303b5cc7667bfe71c9487de289efbeaca91d98e18880125daac6b7f73b6d298bbbd2276452f155e82173ac5aac1c02

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\WixSharp Setup.exe

MD5 a1124e760bc0cbf9e261cdfe7a418832
SHA1 0795b0adf6cf467fb7942b1f7405bd0ed754a9d6
SHA256 0502f8da948a642e4db4cea611ce28dd3da8c2928d3626ce530cfafbb4d11f7a
SHA512 5ff54162d73559133b64bf35bf07da1d3ee064ce32c071caf137f9eea41d0fb30879e7835b6cf537639cd2442c9117a9cf68d4a5e89b8af5d1319b82f9f4afcb

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\WixSharp Setup.exe

MD5 a1124e760bc0cbf9e261cdfe7a418832
SHA1 0795b0adf6cf467fb7942b1f7405bd0ed754a9d6
SHA256 0502f8da948a642e4db4cea611ce28dd3da8c2928d3626ce530cfafbb4d11f7a
SHA512 5ff54162d73559133b64bf35bf07da1d3ee064ce32c071caf137f9eea41d0fb30879e7835b6cf537639cd2442c9117a9cf68d4a5e89b8af5d1319b82f9f4afcb

memory/640-246-0x00000000069B0000-0x0000000006B36000-memory.dmp

memory/640-247-0x0000000006450000-0x0000000006460000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 46e1d39b4319db3517b9fa2d7d0b67c8
SHA1 33af5ab0df4b9d690fe283fb8a8bd63508f3ada3
SHA256 b509e2c677b73b4cad4f09d0c3f94724bf3fd952b3f4c24c30985636ff2ed30c
SHA512 dfedfc09ca7c1dbe611015c19464918d1b13b0f9828d504ac11598be442d61ce3ef8038f0d9c9ea0275fa5d95630e41ffe6a0bb1b0b67f955a46a858669a345e

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 46e1d39b4319db3517b9fa2d7d0b67c8
SHA1 33af5ab0df4b9d690fe283fb8a8bd63508f3ada3
SHA256 b509e2c677b73b4cad4f09d0c3f94724bf3fd952b3f4c24c30985636ff2ed30c
SHA512 dfedfc09ca7c1dbe611015c19464918d1b13b0f9828d504ac11598be442d61ce3ef8038f0d9c9ea0275fa5d95630e41ffe6a0bb1b0b67f955a46a858669a345e

memory/640-251-0x0000000006430000-0x0000000006438000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

memory/640-255-0x0000000006960000-0x0000000006970000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Common.Logging.dll

MD5 988912a8a5ae0cafeb29f80b4e3af6d4
SHA1 1ca87bea628fff4c8995d92168e736ef7fffd1ae
SHA256 5c67aca3caf64cb4a2ca3111ce00da9aa1364583344896dfdcb6d85c5050f43e
SHA512 2d58cde0d8f2d2aca423a612c77f34a146f46c64f8e5c877e7395baf2669ae1537bcff6431c7c0c01bb0889ced875604f9c4743b0974c2f89e300aaa13b01d3f

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVpn.Common.Logging.dll

MD5 988912a8a5ae0cafeb29f80b4e3af6d4
SHA1 1ca87bea628fff4c8995d92168e736ef7fffd1ae
SHA256 5c67aca3caf64cb4a2ca3111ce00da9aa1364583344896dfdcb6d85c5050f43e
SHA512 2d58cde0d8f2d2aca423a612c77f34a146f46c64f8e5c877e7395baf2669ae1537bcff6431c7c0c01bb0889ced875604f9c4743b0974c2f89e300aaa13b01d3f

memory/640-259-0x0000000006990000-0x00000000069A8000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Common.Shared.dll

MD5 8d3bd603070c5341750804592de30739
SHA1 19b27c7834ad7cbf1b9d6a396dfa0a5fa5588112
SHA256 74fd8ff3b37e161c04c4a17ada1138cc44f52b4af93f946237affb040b0c916b
SHA512 8c366f1a037e448edec3d324f559ccb56ac184c5f504764c8afec8cc56048d4532b8a0926e10316d6d41fc2b21a9bd673899ff459c665e6d3d8e371bce980c35

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Common.Shared.dll

MD5 8d3bd603070c5341750804592de30739
SHA1 19b27c7834ad7cbf1b9d6a396dfa0a5fa5588112
SHA256 74fd8ff3b37e161c04c4a17ada1138cc44f52b4af93f946237affb040b0c916b
SHA512 8c366f1a037e448edec3d324f559ccb56ac184c5f504764c8afec8cc56048d4532b8a0926e10316d6d41fc2b21a9bd673899ff459c665e6d3d8e371bce980c35

memory/640-263-0x0000000006B40000-0x0000000006B54000-memory.dmp

memory/640-264-0x0000000006B60000-0x0000000006B7A000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Utils.dll

MD5 f162ee7a69d27493bd375907f666ca94
SHA1 b79c97c0cdb592f7ce01f3b4bddf5ab5db252547
SHA256 a8609434e1d3481f153b811e5f7c1a0a98b205a0a6d5a176b45b4b8b1ff1b95e
SHA512 cd32829c002d236014e45d14232f7104f4518291c39fa0dd55b5d29a1c5bf991b287b1ae3c6f16e5e8d31efba5f27e61d3c7241648936f1157d0564a1a47d32b

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\ExpressVPN.Utils.dll

MD5 f162ee7a69d27493bd375907f666ca94
SHA1 b79c97c0cdb592f7ce01f3b4bddf5ab5db252547
SHA256 a8609434e1d3481f153b811e5f7c1a0a98b205a0a6d5a176b45b4b8b1ff1b95e
SHA512 cd32829c002d236014e45d14232f7104f4518291c39fa0dd55b5d29a1c5bf991b287b1ae3c6f16e5e8d31efba5f27e61d3c7241648936f1157d0564a1a47d32b

memory/640-268-0x0000000006BA0000-0x0000000006BC0000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

memory/640-272-0x0000000006CC0000-0x0000000006CD8000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

memory/640-276-0x0000000006B80000-0x0000000006B8A000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

memory/640-280-0x0000000006B90000-0x0000000006B9A000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

memory/640-284-0x0000000006D00000-0x0000000006D10000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Newtonsoft.Json.dll

MD5 6815034209687816d8cf401877ec8133
SHA1 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA256 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA512 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.ba\Newtonsoft.Json.dll

MD5 6815034209687816d8cf401877ec8133
SHA1 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA256 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA512 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

memory/640-288-0x0000000006E90000-0x0000000006F40000-memory.dmp

memory/640-293-0x0000000006880000-0x00000000068A2000-memory.dmp

memory/640-292-0x000000007FBB0000-0x000000007FBC0000-memory.dmp

memory/640-291-0x0000000006450000-0x0000000006460000-memory.dmp

memory/640-296-0x00000000077C0000-0x00000000077C8000-memory.dmp

memory/640-298-0x0000000009D30000-0x0000000009D68000-memory.dmp

memory/640-297-0x0000000006450000-0x0000000006460000-memory.dmp

memory/640-299-0x0000000009CF0000-0x0000000009CFE000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe

MD5 07c7857ac0338fdc449755eddac67c94
SHA1 db057f68b70c981978855a2b02d8a8a397c79b0a
SHA256 efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a
SHA512 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

memory/640-308-0x0000000009FE0000-0x0000000009FE8000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe

MD5 07c7857ac0338fdc449755eddac67c94
SHA1 db057f68b70c981978855a2b02d8a8a397c79b0a
SHA256 efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a
SHA512 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\.be\ExpressVPN_12.38.0.60.exe

MD5 07c7857ac0338fdc449755eddac67c94
SHA1 db057f68b70c981978855a2b02d8a8a397c79b0a
SHA256 efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a
SHA512 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d

memory/640-312-0x0000000006450000-0x0000000006460000-memory.dmp

memory/640-313-0x0000000006450000-0x0000000006460000-memory.dmp

memory/640-314-0x0000000006450000-0x0000000006460000-memory.dmp

memory/640-315-0x000000007FBB0000-0x000000007FBC0000-memory.dmp

memory/640-316-0x0000000006450000-0x0000000006460000-memory.dmp

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\Net6DesktopRuntime64

MD5 26d558f92be15a50d59b8261123de56b
SHA1 b5b1819cca753b070181f50411375b80412860a3
SHA256 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA512 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea

C:\Windows\Temp\{AE791D1B-18B8-41F1-9200-A1C96FABE26F}\MainMsi

MD5 d5e72c30c8383525e3aed1f1c2f1caab
SHA1 453c6b82989d62d7e3d9e1c805b5d106c1f5463d
SHA256 59efe52b08ee6c4cef658510eeb2be1b4f4701d162ff581a57a2997421652c57
SHA512 f8e67557af9e9053498460a32401b0b9f20cbe771d14189df112db505ba2f9330c7f89fa4aa61f486a4ab7867115a0c1909cbf5b5b5546cc70c61280b49ee867

C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 26d558f92be15a50d59b8261123de56b
SHA1 b5b1819cca753b070181f50411375b80412860a3
SHA256 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA512 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea

C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 987433e22c318ff3bfd596f6b7bb3d0d
SHA1 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256 ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA512 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46

C:\Windows\Temp\{54994286-3575-4D6C-9B7C-433C77624542}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 987433e22c318ff3bfd596f6b7bb3d0d
SHA1 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256 ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA512 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.ba\wixstdba.dll

MD5 4356ee50f0b1a878e270614780ddf095
SHA1 b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512 b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.ba\bg.png

MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

C:\ProgramData\Package Cache\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\state.rsm

C:\ProgramData\Package Cache\{8e563438-c5e3-4ece-98b6-53dcb8e954c2}\ExpressVPN_12.38.0.60.exe

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\dotnet_runtime_6.0.5_win_x64.msi

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\dotnet_host_6.0.5_win_x64.msi

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\dotnet_hostfxr_6.0.5_win_x64.msi

C:\Windows\Temp\{F9BCD5BD-E6B9-4B48-ACA3-D777E30175A7}\windowsdesktop_runtime_6.0.5_win_x64.msi

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_000_dotnet_runtime_6.0.5_win_x64.msi.log

C:\Windows\Installer\MSID14A.tmp

C:\Windows\Installer\e57c1cc.msi

C:\Config.Msi\e57c1cb.rbs

C:\Windows\Installer\MSIE58F.tmp

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_001_dotnet_hostfxr_6.0.5_win_x64.msi.log

C:\Windows\Installer\MSIEAC1.tmp

C:\Windows\Installer\e57c1cd.msi

C:\Config.Msi\e57c1cf.rbs

C:\Windows\Installer\MSIF022.tmp

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_002_dotnet_host_6.0.5_win_x64.msi.log

C:\Windows\Installer\MSIF311.tmp

C:\Program Files\dotnet\ThirdPartyNotices.txt

C:\Program Files\dotnet\LICENSE.txt

C:\Config.Msi\e57c1d3.rbs

C:\Windows\Installer\MSIF7E5.tmp

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230613180206_003_windowsdesktop_runtime_6.0.5_win_x64.msi.log

C:\Windows\Installer\MSIFCC8.tmp

C:\Windows\Installer\e57c1d8.msi

C:\Config.Msi\e57c1d7.rbs

C:\Windows\Installer\MSI10A0.tmp

C:\Windows\Installer\MSI1F09.tmp-\Newtonsoft.Json.dll

C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll

C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.DependencyInjection.dll

C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Extensions.Logging.Abstractions.dll

C:\Windows\Installer\MSI1F09.tmp-\System.Threading.Tasks.Extensions.dll

C:\Windows\Installer\MSI1F09.tmp-\Microsoft.Bcl.AsyncInterfaces.dll

C:\Windows\Installer\MSI3832.tmp-\Microsoft.Deployment.WindowsInstaller.dll

C:\Windows\Installer\MSI3832.tmp-\CustomAction.config

C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Client.Setup.CustomActions.dll

C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Client.Setup.Shared.dll

C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Common.Logging.dll

C:\Windows\Installer\MSI3832.tmp-\ExpressVPN.Common.Shared.dll

C:\Windows\Installer\MSI3832.tmp-\WixSharp.dll

C:\Windows\Installer\MSI3832.tmp-\ExpressVPN.Utils.dll

C:\Windows\Installer\MSI3832.tmp-\ExpressVPN.Client.Installer.dll

C:\Windows\Installer\MSI3832.tmp-\ExpressVpn.Utils.Wmi.dll

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN.lnk~RFe583f85.TMP

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN.lnk

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe

C:\Windows\Installer\MSI40ED.tmp

C:\Windows\Installer\MSI40ED.tmp-\BootstrapperCore.dll

C:\Windows\Installer\MSI40ED.tmp-\Grpc.Core.Api.dll

C:\Windows\Installer\MSI40ED.tmp-\Google.Protobuf.dll

C:\Windows\Installer\MSI40ED.tmp-\Grpc.Core.dll

C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.Primitives.dll

C:\Windows\Installer\MSI40ED.tmp-\Microsoft.Extensions.Options.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Buffers.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Collections.Immutable.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Reactive.Interfaces.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Reactive.Core.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Text.Encodings.Web.dll

C:\Windows\Installer\MSI40ED.tmp-\System.ValueTuple.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Text.Json.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Reflection.Metadata.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Reactive.Linq.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Numerics.Vectors.dll

C:\Windows\Installer\MSI40ED.tmp-\System.Memory.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.Binder.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.FileExtensions.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.FileProviders.Physical.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.FileProviders.Abstractions.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Configuration.Json.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Http.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Logging.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.Logging.Configuration.dll

C:\Windows\Installer\MSI463E.tmp-\Microsoft.Extensions.FileSystemGlobbing.dll

C:\Windows\Installer\MSI463E.tmp-\System.Diagnostics.DiagnosticSource.dll

C:\Windows\Installer\MSI463E.tmp-\System.IO.FileSystem.AccessControl.dll

C:\Windows\Installer\MSI463E.tmp-\System.Runtime.CompilerServices.Unsafe.dll

C:\Windows\Installer\MSI463E.tmp-\System.Security.AccessControl.dll

C:\Windows\Installer\MSI463E.tmp-\System.Security.Principal.Windows.dll

C:\Windows\Installer\MSI499A.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb

C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.ClientSdk.dll

C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.EventSource.dll

C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.CommonSdk.dll

C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.InternalSdk.dll

C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.JsonStream.dll

C:\Windows\Installer\MSI499A.tmp-\LaunchDarkly.Logging.dll

C:\Windows\Installer\MSI499A.tmp-\ManagedWifi.dll

C:\Windows\Installer\MSI499A.tmp-\log4net.dll

C:\Windows\Installer\MSI499A.tmp-\MissingLinq.Linq2Management.dll

C:\Windows\Installer\MSI499A.tmp-\NLog.dll

C:\Windows\Installer\MSI499A.tmp-\Sentry.dll

C:\Windows\Installer\MSI499A.tmp-\Sentry.Extensions.Logging.dll

C:\Windows\Installer\MSI499A.tmp-\System.Management.Automation.dll

C:\Windows\Installer\MSI499A.tmp-\WixSharp.UI.dll

C:\Windows\Installer\MSI499A.tmp-\WixSharp.Msi.dll

C:\Windows\Installer\e57c1dc.msi

C:\ProgramData\ExpressVPN\Config\p3d0hfrs.bin

C:\Config.Msi\e57c1db.rbs

C:\Windows\Installer\MSI762F.tmp

C:\Users\Admin\AppData\Local\Temp\DEL7A5F.tmp

C:\Users\Admin\AppData\Local\Temp\DEL7A5E.tmp

C:\Users\Admin\AppData\Local\Temp\DEL7A5D.tmp

C:\Users\Admin\AppData\Local\Temp\DEL7A76.tmp

C:\Users\Admin\AppData\Local\Temp\DEL7A5C.tmp

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\user.config

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\z1llg1g5.newcfg

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\glm11yii.newcfg

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\zuzgwv1k.newcfg

C:\Users\Admin\AppData\Local\ExpressVPN\ExpressVPN.exe_Url_gwqkjzvdy3xpznw2dfneavuubxdnvnis\12.38.0.60\agbjdexy.newcfg
