301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7

Analysis

max time kernel
27s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 11:49

Target

expressvpn_windows_12.43.0.0_release.exe
Size

58.4MB
MD5

a15d6e20d0107f59af14bfe1bfee8a5a
SHA1

a16c498932a3c2851f255bf355f12076159afba7
SHA256

301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7
SHA512

02ed872a21f838422881fb2e6099ee3bb3b5e6c22a9ea4439de54cac0fc1aa7cadbf4f1e601cff50bd300941c529313e844c3547f8b3a5bdd4f7b7f47bb6e21e
SSDEEP

1572864:gDG8e0q6S1HeWXgyzRT//W87ghVzJNUXhhgTO0GsrVRUZUcf8E:KMMi++9XWDX+0rrVRTE

Score

4^/10

Executes dropped EXE 1 IoCs

Processes:

expressvpn_windows_12.43.0.0_release.exe

pid process

1252 expressvpn_windows_12.43.0.0_release.exe
Loads dropped DLL 1 IoCs

Processes:

expressvpn_windows_12.43.0.0_release.exe

pid process

1184 expressvpn_windows_12.43.0.0_release.exe

pid	process
1252	expressvpn_windows_12.43.0.0_release.exe

pid	process
1184	expressvpn_windows_12.43.0.0_release.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

expressvpn_windows_12.43.0.0_release.exe

description	pid	process	target process
PID 1184 wrote to memory of 1252	1184	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252	1184	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252	1184	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252	1184	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252	1184	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252	1184	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252	1184	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe

C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
"C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
2⤵
- Executes dropped EXE
PID:1252

C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit