revengerat | 301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7

Analysis

max time kernel
106s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2023 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

expressvpn_windows_12.43.0.0_release.exe
Size

58.4MB
MD5

a15d6e20d0107f59af14bfe1bfee8a5a
SHA1

a16c498932a3c2851f255bf355f12076159afba7
SHA256

301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7
SHA512

02ed872a21f838422881fb2e6099ee3bb3b5e6c22a9ea4439de54cac0fc1aa7cadbf4f1e601cff50bd300941c529313e844c3547f8b3a5bdd4f7b7f47bb6e21e
SSDEEP

1572864:gDG8e0q6S1HeWXgyzRT//W87ghVzJNUXhhgTO0GsrVRUZUcf8E:KMMi++9XWDX+0rrVRTE

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\MainMsi	revengerat

Downloads MZ/PE file

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ExpressVPN_12.43.0.0.exeVC_redist.x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ExpressVPN_12.43.0.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc} = "\"C:\\ProgramData\\Package Cache\\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\\ExpressVPN_12.43.0.0.exe\" /burn.runonce"	ExpressVPN_12.43.0.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VC_redist.x64.exeexpressvpn_windows_12.43.0.0_release.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	expressvpn_windows_12.43.0.0_release.exe

Drops file in System32 directory 22 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e57beeb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57beeb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CF4C347D-954E-4543-88D2-EC17F07F466F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4C7.tmp	msiexec.exe
File created	C:\Windows\Installer\e57befb.msi	msiexec.exe

Executes dropped EXE 5 IoCs

Processes:

expressvpn_windows_12.43.0.0_release.exeExpressVPN_12.43.0.0.exeVC_redist.x64.exeVC_redist.x64.exeVC_redist.x64.exe

pid process

1692 expressvpn_windows_12.43.0.0_release.exe
3280 ExpressVPN_12.43.0.0.exe
444 VC_redist.x64.exe
1508 VC_redist.x64.exe
820 VC_redist.x64.exe

Loads dropped DLL 26 IoCs

Processes:

expressvpn_windows_12.43.0.0_release.exeVC_redist.x64.exe

pid	process
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1692	expressvpn_windows_12.43.0.0_release.exe
1508	VC_redist.x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1152 1508 WerFault.exe VC_redist.x64.exe

pid	pid_target	process	target process
1152	1508	WerFault.exe	VC_redist.x64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe

Modifies registry class 46 IoCs

Processes:

msiexec.exeVC_redist.x64.exeExpressVPN_12.43.0.0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\PackageCode = "41D6234F5FF418F46B8784B191BEBB15"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}	ExpressVPN_12.43.0.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\DisplayName = "ExpressVPN"	ExpressVPN_12.43.0.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Version = "14.34.31931.0"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Dependents\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}	ExpressVPN_12.43.0.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Dependents	ExpressVPN_12.43.0.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931"	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Version = "237141179"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Version = "12.43.0.0"	ExpressVPN_12.43.0.0.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{CF4C347D-954E-4543-88D2-EC17F07F466F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ = "{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}"	ExpressVPN_12.43.0.0.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\D743C4FCE4593454882DCE710FF764F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.34.31931"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exe

pid process

3044 msiexec.exe
3044 msiexec.exe
3044 msiexec.exe
3044 msiexec.exe

pid	process
3044	msiexec.exe
3044	msiexec.exe
3044	msiexec.exe
3044	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exesrtasks.exeVC_redist.x64.exemsiexec.exe

description	pid	process
Token: SeBackupPrivilege	332	vssvc.exe
Token: SeRestorePrivilege	332	vssvc.exe
Token: SeAuditPrivilege	332	vssvc.exe
Token: SeBackupPrivilege	920	srtasks.exe
Token: SeRestorePrivilege	920	srtasks.exe
Token: SeSecurityPrivilege	920	srtasks.exe
Token: SeTakeOwnershipPrivilege	920	srtasks.exe
Token: SeBackupPrivilege	920	srtasks.exe
Token: SeRestorePrivilege	920	srtasks.exe
Token: SeSecurityPrivilege	920	srtasks.exe
Token: SeTakeOwnershipPrivilege	920	srtasks.exe
Token: SeShutdownPrivilege	820	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	820	VC_redist.x64.exe
Token: SeSecurityPrivilege	3044	msiexec.exe
Token: SeCreateTokenPrivilege	820	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	820	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	820	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	820	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	820	VC_redist.x64.exe
Token: SeTcbPrivilege	820	VC_redist.x64.exe
Token: SeSecurityPrivilege	820	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	820	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	820	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	820	VC_redist.x64.exe
Token: SeSystemtimePrivilege	820	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	820	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	820	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	820	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	820	VC_redist.x64.exe
Token: SeBackupPrivilege	820	VC_redist.x64.exe
Token: SeRestorePrivilege	820	VC_redist.x64.exe
Token: SeShutdownPrivilege	820	VC_redist.x64.exe
Token: SeDebugPrivilege	820	VC_redist.x64.exe
Token: SeAuditPrivilege	820	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	820	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	820	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	820	VC_redist.x64.exe
Token: SeUndockPrivilege	820	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	820	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	820	VC_redist.x64.exe
Token: SeManageVolumePrivilege	820	VC_redist.x64.exe
Token: SeImpersonatePrivilege	820	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	820	VC_redist.x64.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

expressvpn_windows_12.43.0.0_release.exeexpressvpn_windows_12.43.0.0_release.exeExpressVPN_12.43.0.0.exeVC_redist.x64.exeVC_redist.x64.exe

description	pid	process	target process
PID 4928 wrote to memory of 1692	4928	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 4928 wrote to memory of 1692	4928	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 4928 wrote to memory of 1692	4928	expressvpn_windows_12.43.0.0_release.exe	expressvpn_windows_12.43.0.0_release.exe
PID 1692 wrote to memory of 3280	1692	expressvpn_windows_12.43.0.0_release.exe	ExpressVPN_12.43.0.0.exe
PID 1692 wrote to memory of 3280	1692	expressvpn_windows_12.43.0.0_release.exe	ExpressVPN_12.43.0.0.exe
PID 1692 wrote to memory of 3280	1692	expressvpn_windows_12.43.0.0_release.exe	ExpressVPN_12.43.0.0.exe
PID 3280 wrote to memory of 444	3280	ExpressVPN_12.43.0.0.exe	VC_redist.x64.exe
PID 3280 wrote to memory of 444	3280	ExpressVPN_12.43.0.0.exe	VC_redist.x64.exe
PID 3280 wrote to memory of 444	3280	ExpressVPN_12.43.0.0.exe	VC_redist.x64.exe
PID 444 wrote to memory of 1508	444	VC_redist.x64.exe	VC_redist.x64.exe
PID 444 wrote to memory of 1508	444	VC_redist.x64.exe	VC_redist.x64.exe
PID 444 wrote to memory of 1508	444	VC_redist.x64.exe	VC_redist.x64.exe
PID 1508 wrote to memory of 820	1508	VC_redist.x64.exe	VC_redist.x64.exe
PID 1508 wrote to memory of 820	1508	VC_redist.x64.exe	VC_redist.x64.exe
PID 1508 wrote to memory of 820	1508	VC_redist.x64.exe	VC_redist.x64.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe
"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe
"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe" -q -burn.elevated BurnPipe.{DE26A9A6-A62C-4987-AE99-DB55009E3672} {3067A064-040D-4C06-B880-FE038E364924} 1692
3⤵
- Adds Run key to start application
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3280

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648 /install /quiet /norestart
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5B957E83-6C60-4C1B-86FF-701A754325B5} {F8910C98-21B7-46B0-B2FA-16E8619C24E1} 1508
6⤵
- Adds Run key to start application
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 972
6⤵
- Program crash
PID:1152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1508 -ip 1508
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57beee.rbs
Filesize
19KB

MD5
ed445073408ab738cd92adb494a7f9a9

SHA1
64ab9490bf2dbfc6f2b53198429f9a1b06848dbd

SHA256
1cd6e986ee656228c8f81c78e1ba19db933a94f49a708aebd799010cfe467295

SHA512
6d42f79dbdbffc6cadfc8c2e3364661a77be9a7fea646d70ec22d243379f427a7454df4983a44e879f844f1422d846540aa10d686c6ee7791965964dd63aad11

Download Submit
C:\Config.Msi\e57befa.rbs
Filesize
19KB

MD5
0b78e07263037ca38444789b3d1ffbc3

SHA1
124d00daf196701e9c6bba3a85166cb017641c79

SHA256
b68e4c9f4037624466eb6792692cd82e20497755848f4be32407398de03f96e4

SHA512
f9e6f7668f64f09d447d36280e99521ddbf655c6d5c708033ca9b8ecd593a5f11f44014bcf3abe806ce881fea0477171ca88817ec671876dd30036e4daadcc25

Download Submit
C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
Filesize
24.3MB

MD5
703bd677778f2a1ba1eb4338bac3b868

SHA1
a176f140e942920b777f80de89e16ea57ee32be8

SHA256
2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9

SHA512
a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

Download Submit
C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ExpressVPN_12.43.0.0.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\state.rsm
Filesize
952B

MD5
96c1b1d840080e6f8bcc4e94c0542172

SHA1
3c5dba26dcffcb8c8d51792ae0273c6c96a5505a

SHA256
af8dcb1b7f2e30dd0fd3c233fb6092d7db5936db28d920f8a6e880d3d9d98b73

SHA512
1ccfec3ed6cb03c61902da64d11b02fbc6abddd425fa99aa575b328fee36d504cdc070fc5cb66be137cbe63629f88158bff9de10609afacb2509e12153899a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230615115048_000_vcRuntimeMinimum_x64.log
Filesize
2KB

MD5
288eda972f93dcc8191d91d44e6b7570

SHA1
17948cf08c4c0adfcab49ff59f64b28895d69e11

SHA256
3e3ac0e1afa997f15bc6c12a9b9228198e85021f39485c503852db6aa3aa95ce

SHA512
d67bb8927aabafb823e835cb073f392f5958fda0a83ae58092446ceafb4579989853ed83394a516e438011698bcbb6732f01f1bc61286cd9a8e858694455e53c

Download Submit
C:\Windows\Installer\e57befb.msi
Filesize
180KB

MD5
df77fc41aa2f85ca423919e397084137

SHA1
5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b

SHA256
51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2

SHA512
a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\cab2C04DDC374BD96EB5C8EB8208F2C7C92
Filesize
5.4MB

MD5
62bc0f466e65d9219281cf75c8f91380

SHA1
0826a1591b81acf0fe30d58e19b0a87df2a49a3e

SHA256
534dd81be6b7a23a745c36eda87e6387c5d146c3a96c84793d0edc7eb85b40f3

SHA512
17713f4228c0c2793c622bbb0a90bd5688d98a6576a695cb956fa233238c4c6e5b0cb43510be4f072613ad575d0b44e7c847f48b785a161cc337a9e6fdca3bb5

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\cab5046A8AB272BF37297BB7928664C9503
Filesize
914KB

MD5
45c9c674c0ba87f57168d6ab852e9641

SHA1
73ace24362f14dc58d4099dae6e4e62902e9e950

SHA256
d14f231d1ab0d928e309b067622b5389e0dc6c4f0d3671632066f6586c442c76

SHA512
5bb06ca9c966c9edd30944523a84efd3c13b8eb9f6a5c6cfd961a0c82a1cb193e7b58baf888dede7b740ed42ce76ab20c3e41a684c4dd9d818ff8b0d9e52e684

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\vcRuntimeAdditional_x64
Filesize
180KB

MD5
c214a9e931bbdd960bb48ac1a2b91945

SHA1
a640c55dd522e01d0be4307a5eee9a40f779a6cc

SHA256
1dbd3e4e71c6678e640c289c1c64bbb12c70f65f52b27191680a9e4141d64b11

SHA512
d25fef3bdd3cd18035892618602e27621e9fb3a913e7972ec7bb624d593ae4b766e718fd2e2c7342c589e9a97beb03d2fedef22e824c6b539b83f199cb967933

Download Submit
C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\vcRuntimeMinimum_x64
Filesize
180KB

MD5
df77fc41aa2f85ca423919e397084137

SHA1
5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b

SHA256
51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2

SHA512
a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2

Download Submit
C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe
Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\BootstrapperCore.config
Filesize
1KB

MD5
0c79473766c4a706b8acacbeff369bc6

SHA1
f5470d0ec6fd98403fa756d1760ddf0ecb3c5b81

SHA256
c044ee99956b0b7628f29d2c7f8d0aaaf18054156acf910915c86edbb09476aa

SHA512
991a357bcea62be7e926a9768e3cf3d399303b5cc7667bfe71c9487de289efbeaca91d98e18880125daac6b7f73b6d298bbbd2276452f155e82173ac5aac1c02

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\BootstrapperCore.dll
Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\BootstrapperCore.dll
Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVPN.Common.Shared.dll
Filesize
60KB

MD5
5c1c022ec70d55d24bf799f1e71d4575

SHA1
b1367945eb8e896a3f002f3e5ee6c8d1719b5f82

SHA256
09177650cb3caa6378aca696d5fce36f2bbe65f729a12b97aa887e8318507260

SHA512
372f951beb646c154de72c09ebf529f8bf6f70c6c073eb2467e5f9d59352ef102f0cce3b7a3164ab2c020c1f9b1e42aa7ec1095127ff576603dac814b7145070

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVPN.Common.Shared.dll
Filesize
60KB

MD5
5c1c022ec70d55d24bf799f1e71d4575

SHA1
b1367945eb8e896a3f002f3e5ee6c8d1719b5f82

SHA256
09177650cb3caa6378aca696d5fce36f2bbe65f729a12b97aa887e8318507260

SHA512
372f951beb646c154de72c09ebf529f8bf6f70c6c073eb2467e5f9d59352ef102f0cce3b7a3164ab2c020c1f9b1e42aa7ec1095127ff576603dac814b7145070

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVPN.Utils.dll
Filesize
111KB

MD5
76af5689ae5e1f396292b0ac8705e9b5

SHA1
d73ee7dd91892c57281947c8c1e921c622ff043f

SHA256
626c99223195921b3063ea350bd8449633c4f1d98614545d7487cb777f5097f3

SHA512
4616d073202a821c1240d2da43511ac1c6c69bc872b01da0f11747d9eb4f89132890c9877103273e5641b7e963eaa73b3335fd7b8b1f88f5d708892f532d2ad9

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVPN.Utils.dll
Filesize
111KB

MD5
76af5689ae5e1f396292b0ac8705e9b5

SHA1
d73ee7dd91892c57281947c8c1e921c622ff043f

SHA256
626c99223195921b3063ea350bd8449633c4f1d98614545d7487cb777f5097f3

SHA512
4616d073202a821c1240d2da43511ac1c6c69bc872b01da0f11747d9eb4f89132890c9877103273e5641b7e963eaa73b3335fd7b8b1f88f5d708892f532d2ad9

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVpn.Client.Setup.Shared.dll
Filesize
18KB

MD5
79335077a88f53da50c2d448ef4a6df0

SHA1
927d2fc8a3fa36aafa8c9ca6a96ec79607511e37

SHA256
28db0799ee4a3b7efc080de83bec170f0c35b53818e06e7da1b31fb10327920b

SHA512
992a1c0e47e56051f4b6f4d130b3528143657dcbd9104b58b66e0fd7a573c9e832c2a60d27034e5511aae793313a1ac178afabf9c1a77ed2dfb29fb55ac7f829

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVpn.Client.Setup.Shared.dll
Filesize
18KB

MD5
79335077a88f53da50c2d448ef4a6df0

SHA1
927d2fc8a3fa36aafa8c9ca6a96ec79607511e37

SHA256
28db0799ee4a3b7efc080de83bec170f0c35b53818e06e7da1b31fb10327920b

SHA512
992a1c0e47e56051f4b6f4d130b3528143657dcbd9104b58b66e0fd7a573c9e832c2a60d27034e5511aae793313a1ac178afabf9c1a77ed2dfb29fb55ac7f829

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVpn.Common.Logging.dll
Filesize
79KB

MD5
85808933176b57cd4c9dc7f506071dd8

SHA1
7c8184c7da881ff84bf71f2587353ade0aa3f2b1

SHA256
8fb910654c881b51c4c5a0ddf55302a1e98ce9ab5dc5164726b4b848fc70db8f

SHA512
13f41d43de8a1eec53720f9c9da3bf223a4142fb3d53f8cfedded550f616bd44770f123f722476fd7fc70cb39e99e4222c84ea1de22af755f31cad7333350701

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVpn.Common.Logging.dll
Filesize
79KB

MD5
85808933176b57cd4c9dc7f506071dd8

SHA1
7c8184c7da881ff84bf71f2587353ade0aa3f2b1

SHA256
8fb910654c881b51c4c5a0ddf55302a1e98ce9ab5dc5164726b4b848fc70db8f

SHA512
13f41d43de8a1eec53720f9c9da3bf223a4142fb3d53f8cfedded550f616bd44770f123f722476fd7fc70cb39e99e4222c84ea1de22af755f31cad7333350701

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
Filesize
21KB

MD5
48efe61d6ca3054309907b532d576d2a

SHA1
f36403aabb16540c93fb35245ec0b4e435628aae

SHA256
295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78

SHA512
778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
Filesize
21KB

MD5
48efe61d6ca3054309907b532d576d2a

SHA1
f36403aabb16540c93fb35245ec0b4e435628aae

SHA256
295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78

SHA512
778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
Filesize
46KB

MD5
405bf969e7e50ef47422e54fa33605c8

SHA1
4f3c5c8803212719ee74c60813b9ae08604684b3

SHA256
95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1

SHA512
d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
Filesize
46KB

MD5
405bf969e7e50ef47422e54fa33605c8

SHA1
4f3c5c8803212719ee74c60813b9ae08604684b3

SHA256
95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1

SHA512
d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.DependencyInjection.dll
Filesize
82KB

MD5
f2a9c263e730b94057d26d8e6562e342

SHA1
e36e4c8100585db5c7dbd07ff66f4adad8ccd37f

SHA256
d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c

SHA512
976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.DependencyInjection.dll
Filesize
82KB

MD5
f2a9c263e730b94057d26d8e6562e342

SHA1
e36e4c8100585db5c7dbd07ff66f4adad8ccd37f

SHA256
d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c

SHA512
976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
Filesize
51KB

MD5
1237591a98cea80b03eaa68dbbcb2176

SHA1
5761dfe8070d1e273c20bf6ce50eb46a8780e065

SHA256
ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1

SHA512
1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
Filesize
51KB

MD5
1237591a98cea80b03eaa68dbbcb2176

SHA1
5761dfe8070d1e273c20bf6ce50eb46a8780e065

SHA256
ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1

SHA512
1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Newtonsoft.Json.dll
Filesize
683KB

MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Newtonsoft.Json.dll
Filesize
683KB

MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\System.Threading.Tasks.Extensions.dll
Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\System.Threading.Tasks.Extensions.dll
Filesize
25KB

MD5
e1e9d7d46e5cd9525c5927dc98d9ecc7

SHA1
2242627282f9e07e37b274ea36fac2d3cd9c9110

SHA256
4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6

SHA512
da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\WixSharp Setup.exe
Filesize
1.5MB

MD5
29ef76d3f5d45b200c62f4e2661181db

SHA1
b3d6a4bbeb429b42f2a9fbdb090b1e1ab1d32c43

SHA256
aed2bd63c0eaa5c0e366cbb23cf35de086e37d1a4d748528d2634931d127f53c

SHA512
e0fbcc549ffb0b4adfd989c38513b9f2cd1d0dac7b15dabb661259ba66dea799b4ee5a412ebb7706e8995d51bf86eb50df64366a7599206ebe1e8986ebe8c85b

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\WixSharp Setup.exe
Filesize
1.5MB

MD5
29ef76d3f5d45b200c62f4e2661181db

SHA1
b3d6a4bbeb429b42f2a9fbdb090b1e1ab1d32c43

SHA256
aed2bd63c0eaa5c0e366cbb23cf35de086e37d1a4d748528d2634931d127f53c

SHA512
e0fbcc549ffb0b4adfd989c38513b9f2cd1d0dac7b15dabb661259ba66dea799b4ee5a412ebb7706e8995d51bf86eb50df64366a7599206ebe1e8986ebe8c85b

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\mbahost.dll
Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe
Filesize
10.3MB

MD5
3b2354b92f91a4383b867b594196cd1c

SHA1
43c830cfa6b873b66a323e3747a199365cb18b50

SHA256
2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7

SHA512
7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\MainMsi
Filesize
69.2MB

MD5
6b317a8789f3b27198323d006bf35d5d

SHA1
acc0016e0840199e2c24a9bd76baf92a91c362cc

SHA256
9f37bd05c7c7cdd185e660c0542fdc5d5c8e184817b72f18ef02e154724e03e7

SHA512
26d9ffc44d7f472ca0fd80c75040e9da8d142dc971c489ca1b9d7b8e3c035c59d26501bd23edb40a8dc3a077d9b79f310b4a83ab9960d288df2d14b4d0dedbb0

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\Net6DesktopRuntime64
Filesize
55.1MB

MD5
26d558f92be15a50d59b8261123de56b

SHA1
b5b1819cca753b070181f50411375b80412860a3

SHA256
1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62

SHA512
5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea

Download Submit
C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\VCRedist64
Filesize
24.3MB

MD5
703bd677778f2a1ba1eb4338bac3b868

SHA1
a176f140e942920b777f80de89e16ea57ee32be8

SHA256
2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9

SHA512
a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

Download Submit
memory/1692-300-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-268-0x0000000007010000-0x0000000007030000-memory.dmp

Filesize
128KB

Download
memory/1692-284-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/1692-312-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-313-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-314-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-315-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-316-0x000000007F190000-0x000000007F1A0000-memory.dmp

Filesize
64KB

Download
memory/1692-298-0x000000000A170000-0x000000000A17E000-memory.dmp

Filesize
56KB

Download
memory/1692-297-0x000000000A1B0000-0x000000000A1E8000-memory.dmp

Filesize
224KB

Download
memory/1692-296-0x0000000007C30000-0x0000000007C38000-memory.dmp

Filesize
32KB

Download
memory/1692-280-0x0000000007000000-0x000000000700A000-memory.dmp

Filesize
40KB

Download
memory/1692-293-0x000000007F190000-0x000000007F1A0000-memory.dmp

Filesize
64KB

Download
memory/1692-276-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/1692-272-0x0000000007030000-0x0000000007048000-memory.dmp

Filesize
96KB

Download
memory/1692-308-0x000000000AD50000-0x000000000AD58000-memory.dmp

Filesize
32KB

Download
memory/1692-264-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

Filesize
104KB

Download
memory/1692-263-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

Filesize
80KB

Download
memory/1692-259-0x0000000006F90000-0x0000000006FA8000-memory.dmp

Filesize
96KB

Download
memory/1692-255-0x0000000006DD0000-0x0000000006DE0000-memory.dmp

Filesize
64KB

Download
memory/1692-251-0x0000000006DB0000-0x0000000006DB8000-memory.dmp

Filesize
32KB

Download
memory/1692-292-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-247-0x0000000006E00000-0x0000000006F88000-memory.dmp

Filesize
1.5MB

Download
memory/1692-291-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

Filesize
136KB

Download
memory/1692-243-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-242-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-241-0x0000000006960000-0x0000000006970000-memory.dmp

Filesize
64KB

Download
memory/1692-237-0x0000000004840000-0x0000000004858000-memory.dmp

Filesize
96KB

Download
memory/1692-288-0x0000000007300000-0x00000000073B0000-memory.dmp

Filesize
704KB

Download