Malware Analysis Report

2025-01-18 04:44

Sample ID 230615-ny3tdsgc8s
Target expressvpn_windows_12.43.0.0_release.exe
SHA256 301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7
Tags
revengerat discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7

Threat Level: Known bad

The file expressvpn_windows_12.43.0.0_release.exe was found to be: Known bad.

Malicious Activity Summary

revengerat discovery persistence stealer trojan

RevengeRAT

RevengeRat Executable

Downloads MZ/PE file

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-15 11:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-15 11:49

Reported

2023-06-15 11:52

Platform

win7-20230220-en

Max time kernel

27s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 1184 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"

C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe

"C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Network

N/A

Files

\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-15 11:49

Reported

2023-06-15 11:52

Platform

win10v2004-20230220-en

Max time kernel

106s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc} = "\"C:\\ProgramData\\Package Cache\\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\\ExpressVPN_12.43.0.0.exe\" /burn.runonce" C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57beeb.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57beeb.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{CF4C347D-954E-4543-88D2-EC17F07F466F} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICE2E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC4C7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57befb.msi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe N/A
N/A N/A C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}" C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\PackageCode = "41D6234F5FF418F46B8784B191BEBB15" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc} C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\DisplayName = "ExpressVPN" C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Version = "14.34.31931.0" C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Dependents\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc} C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Dependents C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931" C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Version = "237141179" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Version = "12.43.0.0" C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{CF4C347D-954E-4543-88D2-EC17F07F466F}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\Servicing_Key C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ = "{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}" C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\D743C4FCE4593454882DCE710FF764F6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.34.31931" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\PackageName = "vc_runtimeMinimum_x64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 4928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 4928 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe
PID 1692 wrote to memory of 3280 N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe
PID 1692 wrote to memory of 3280 N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe
PID 1692 wrote to memory of 3280 N/A C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe
PID 3280 wrote to memory of 444 N/A C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
PID 3280 wrote to memory of 444 N/A C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
PID 3280 wrote to memory of 444 N/A C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
PID 444 wrote to memory of 1508 N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe
PID 444 wrote to memory of 1508 N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe
PID 444 wrote to memory of 1508 N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe
PID 1508 wrote to memory of 820 N/A C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe
PID 1508 wrote to memory of 820 N/A C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe
PID 1508 wrote to memory of 820 N/A C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe

Uses Volume Shadow Copy service COM API

ransomware

Note on this signature: it carries the ransomware tag because VSS COM access is how shadow copies get enumerated and deleted before encryption. Read it together with the Processes list below: the detonation also runs C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 (the System Restore checkpoint an MSI install requests) and C:\Windows\system32\vssvc.exe, and no shadow-copy deletion (vssadmin, wmic shadowcopy, or equivalent) appears anywhere in the process list. Confirm which process made the VSS calls before scoring this hit as destructive.

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"

C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe

"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe

"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe" -q -burn.elevated BurnPipe.{DE26A9A6-A62C-4987-AE99-DB55009E3672} {3067A064-040D-4C06-B880-FE038E364924} 1692

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648 /install /quiet /norestart

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{5B957E83-6C60-4C1B-86FF-701A754325B5} {F8910C98-21B7-46B0-B2FA-16E8619C24E1} 1508

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 972
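The WriteProcessMemory table and the Processes list describe one chain. The -burn.clean.room and -burn.elevated BurnPipe.{...} switches are WiX Burn bootstrapper-engine flags: the engine re-launches itself from C:\Windows\Temp\{GUID}\.cr (the "clean room"), then spawns an elevated instance from \.be, and the elevated instance's last argument (1692, 1508) equals the PID of the process that wrote into it according to the table above. The script below is an added example written for this page, not the report's or the sandbox's code; its input rows and command lines are copied from the tables above and embedded inline. It collapses the triplicated rows into a chain with event counts and checks each elevated process's claimed parent against the observed writer PID, which is the consistency test worth running before trusting a sandbox's process tree.

```python
"""Rebuild the parent/child chain from the WriteProcessMemory rows above and
cross-check it against the WiX Burn command lines from the Processes section.
All input below is constructed from the report tables; nothing is fetched."""
import re
from collections import Counter, defaultdict

# (writer pid, target pid, writer image, target image), one tuple per reported row.
# The report lists every pair three times, so the list is tripled to keep the counts honest.
WRITE_ROWS = [
    (4928, 1692,
     r"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe",
     r"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe"),
    (1692, 3280,
     r"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe",
     r"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe"),
    (3280, 444,
     r"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe",
     r"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe"),
    (444, 1508,
     r"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe",
     r"C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe"),
    (1508, 820,
     r"C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe",
     r"C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe"),
] * 3

# (image, command line) for the three Burn engine instances in the Processes section.
CMDLINES = [
    (r"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe",
     r'"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe" '
     r'-burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe" '
     r'-burn.filehandle.attached=540 -burn.filehandle.self=548'),
    (r"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe",
     r'"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe" -q -burn.elevated '
     r'BurnPipe.{DE26A9A6-A62C-4987-AE99-DB55009E3672} {3067A064-040D-4C06-B880-FE038E364924} 1692'),
    (r"C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe",
     r'"C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe" -q -burn.elevated '
     r'BurnPipe.{5B957E83-6C60-4C1B-86FF-701A754325B5} {F8910C98-21B7-46B0-B2FA-16E8619C24E1} 1508'),
]

_CLEAN_ROOM = re.compile(r'-burn\.clean\.room="([^"]+)"')
_ELEVATED = re.compile(r"-burn\.elevated\s+(\S+)\s+(\S+)\s+(\d+)")


def parse_burn_args(cmdline):
    """Classify a Burn command line. For -burn.elevated the trailing number is read as
    the PID of the process that requested elevation; that reading is an interpretation
    and is verified against the WriteProcessMemory rows in check_elevation_parents()."""
    m = _ELEVATED.search(cmdline)
    if m:
        return {"mode": "elevated", "pipe": m.group(1), "parent_pid": int(m.group(3))}
    m = _CLEAN_ROOM.search(cmdline)
    if m:
        return {"mode": "clean_room", "source": m.group(1), "parent_pid": None}
    return {"mode": "plain", "parent_pid": None}


def write_counts(rows):
    """Number of events per (writer, target) pair; collapses the triplicated rows."""
    return Counter((w, t) for w, t, _, _ in rows)


def process_chain(rows, root):
    """Follow writer -> target edges from root. This report is a straight line; the
    visited set guards against cycles and the lowest child PID is followed on a fork."""
    children = defaultdict(set)
    for w, t, _, _ in rows:
        children[w].add(t)
    chain, seen, pid = [], set(), root
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        nxt = sorted(children.get(pid, ()))
        pid = nxt[0] if nxt else None
    return chain


def image_to_pid(rows):
    """Map each image path to the first PID the rows associate with it."""
    pid_of = {}
    for w, t, wimg, timg in rows:
        pid_of.setdefault(wimg, w)
        pid_of.setdefault(timg, t)
    return pid_of


def check_elevation_parents(rows, cmdlines):
    """For every -burn.elevated instance, compare the parent PID on its command line
    with the PID that actually wrote into it. Returns (image, claimed, observed, ok)."""
    pid_of = image_to_pid(rows)
    writer_of = {t: w for w, t, _, _ in rows}
    results = []
    for image, cmd in cmdlines:
        args = parse_burn_args(cmd)
        if args["mode"] != "elevated":
            continue
        observed = writer_of.get(pid_of.get(image))
        results.append((image, args["parent_pid"], observed, args["parent_pid"] == observed))
    return results


if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, process_chain(WRITE_ROWS, 4928))))
    for (w, t), n in sorted(write_counts(WRITE_ROWS).items()):
        print(f"{w} wrote to {t}: {n} events")
    for image, claimed, observed, ok in check_elevation_parents(WRITE_ROWS, CMDLINES):
        print(f"{'OK ' if ok else 'BAD'} {image}: claims parent {claimed}, writer was {observed}")
```

A mismatch between the claimed parent and the observed writer would mean a process was started by something the WriteProcessMemory table does not show; on this report both elevated instances agree with the table, and the whole chain is 4928 -> 1692 -> 3280 -> 444 -> 1508 -> 820, with WerFault.exe attaching to 1508 afterwards.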

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 58.250.217.23.in-addr.arpa udp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
US 93.184.215.201:443 download.visualstudio.microsoft.com tcp
NL 13.69.109.130:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 201.215.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
NL 8.238.22.254:80 tcp
NL 8.238.22.254:80 tcp
NL 8.238.22.254:80 tcp
NL 173.223.113.164:443 tcp

The *.in-addr.arpa rows are reverse (PTR) lookups for peer addresses and resolve no additional infrastructure; the only forward name resolved in this run is download.visualstudio.microsoft.com, followed by the TLS session to 93.184.215.201:443. The remaining TCP rows carry no domain in the report and should be attributed from the packet capture, not from this table.

Files

C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\mbahost.dll

MD5 c59832217903ce88793a6c40888e3cae
SHA1 6d9facabf41dcf53281897764d467696780623b8
SHA256 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA512 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

memory/1692-237-0x0000000004840000-0x0000000004858000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\BootstrapperCore.config

MD5 0c79473766c4a706b8acacbeff369bc6
SHA1 f5470d0ec6fd98403fa756d1760ddf0ecb3c5b81
SHA256 c044ee99956b0b7628f29d2c7f8d0aaaf18054156acf910915c86edbb09476aa
SHA512 991a357bcea62be7e926a9768e3cf3d399303b5cc7667bfe71c9487de289efbeaca91d98e18880125daac6b7f73b6d298bbbd2276452f155e82173ac5aac1c02

memory/1692-241-0x0000000006960000-0x0000000006970000-memory.dmp

memory/1692-242-0x0000000006960000-0x0000000006970000-memory.dmp

memory/1692-243-0x0000000006960000-0x0000000006970000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\WixSharp Setup.exe

MD5 29ef76d3f5d45b200c62f4e2661181db
SHA1 b3d6a4bbeb429b42f2a9fbdb090b1e1ab1d32c43
SHA256 aed2bd63c0eaa5c0e366cbb23cf35de086e37d1a4d748528d2634931d127f53c
SHA512 e0fbcc549ffb0b4adfd989c38513b9f2cd1d0dac7b15dabb661259ba66dea799b4ee5a412ebb7706e8995d51bf86eb50df64366a7599206ebe1e8986ebe8c85b

memory/1692-247-0x0000000006E00000-0x0000000006F88000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 79335077a88f53da50c2d448ef4a6df0
SHA1 927d2fc8a3fa36aafa8c9ca6a96ec79607511e37
SHA256 28db0799ee4a3b7efc080de83bec170f0c35b53818e06e7da1b31fb10327920b
SHA512 992a1c0e47e56051f4b6f4d130b3528143657dcbd9104b58b66e0fd7a573c9e832c2a60d27034e5511aae793313a1ac178afabf9c1a77ed2dfb29fb55ac7f829

memory/1692-251-0x0000000006DB0000-0x0000000006DB8000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

memory/1692-255-0x0000000006DD0000-0x0000000006DE0000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVpn.Common.Logging.dll

MD5 85808933176b57cd4c9dc7f506071dd8
SHA1 7c8184c7da881ff84bf71f2587353ade0aa3f2b1
SHA256 8fb910654c881b51c4c5a0ddf55302a1e98ce9ab5dc5164726b4b848fc70db8f
SHA512 13f41d43de8a1eec53720f9c9da3bf223a4142fb3d53f8cfedded550f616bd44770f123f722476fd7fc70cb39e99e4222c84ea1de22af755f31cad7333350701

memory/1692-259-0x0000000006F90000-0x0000000006FA8000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVPN.Common.Shared.dll

MD5 5c1c022ec70d55d24bf799f1e71d4575
SHA1 b1367945eb8e896a3f002f3e5ee6c8d1719b5f82
SHA256 09177650cb3caa6378aca696d5fce36f2bbe65f729a12b97aa887e8318507260
SHA512 372f951beb646c154de72c09ebf529f8bf6f70c6c073eb2467e5f9d59352ef102f0cce3b7a3164ab2c020c1f9b1e42aa7ec1095127ff576603dac814b7145070

memory/1692-263-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

memory/1692-264-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\ExpressVPN.Utils.dll

MD5 76af5689ae5e1f396292b0ac8705e9b5
SHA1 d73ee7dd91892c57281947c8c1e921c622ff043f
SHA256 626c99223195921b3063ea350bd8449633c4f1d98614545d7487cb777f5097f3
SHA512 4616d073202a821c1240d2da43511ac1c6c69bc872b01da0f11747d9eb4f89132890c9877103273e5641b7e963eaa73b3335fd7b8b1f88f5d708892f532d2ad9

memory/1692-268-0x0000000007010000-0x0000000007030000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

memory/1692-272-0x0000000007030000-0x0000000007048000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

memory/1692-276-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

memory/1692-280-0x0000000007000000-0x000000000700A000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

memory/1692-284-0x0000000007170000-0x0000000007180000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.ba\Newtonsoft.Json.dll

MD5 6815034209687816d8cf401877ec8133
SHA1 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA256 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA512 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

memory/1692-288-0x0000000007300000-0x00000000073B0000-memory.dmp

memory/1692-291-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

memory/1692-292-0x0000000006960000-0x0000000006970000-memory.dmp

memory/1692-293-0x000000007F190000-0x000000007F1A0000-memory.dmp

memory/1692-296-0x0000000007C30000-0x0000000007C38000-memory.dmp

memory/1692-297-0x000000000A1B0000-0x000000000A1E8000-memory.dmp

memory/1692-298-0x000000000A170000-0x000000000A17E000-memory.dmp

memory/1692-300-0x0000000006960000-0x0000000006970000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

memory/1692-308-0x000000000AD50000-0x000000000AD58000-memory.dmp

memory/1692-312-0x0000000006960000-0x0000000006970000-memory.dmp

memory/1692-313-0x0000000006960000-0x0000000006970000-memory.dmp

memory/1692-314-0x0000000006960000-0x0000000006970000-memory.dmp

memory/1692-315-0x0000000006960000-0x0000000006970000-memory.dmp

memory/1692-316-0x000000007F190000-0x000000007F1A0000-memory.dmp

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\VCRedist64

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512 a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\Net6DesktopRuntime64

MD5 26d558f92be15a50d59b8261123de56b
SHA1 b5b1819cca753b070181f50411375b80412860a3
SHA256 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA512 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea

C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\MainMsi

MD5 6b317a8789f3b27198323d006bf35d5d
SHA1 acc0016e0840199e2c24a9bd76baf92a91c362cc
SHA256 9f37bd05c7c7cdd185e660c0542fdc5d5c8e184817b72f18ef02e154724e03e7
SHA512 26d9ffc44d7f472ca0fd80c75040e9da8d142dc971c489ca1b9d7b8e3c035c59d26501bd23edb40a8dc3a077d9b79f310b4a83ab9960d288df2d14b4d0dedbb0

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512 a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe

MD5 848da6b57cb8acc151a8d64d15ba383d
SHA1 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512 ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe

MD5 848da6b57cb8acc151a8d64d15ba383d
SHA1 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512 ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ExpressVPN_12.43.0.0.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\state.rsm

MD5 96c1b1d840080e6f8bcc4e94c0542172
SHA1 3c5dba26dcffcb8c8d51792ae0273c6c96a5505a
SHA256 af8dcb1b7f2e30dd0fd3c233fb6092d7db5936db28d920f8a6e880d3d9d98b73
SHA512 1ccfec3ed6cb03c61902da64d11b02fbc6abddd425fa99aa575b328fee36d504cdc070fc5cb66be137cbe63629f88158bff9de10609afacb2509e12153899a17

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\vcRuntimeMinimum_x64

MD5 df77fc41aa2f85ca423919e397084137
SHA1 5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b
SHA256 51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2
SHA512 a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\cab5046A8AB272BF37297BB7928664C9503

MD5 45c9c674c0ba87f57168d6ab852e9641
SHA1 73ace24362f14dc58d4099dae6e4e62902e9e950
SHA256 d14f231d1ab0d928e309b067622b5389e0dc6c4f0d3671632066f6586c442c76
SHA512 5bb06ca9c966c9edd30944523a84efd3c13b8eb9f6a5c6cfd961a0c82a1cb193e7b58baf888dede7b740ed42ce76ab20c3e41a684c4dd9d818ff8b0d9e52e684

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\vcRuntimeAdditional_x64

MD5 c214a9e931bbdd960bb48ac1a2b91945
SHA1 a640c55dd522e01d0be4307a5eee9a40f779a6cc
SHA256 1dbd3e4e71c6678e640c289c1c64bbb12c70f65f52b27191680a9e4141d64b11
SHA512 d25fef3bdd3cd18035892618602e27621e9fb3a913e7972ec7bb624d593ae4b766e718fd2e2c7342c589e9a97beb03d2fedef22e824c6b539b83f199cb967933

C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

MD5 62bc0f466e65d9219281cf75c8f91380
SHA1 0826a1591b81acf0fe30d58e19b0a87df2a49a3e
SHA256 534dd81be6b7a23a745c36eda87e6387c5d146c3a96c84793d0edc7eb85b40f3
SHA512 17713f4228c0c2793c622bbb0a90bd5688d98a6576a695cb956fa233238c4c6e5b0cb43510be4f072613ad575d0b44e7c847f48b785a161cc337a9e6fdca3bb5

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230615115048_000_vcRuntimeMinimum_x64.log

MD5 288eda972f93dcc8191d91d44e6b7570
SHA1 17948cf08c4c0adfcab49ff59f64b28895d69e11
SHA256 3e3ac0e1afa997f15bc6c12a9b9228198e85021f39485c503852db6aa3aa95ce
SHA512 d67bb8927aabafb823e835cb073f392f5958fda0a83ae58092446ceafb4579989853ed83394a516e438011698bcbb6732f01f1bc61286cd9a8e858694455e53c

C:\Windows\Installer\e57befb.msi

MD5 df77fc41aa2f85ca423919e397084137
SHA1 5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b
SHA256 51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2
SHA512 a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2

C:\Config.Msi\e57beee.rbs

MD5 ed445073408ab738cd92adb494a7f9a9
SHA1 64ab9490bf2dbfc6f2b53198429f9a1b06848dbd
SHA256 1cd6e986ee656228c8f81c78e1ba19db933a94f49a708aebd799010cfe467295
SHA512 6d42f79dbdbffc6cadfc8c2e3364661a77be9a7fea646d70ec22d243379f427a7454df4983a44e879f844f1422d846540aa10d686c6ee7791965964dd63aad11

C:\Config.Msi\e57befa.rbs

MD5 0b78e07263037ca38444789b3d1ffbc3
SHA1 124d00daf196701e9c6bba3a85166cb017641c79
SHA256 b68e4c9f4037624466eb6792692cd82e20497755848f4be32407398de03f96e4
SHA512 f9e6f7668f64f09d447d36280e99521ddbf655c6d5c708033ca9b8ecd593a5f11f44014bcf3abe806ce881fea0477171ca88817ec671876dd30036e4daadcc25
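The Files section lists the same content under several paths: the .cr and .be copies of ExpressVPN_12.43.0.0.exe and the Package Cache copy share one SHA-256, the VCRedist64 container payload matches the cached VC_redist.x64.exe, the two clean-room VC_redist copies share a different hash from that cached bundle, and vcRuntimeMinimum_x64 is the same bytes as C:\Windows\Installer\e57befb.msi. The script below is an added example for this page (not the report's or the sandbox's code) whose file entries and hashes are copied from the section above and embedded inline. It groups entries by SHA-256 so the drop list reads as distinct payloads rather than events, separates what survives in C:\ProgramData\Package Cache and C:\Windows\Installer from what lives under the temp directories, and verifies that the hash-named Package Cache folder (A176F140E942920B777F80DE89E16EA57EE32BE8) really is the SHA-1 of the file inside it, a check that fails when a cached package has been swapped after the bundle recorded it.

```python
"""Group the Files section by content hash, split persistent drops from temp-only
ones, and verify hash-named Package Cache folders. Entries are constructed from the
report above; hashes are copied as reported and nothing is read from disk."""
import re
from collections import defaultdict

BUNDLE_SHA1 = "43c830cfa6b873b66a323e3747a199365cb18b50"
BUNDLE_SHA256 = "2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7"
VCR_SHA1 = "a176f140e942920b777f80de89e16ea57ee32be8"
VCR_SHA256 = "2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9"
VCR_CR_SHA1 = "8f4d4a1afa9fd985c67642213b3e7ccf415591da"
VCR_CR_SHA256 = "5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12"
MSI_SHA1 = "5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b"
MSI_SHA256 = "51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2"

# (path, sha1, sha256); the first path is listed twice, as the report lists it twice.
FILES = [
    (r"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe", BUNDLE_SHA1, BUNDLE_SHA256),
    (r"C:\Windows\Temp\{B63658D7-D33A-4AF0-B100-E80749CA193D}\.cr\expressvpn_windows_12.43.0.0_release.exe", BUNDLE_SHA1, BUNDLE_SHA256),
    (r"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\.be\ExpressVPN_12.43.0.0.exe", BUNDLE_SHA1, BUNDLE_SHA256),
    (r"C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ExpressVPN_12.43.0.0.exe", BUNDLE_SHA1, BUNDLE_SHA256),
    (r"C:\Windows\Temp\{E63B1028-0B1A-47FA-A809-A47C252BFD71}\VCRedist64", VCR_SHA1, VCR_SHA256),
    (r"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe", VCR_SHA1, VCR_SHA256),
    (r"C:\Windows\Temp\{AE0483B1-7AA0-42D3-8265-2F9267906535}\.cr\VC_redist.x64.exe", VCR_CR_SHA1, VCR_CR_SHA256),
    (r"C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\.be\VC_redist.x64.exe", VCR_CR_SHA1, VCR_CR_SHA256),
    (r"C:\Windows\Temp\{7BB7F08E-034E-4763-9668-A077EBAC4CDE}\vcRuntimeMinimum_x64", MSI_SHA1, MSI_SHA256),
    (r"C:\Windows\Installer\e57befb.msi", MSI_SHA1, MSI_SHA256),
]

# Locations that do not survive the install; everything else is a persistent drop.
TRANSIENT_PREFIX = "c:\\windows\\temp\\"
TRANSIENT_INFIX = "\\appdata\\local\\temp\\"
_CACHE_DIR = re.compile(r"\\Package Cache\\([0-9A-Fa-f]{40})\\")


def group_by_sha256(files):
    """Distinct payloads -> sorted list of the paths they were written to."""
    groups = defaultdict(set)
    for path, _, sha256 in files:
        groups[sha256].add(path)
    return {h: sorted(paths) for h, paths in groups.items()}


def is_transient(path):
    p = path.lower()
    return p.startswith(TRANSIENT_PREFIX) or TRANSIENT_INFIX in p


def persisted_paths(files):
    """Unique paths outside the temp directories: the drops worth hunting for on other hosts."""
    return sorted({path for path, _, _ in files if not is_transient(path)})


def check_package_cache_names(files):
    """Package Cache folders named by a 40-hex-digit hash must equal the SHA-1 of the
    file stored in them, as the A176F140... folder does on this page. Returns (path, ok)."""
    results = []
    for path, sha1, _ in files:
        m = _CACHE_DIR.search(path)
        if m:
            results.append((path, m.group(1).lower() == sha1.lower()))
    return results


if __name__ == "__main__":
    for sha256, paths in group_by_sha256(FILES).items():
        print(sha256[:16], "->", len(paths), "path(s)")
        for p in paths:
            print("    ", "persist" if not is_transient(p) else "temp   ", p)
    for path, ok in check_package_cache_names(FILES):
        print("cache folder", "matches" if ok else "DOES NOT MATCH", "SHA-1:", path)
```

Feed it the full section (the DLLs under \.ba, the .rbs rollback scripts, the logs) and the persisted list is what an endpoint sweep should look for; the temp-only entries are gone by the time a responder arrives and matter mainly for matching the hashes.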