Malware Analysis Report

2025-01-18 04:46

Sample ID 230615-pz7z6sha4y
Target 07849699.exe
SHA256 301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7
Tags
revengerat discovery persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7

Threat Level: Known bad

The file 07849699.exe was found to be: Known bad.

Malicious Activity Summary

revengerat discovery persistence stealer trojan

RevengeRAT

RevengeRat Executable

Downloads MZ/PE file

Adds Run key to start application

Checks computer location settings

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-15 12:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-15 12:47

Reported

2023-06-15 12:50

Platform

win7-20230220-en

Max time kernel

24s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07849699.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\07849699.exe

"C:\Users\Admin\AppData\Local\Temp\07849699.exe"

C:\Windows\Temp\{694EF36E-6996-4165-A326-4994299B0150}\.cr\07849699.exe

"C:\Windows\Temp\{694EF36E-6996-4165-A326-4994299B0150}\.cr\07849699.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\07849699.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Network

N/A

Files

\Windows\Temp\{694EF36E-6996-4165-A326-4994299B0150}\.cr\07849699.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-15 12:47

Reported

2023-06-15 12:49

Platform

win10v2004-20230220-en

Max time kernel

136s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07849699.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc} = "\"C:\\ProgramData\\Package Cache\\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\\ExpressVPN_12.43.0.0.exe\" /burn.runonce" C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{D19A2907-63FB-4276-8D24-1B84CFF14FB7}\.cr\VC_redist.x64.exe N/A

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe N/A
N/A N/A C:\Windows\Temp\{D19A2907-63FB-4276-8D24-1B84CFF14FB7}\.cr\VC_redist.x64.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Dependents\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc} C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Dependents C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}" C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931" C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc} C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ = "{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}" C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\Version = "12.43.0.0" C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\DisplayName = "ExpressVPN" C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Version = "14.34.31931.0" C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\07849699.exe C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe
PID 3592 wrote to memory of 968 N/A C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe
PID 968 wrote to memory of 2076 N/A C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
PID 2076 wrote to memory of 3372 N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe C:\Windows\Temp\{D19A2907-63FB-4276-8D24-1B84CFF14FB7}\.cr\VC_redist.x64.exe
PID 3372 wrote to memory of 5112 N/A C:\Windows\Temp\{D19A2907-63FB-4276-8D24-1B84CFF14FB7}\.cr\VC_redist.x64.exe C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\07849699.exe

"C:\Users\Admin\AppData\Local\Temp\07849699.exe"

C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe

"C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\07849699.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe

"C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe" -q -burn.elevated BurnPipe.{2113F3C7-99AC-4C15-A68B-FDAD5CBA79C3} {3C5DC3AE-170B-4DAD-ABEB-91074351EBBC} 3592

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{D19A2907-63FB-4276-8D24-1B84CFF14FB7}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{D19A2907-63FB-4276-8D24-1B84CFF14FB7}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart

C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{4DF5BA6E-4C5E-4D30-99EB-866670DF67DB} {41570128-0DE0-4C00-9E61-C12994A57C99} 3372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3372 -ip 3372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 1048

Network


Files

C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

C:\Windows\Temp\{188B2796-5050-4924-BE4C-FA3F843B4D80}\.cr\07849699.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\mbahost.dll

MD5 c59832217903ce88793a6c40888e3cae
SHA1 6d9facabf41dcf53281897764d467696780623b8
SHA256 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA512 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

memory/3592-233-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

memory/3592-238-0x0000000004950000-0x0000000004968000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\BootstrapperCore.config

MD5 0c79473766c4a706b8acacbeff369bc6
SHA1 f5470d0ec6fd98403fa756d1760ddf0ecb3c5b81
SHA256 c044ee99956b0b7628f29d2c7f8d0aaaf18054156acf910915c86edbb09476aa
SHA512 991a357bcea62be7e926a9768e3cf3d399303b5cc7667bfe71c9487de289efbeaca91d98e18880125daac6b7f73b6d298bbbd2276452f155e82173ac5aac1c02

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\WixSharp Setup.exe

MD5 29ef76d3f5d45b200c62f4e2661181db
SHA1 b3d6a4bbeb429b42f2a9fbdb090b1e1ab1d32c43
SHA256 aed2bd63c0eaa5c0e366cbb23cf35de086e37d1a4d748528d2634931d127f53c
SHA512 e0fbcc549ffb0b4adfd989c38513b9f2cd1d0dac7b15dabb661259ba66dea799b4ee5a412ebb7706e8995d51bf86eb50df64366a7599206ebe1e8986ebe8c85b

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\WixSharp Setup.exe

MD5 29ef76d3f5d45b200c62f4e2661181db
SHA1 b3d6a4bbeb429b42f2a9fbdb090b1e1ab1d32c43
SHA256 aed2bd63c0eaa5c0e366cbb23cf35de086e37d1a4d748528d2634931d127f53c
SHA512 e0fbcc549ffb0b4adfd989c38513b9f2cd1d0dac7b15dabb661259ba66dea799b4ee5a412ebb7706e8995d51bf86eb50df64366a7599206ebe1e8986ebe8c85b

memory/3592-245-0x0000000006F40000-0x00000000070C8000-memory.dmp

memory/3592-249-0x00000000049E0000-0x00000000049E8000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 79335077a88f53da50c2d448ef4a6df0
SHA1 927d2fc8a3fa36aafa8c9ca6a96ec79607511e37
SHA256 28db0799ee4a3b7efc080de83bec170f0c35b53818e06e7da1b31fb10327920b
SHA512 992a1c0e47e56051f4b6f4d130b3528143657dcbd9104b58b66e0fd7a573c9e832c2a60d27034e5511aae793313a1ac178afabf9c1a77ed2dfb29fb55ac7f829

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 79335077a88f53da50c2d448ef4a6df0
SHA1 927d2fc8a3fa36aafa8c9ca6a96ec79607511e37
SHA256 28db0799ee4a3b7efc080de83bec170f0c35b53818e06e7da1b31fb10327920b
SHA512 992a1c0e47e56051f4b6f4d130b3528143657dcbd9104b58b66e0fd7a573c9e832c2a60d27034e5511aae793313a1ac178afabf9c1a77ed2dfb29fb55ac7f829

memory/3592-253-0x0000000006B90000-0x0000000006BA0000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVpn.Common.Logging.dll

MD5 85808933176b57cd4c9dc7f506071dd8
SHA1 7c8184c7da881ff84bf71f2587353ade0aa3f2b1
SHA256 8fb910654c881b51c4c5a0ddf55302a1e98ce9ab5dc5164726b4b848fc70db8f
SHA512 13f41d43de8a1eec53720f9c9da3bf223a4142fb3d53f8cfedded550f616bd44770f123f722476fd7fc70cb39e99e4222c84ea1de22af755f31cad7333350701

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVpn.Common.Logging.dll

MD5 85808933176b57cd4c9dc7f506071dd8
SHA1 7c8184c7da881ff84bf71f2587353ade0aa3f2b1
SHA256 8fb910654c881b51c4c5a0ddf55302a1e98ce9ab5dc5164726b4b848fc70db8f
SHA512 13f41d43de8a1eec53720f9c9da3bf223a4142fb3d53f8cfedded550f616bd44770f123f722476fd7fc70cb39e99e4222c84ea1de22af755f31cad7333350701

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

memory/3592-257-0x0000000006F10000-0x0000000006F28000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVPN.Common.Shared.dll

MD5 5c1c022ec70d55d24bf799f1e71d4575
SHA1 b1367945eb8e896a3f002f3e5ee6c8d1719b5f82
SHA256 09177650cb3caa6378aca696d5fce36f2bbe65f729a12b97aa887e8318507260
SHA512 372f951beb646c154de72c09ebf529f8bf6f70c6c073eb2467e5f9d59352ef102f0cce3b7a3164ab2c020c1f9b1e42aa7ec1095127ff576603dac814b7145070

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVPN.Common.Shared.dll

MD5 5c1c022ec70d55d24bf799f1e71d4575
SHA1 b1367945eb8e896a3f002f3e5ee6c8d1719b5f82
SHA256 09177650cb3caa6378aca696d5fce36f2bbe65f729a12b97aa887e8318507260
SHA512 372f951beb646c154de72c09ebf529f8bf6f70c6c073eb2467e5f9d59352ef102f0cce3b7a3164ab2c020c1f9b1e42aa7ec1095127ff576603dac814b7145070

memory/3592-261-0x00000000070D0000-0x00000000070E4000-memory.dmp

memory/3592-262-0x00000000070F0000-0x000000000710A000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVPN.Utils.dll

MD5 76af5689ae5e1f396292b0ac8705e9b5
SHA1 d73ee7dd91892c57281947c8c1e921c622ff043f
SHA256 626c99223195921b3063ea350bd8449633c4f1d98614545d7487cb777f5097f3
SHA512 4616d073202a821c1240d2da43511ac1c6c69bc872b01da0f11747d9eb4f89132890c9877103273e5641b7e963eaa73b3335fd7b8b1f88f5d708892f532d2ad9

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\ExpressVPN.Utils.dll

MD5 76af5689ae5e1f396292b0ac8705e9b5
SHA1 d73ee7dd91892c57281947c8c1e921c622ff043f
SHA256 626c99223195921b3063ea350bd8449633c4f1d98614545d7487cb777f5097f3
SHA512 4616d073202a821c1240d2da43511ac1c6c69bc872b01da0f11747d9eb4f89132890c9877103273e5641b7e963eaa73b3335fd7b8b1f88f5d708892f532d2ad9

memory/3592-266-0x0000000007130000-0x0000000007150000-memory.dmp

memory/3592-267-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

memory/3592-268-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

memory/3592-272-0x0000000007150000-0x0000000007168000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

memory/3592-276-0x0000000006F30000-0x0000000006F3A000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

memory/3592-280-0x0000000007110000-0x000000000711A000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

memory/3592-284-0x0000000007180000-0x0000000007190000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Newtonsoft.Json.dll

MD5 6815034209687816d8cf401877ec8133
SHA1 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA256 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA512 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

memory/3592-288-0x0000000007420000-0x00000000074D0000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.ba\Newtonsoft.Json.dll

MD5 6815034209687816d8cf401877ec8133
SHA1 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
SHA256 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
SHA512 3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

memory/3592-291-0x0000000006E10000-0x0000000006E32000-memory.dmp

memory/3592-292-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

memory/3592-293-0x000000007F250000-0x000000007F260000-memory.dmp

memory/3592-296-0x0000000007EC0000-0x0000000007EC8000-memory.dmp

memory/3592-297-0x000000000A3E0000-0x000000000A418000-memory.dmp

memory/3592-298-0x000000000A3B0000-0x000000000A3BE000-memory.dmp

memory/3592-299-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

memory/3592-303-0x000000000A5D0000-0x000000000A5D8000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\.be\ExpressVPN_12.43.0.0.exe

MD5 3b2354b92f91a4383b867b594196cd1c
SHA1 43c830cfa6b873b66a323e3747a199365cb18b50
SHA256 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
SHA512 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da

memory/3592-312-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

memory/3592-313-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

memory/3592-314-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

memory/3592-315-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

memory/3592-316-0x000000007F250000-0x000000007F260000-memory.dmp

memory/3592-317-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\VCRedist64

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\Net6DesktopRuntime64

C:\Windows\Temp\{2EED49A3-69A5-4485-A841-BBA53BC97FBB}\MainMsi

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

C:\Windows\Temp\{D19A2907-63FB-4276-8D24-1B84CFF14FB7}\.cr\VC_redist.x64.exe

C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.ba\wixstdba.dll

C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.ba\logo.png

C:\Windows\Temp\{272AA470-E9FF-409C-8893-14980940753F}\.be\VC_redist.x64.exe

C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\ExpressVPN_12.43.0.0.exe

C:\ProgramData\Package Cache\{208ef9aa-412e-4b5a-a16e-e98d7b9bf2fc}\state.rsm
