2ec6df9a41e10daed0543128f9dcc897017828c12d4e78f0c4ad2f2b37aaaff0

Analysis

max time kernel
27s
max time network
33s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
25-06-2023 18:51

Target

expressvpn_windows_12.51.0.4_release.exe
Size

62.9MB
MD5

c7a0290ac607dda06b5a83dc29d0dbb3
SHA1

627ef1672e58add4e0863d5fbd5e63b7666df489
SHA256

2ec6df9a41e10daed0543128f9dcc897017828c12d4e78f0c4ad2f2b37aaaff0
SHA512

13c079a3719b686d958f1794712ef236e33933edcaaab778b2938b0b9315527f98e514c8a7e0d3857185a40d249a11cd45fcee98c8c3eeef38b62a723ef1f012
SSDEEP

1572864:eA9T8BsJn5wq9hWLN4V0HjU6o5hykKjtNJJbXoilwyf:eAaB4KMKeVOho5h7K5NfoSf

Score

4^/10

Executes dropped EXE 1 IoCs

Processes:

expressvpn_windows_12.51.0.4_release.exe

pid process

2036 expressvpn_windows_12.51.0.4_release.exe
Loads dropped DLL 1 IoCs

Processes:

expressvpn_windows_12.51.0.4_release.exe

pid process

1792 expressvpn_windows_12.51.0.4_release.exe

pid	process
2036	expressvpn_windows_12.51.0.4_release.exe

pid	process
1792	expressvpn_windows_12.51.0.4_release.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

expressvpn_windows_12.51.0.4_release.exe

description	pid	process	target process
PID 1792 wrote to memory of 2036	1792	expressvpn_windows_12.51.0.4_release.exe	expressvpn_windows_12.51.0.4_release.exe
PID 1792 wrote to memory of 2036	1792	expressvpn_windows_12.51.0.4_release.exe	expressvpn_windows_12.51.0.4_release.exe
PID 1792 wrote to memory of 2036	1792	expressvpn_windows_12.51.0.4_release.exe	expressvpn_windows_12.51.0.4_release.exe
PID 1792 wrote to memory of 2036	1792	expressvpn_windows_12.51.0.4_release.exe	expressvpn_windows_12.51.0.4_release.exe
PID 1792 wrote to memory of 2036	1792	expressvpn_windows_12.51.0.4_release.exe	expressvpn_windows_12.51.0.4_release.exe
PID 1792 wrote to memory of 2036	1792	expressvpn_windows_12.51.0.4_release.exe	expressvpn_windows_12.51.0.4_release.exe
PID 1792 wrote to memory of 2036	1792	expressvpn_windows_12.51.0.4_release.exe	expressvpn_windows_12.51.0.4_release.exe

C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe
"C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe
Filesize
11.0MB

MD5
cd663dec310c64e1e17ddfd520a572e9

SHA1
c759095b8f0e2826ce099c7f1eff9ea2745b41fb

SHA256
6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe

SHA512
b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

Download Submit
C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe
Filesize
11.0MB

MD5
cd663dec310c64e1e17ddfd520a572e9

SHA1
c759095b8f0e2826ce099c7f1eff9ea2745b41fb

SHA256
6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe

SHA512
b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

Download Submit
\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe
Filesize
11.0MB

MD5
cd663dec310c64e1e17ddfd520a572e9

SHA1
c759095b8f0e2826ce099c7f1eff9ea2745b41fb

SHA256
6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe

SHA512
b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

Download Submit