Malware Analysis Report

2025-01-18 04:45

Sample ID: 230625-xhvyaaed73
Target: expressvpn_windows_12.51.0.4_release.exe
SHA256: 2ec6df9a41e10daed0543128f9dcc897017828c12d4e78f0c4ad2f2b37aaaff0
Tags: revengerat discovery persistence stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2ec6df9a41e10daed0543128f9dcc897017828c12d4e78f0c4ad2f2b37aaaff0

Threat Level: Known bad

The file expressvpn_windows_12.51.0.4_release.exe was found to be: Known bad.

Malicious Activity Summary

revengerat discovery persistence stealer trojan

RevengeRAT

RevengeRat Executable

Downloads MZ/PE file

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Program crash

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-06-25 18:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-25 18:51
Reported: 2023-06-25 18:55
Platform: win7-20230621-en
Max time kernel: 27s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe"

C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe

"C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Network

N/A

Files

\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe

MD5 cd663dec310c64e1e17ddfd520a572e9
SHA1 c759095b8f0e2826ce099c7f1eff9ea2745b41fb
SHA256 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe
SHA512 b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe

MD5 cd663dec310c64e1e17ddfd520a572e9
SHA1 c759095b8f0e2826ce099c7f1eff9ea2745b41fb
SHA256 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe
SHA512 b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

Analysis: behavioral2

Detonation Overview

Submitted: 2023-06-25 18:51
Reported: 2023-06-25 18:55
Platform: win10v2004-20230621-en
Max time kernel: 95s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{6c4bfa07-2536-464d-b059-57b12b4da8f3} = "\"C:\\ProgramData\\Package Cache\\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\\ExpressVPN_12.51.0.4.exe\" /burn.runonce" C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe N/A

Checks installed software on the system

discovery

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe N/A
N/A N/A C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Version = "14.34.31931.0" C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3} C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3} C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\ = "{6c4bfa07-2536-464d-b059-57b12b4da8f3}" C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Version = "12.51.0.4" C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents\{6c4bfa07-2536-464d-b059-57b12b4da8f3} C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\DisplayName = "ExpressVPN" C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}" C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931" C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents\{6c4bfa07-2536-464d-b059-57b12b4da8f3} C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe
PID 4684 wrote to memory of 3308 N/A C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe
PID 3308 wrote to memory of 4072 N/A C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
PID 4072 wrote to memory of 1168 N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe
PID 1168 wrote to memory of 3392 N/A C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe"

C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe

"C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe

"C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe" -q -burn.elevated BurnPipe.{92D04CFD-21EB-4678-AE33-C13678637952} {7AEF06EA-E85F-4F17-9EF8-3A05060DFAC1} 4684

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart

C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DD4C6FF8-3D17-4C3C-8C70-A8BBEF05B7F3} {755EDC31-D866-4010-99F8-3EA5065C4551} 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1204

Network

Country Destination Domain Proto
IE 40.126.31.73:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 58.250.217.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
US 93.184.215.201:443 download.visualstudio.microsoft.com tcp
US 8.8.8.8:53 201.215.184.93.in-addr.arpa udp
US 20.42.65.89:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp

Files

C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe

MD5 cd663dec310c64e1e17ddfd520a572e9
SHA1 c759095b8f0e2826ce099c7f1eff9ea2745b41fb
SHA256 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe
SHA512 b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\mbahost.dll

MD5 c59832217903ce88793a6c40888e3cae
SHA1 6d9facabf41dcf53281897764d467696780623b8
SHA256 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA512 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

memory/4684-257-0x0000000005BE0000-0x0000000005BF8000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\BootstrapperCore.config

MD5 a591cca57a0534087061bb7509208f80
SHA1 b16c4f3651308cbb6a01efc16ee376f6ef5068e0
SHA256 d1f7224eae4295cb89e21d4aaf6aff5f8cfe912090350d8c7a25c3022ee9f75a
SHA512 e416b4cb1b860c99dc5121dcf81bf38b8973d262e810f447ad5dcba33a6e2d485c62a675fc29e259a943174cf7a91d96a74af40787bb2db3336eefb2d41d94ae

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\WixSharp Setup.exe

MD5 8212b3c933fc1b2a5d871617bc76c38c
SHA1 b70b50677c83eb8857e5edc737358e435d6aee7e
SHA256 a6673ea49b7e7cbe719af07699c1870ed05508c248855987428808535159aabe
SHA512 372f3858563da3181632300bd2eb27a3fc87fc1060f9c84b3f8d34fdde9f02d47376d57e6da1bf148fcfabdef855d985f027852b9cabe53049180c268b77840d

memory/4684-264-0x00000000061A0000-0x000000000632A000-memory.dmp

memory/4684-265-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-266-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-267-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVpn.Client.Setup.Shared.dll

MD5 626fc98337eeee9f6e7a144216816a81
SHA1 b2119b320155a65cc245298a29e6ce5e9cd35327
SHA256 de7549bc6ba7e93ad1a4b97bffb159523903da83c5f6740d23b915880cf04e73
SHA512 5d91038eb3aed85907124e4020c7288666325c2961a715dcf8810f38cf171ba07f6b9a4b61c4ebee2fb09c8480a617b2a1b2def791521bedbb41e59e9cdc82e3

memory/4684-271-0x0000000005CB0000-0x0000000005CB8000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

memory/4684-275-0x0000000006160000-0x0000000006170000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVpn.Common.Logging.dll

MD5 f2eaadbac858e2c1dbde9cc4c888fd7f
SHA1 c42ced517df717bf24071b76c4053f9a7f90d735
SHA256 0332a764c939200c3e33b22f9f4b19e89e97f8b1481e5a74920f49b0229e58e4
SHA512 4c7900f4ef1a4329e26ce7b3fb7d74edfae4b46cc29b39f7cfc2643fd92a76eab3e7326ee60c3174a30811f4136701048334673bc667e42f42e516643a9f309a

memory/4684-279-0x0000000006330000-0x0000000006348000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVPN.Common.Shared.dll

MD5 b338364a52caaf764be051ddd2c38d57
SHA1 34c3a95d8f1f370c0ac6a06549f7c4d899b34a79
SHA256 fd7aa965ed8d658aebd425f32c12aef4144b5d8e2cc26e5e207a5957b84f68b7
SHA512 34171ccbdbbef54e8e92052198c3497b3daabf5fc0184a829f49e777ec915f40741930422935c4f7972e79774d340cbab1d53787e7927a612259598bbcbd4786

memory/4684-283-0x0000000006350000-0x000000000636C000-memory.dmp

memory/4684-284-0x0000000006370000-0x000000000638A000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVPN.Utils.dll

MD5 f8b378728c2296b993fddf58fe8daf06
SHA1 59ac902ae292a5992ab087a65f00cdd86ffd7db8
SHA256 119f78909ec6e69bbc385ea22673adcd9f14a64f1dfbcdb327418931d5e5b91e
SHA512 99fd44a9c82387aca59a9fa14a8ffeaa1b5e7cf49bee04ce6bdb21fb14e06754e22c593af293b38f416ac9a4ff501cb6f5bb65bce1c8cc2ed59a23fe5df07bab

memory/4684-288-0x0000000006390000-0x00000000063B0000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

memory/4684-292-0x00000000064B0000-0x00000000064C8000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

memory/4684-296-0x0000000006190000-0x000000000619A000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

memory/4684-300-0x00000000064D0000-0x00000000064DA000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

memory/4684-304-0x0000000006500000-0x0000000006510000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Newtonsoft.Json.dll

MD5 715a1fbee4665e99e859eda667fe8034
SHA1 e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256 c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512 bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

memory/4684-308-0x0000000006690000-0x0000000006742000-memory.dmp

memory/4684-311-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-312-0x000000007F4E0000-0x000000007F4F0000-memory.dmp

memory/4684-313-0x0000000006070000-0x0000000006092000-memory.dmp

memory/4684-316-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-317-0x0000000007010000-0x0000000007018000-memory.dmp

memory/4684-318-0x0000000009680000-0x00000000096B8000-memory.dmp

memory/4684-319-0x0000000009640000-0x000000000964E000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe

MD5 cd663dec310c64e1e17ddfd520a572e9
SHA1 c759095b8f0e2826ce099c7f1eff9ea2745b41fb
SHA256 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe
SHA512 b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

memory/4684-323-0x0000000009800000-0x0000000009808000-memory.dmp

memory/4684-332-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-333-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-334-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-335-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

memory/4684-336-0x000000007F4E0000-0x000000007F4F0000-memory.dmp

memory/4684-337-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\VCRedist64

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512 a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\Net6DesktopRuntime64

MD5 26d558f92be15a50d59b8261123de56b
SHA1 b5b1819cca753b070181f50411375b80412860a3
SHA256 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA512 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\MainMsi

MD5 55d55b40a85e0861b2a67553c3944af5
SHA1 9fb667c840313a2a1a402fc3a6f279a962b6162e
SHA256 f55b4e7eda7d48b81d30ebe159091dd1668cb53f7ce95938a0971bf1fca233b9
SHA512 8bc81e34b0670416e66d4eee786e545300c6443741f00781481b62c3536892d1ea7451d4946ef358e603b7bf110ecc3927bdd0debaf990aeb49b012da731cf07

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512 a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe

MD5 848da6b57cb8acc151a8d64d15ba383d
SHA1 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512 ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe

MD5 848da6b57cb8acc151a8d64d15ba383d
SHA1 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512 ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

C:\ProgramData\Package Cache\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\ExpressVPN_12.51.0.4.exe

MD5 cd663dec310c64e1e17ddfd520a572e9
SHA1 c759095b8f0e2826ce099c7f1eff9ea2745b41fb
SHA256 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe
SHA512 b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3

C:\ProgramData\Package Cache\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\state.rsm

MD5 f6d183b122af2c7d7cbddc2d32d9b14b
SHA1 21de65cf2c1bf31b94cdb1c045e6b53546635774
SHA256 8064474c175f9e46b53089209b05c7f159ea0b094a378ffcf38320b8120dbe3a
SHA512 b11ec268069768984d5176f925779a6798a8474eccde6326e0fdd85d39bf7aa03121aaeb3dde9d260b4fe3e4837b9d438348f87ed2f015da08d8b5be6a1d19dd

C:\Users\Admin\AppData\Local\Temp\DELCA07.tmp

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

C:\Users\Admin\AppData\Local\Temp\DELCA19.tmp

MD5 b338364a52caaf764be051ddd2c38d57
SHA1 34c3a95d8f1f370c0ac6a06549f7c4d899b34a79
SHA256 fd7aa965ed8d658aebd425f32c12aef4144b5d8e2cc26e5e207a5957b84f68b7
SHA512 34171ccbdbbef54e8e92052198c3497b3daabf5fc0184a829f49e777ec915f40741930422935c4f7972e79774d340cbab1d53787e7927a612259598bbcbd4786

C:\Users\Admin\AppData\Local\Temp\DELCA2E.tmp

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

C:\Users\Admin\AppData\Local\Temp\DELCA3F.tmp

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

C:\Users\Admin\AppData\Local\Temp\DELCA40.tmp

MD5 8212b3c933fc1b2a5d871617bc76c38c
SHA1 b70b50677c83eb8857e5edc737358e435d6aee7e
SHA256 a6673ea49b7e7cbe719af07699c1870ed05508c248855987428808535159aabe
SHA512 372f3858563da3181632300bd2eb27a3fc87fc1060f9c84b3f8d34fdde9f02d47376d57e6da1bf148fcfabdef855d985f027852b9cabe53049180c268b77840d

C:\Users\Admin\AppData\Local\Temp\DELCA2D.tmp

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

C:\Users\Admin\AppData\Local\Temp\DELCA2C.tmp

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

C:\Users\Admin\AppData\Local\Temp\DELCA2B.tmp

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

C:\Users\Admin\AppData\Local\Temp\DELCA1A.tmp

MD5 f8b378728c2296b993fddf58fe8daf06
SHA1 59ac902ae292a5992ab087a65f00cdd86ffd7db8
SHA256 119f78909ec6e69bbc385ea22673adcd9f14a64f1dfbcdb327418931d5e5b91e
SHA512 99fd44a9c82387aca59a9fa14a8ffeaa1b5e7cf49bee04ce6bdb21fb14e06754e22c593af293b38f416ac9a4ff501cb6f5bb65bce1c8cc2ed59a23fe5df07bab

C:\Users\Admin\AppData\Local\Temp\DELCA18.tmp

MD5 f2eaadbac858e2c1dbde9cc4c888fd7f
SHA1 c42ced517df717bf24071b76c4053f9a7f90d735
SHA256 0332a764c939200c3e33b22f9f4b19e89e97f8b1481e5a74920f49b0229e58e4
SHA512 4c7900f4ef1a4329e26ce7b3fb7d74edfae4b46cc29b39f7cfc2643fd92a76eab3e7326ee60c3174a30811f4136701048334673bc667e42f42e516643a9f309a

C:\Users\Admin\AppData\Local\Temp\DELCA17.tmp

MD5 626fc98337eeee9f6e7a144216816a81
SHA1 b2119b320155a65cc245298a29e6ce5e9cd35327
SHA256 de7549bc6ba7e93ad1a4b97bffb159523903da83c5f6740d23b915880cf04e73
SHA512 5d91038eb3aed85907124e4020c7288666325c2961a715dcf8810f38cf171ba07f6b9a4b61c4ebee2fb09c8480a617b2a1b2def791521bedbb41e59e9cdc82e3
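The listing above has structure that is easy to miss when it is read row by row. Several paths repeat with identical hashes; the DELxxxx.tmp files in the user's Temp carry the same hashes as DLLs extracted under the {GUID}\.ba\ directory (DELCA2B.tmp matches Microsoft.Bcl.AsyncInterfaces.dll, DELCA2E.tmp matches Microsoft.Extensions.Logging.Abstractions.dll, DELCA3F.tmp matches System.Threading.Tasks.Extensions.dll); and the Package Cache directory A176F140E942920B777F80DE89E16EA57EE32BE8 is the SHA1 of the VC_redist.x64.exe stored inside it, which is how the WiX Burn bootstrapper engine names its cache folder for EXE payloads (that naming rule is stated here as background, not something the report itself asserts). The script below is an added example, not part of the sandbox's report or tooling: it parses this file-listing format, collapses repeated rows into one record per SHA256, surfaces content written under more than one name, and checks every Package Cache path against the SHA1 in the listing. Its SAMPLE input is a constructed excerpt of five entries copied from the rows above, with the SHA512 rows left out for brevity; the parser accepts all four hash rows.

```python
"""Index a sandbox 'Files' listing (path, then MD5/SHA1/SHA256/SHA512 rows)
and cross-reference the dropped files by content.

Added example for this report, not part of the sandbox's own tooling.
SAMPLE is a constructed excerpt of entries visible in the report.
"""
import re

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# WiX Burn names the Package Cache folder of an EXE payload after its SHA1.
CACHE_RE = re.compile(r"\\Package Cache\\([0-9A-Fa-f]{40})\\")

SAMPLE = r"""memory/4684-292-0x00000000064B0000-0x00000000064C8000-memory.dmp

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78

C:\Users\Admin\AppData\Local\Temp\DELCA2B.tmp

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78

C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\VCRedist64

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

MD5 703bd677778f2a1ba1eb4338bac3b868
SHA1 a176f140e942920b777f80de89e16ea57ee32be8
SHA256 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
"""


def parse_files_section(text):
    """Return [(path, {algo: hexdigest}), ...] in report order.
    memory/... dump records carry no hashes and are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HEX_LEN[algo]:
                raise ValueError(f"hash row without a file or bad length: {line!r}")
            current[1][algo] = digest
        elif line.startswith("memory/"):
            current = None
        else:
            current = (line, {})
            entries.append(current)
    return entries


def dedupe(entries):
    """Collapse repeated rows: one record per SHA256 with every path seen for it."""
    by_hash = {}
    for path, hashes in entries:
        if "SHA256" not in hashes:
            raise ValueError(f"no SHA256 row for {path}")
        rec = by_hash.setdefault(hashes["SHA256"], {"hashes": hashes, "paths": []})
        if path not in rec["paths"]:
            rec["paths"].append(path)
    return by_hash


def content_aliases(by_hash):
    """SHA256 -> paths for content written under more than one name
    (e.g. a DELxxxx.tmp rename-for-delete copy of an extracted DLL)."""
    return {h: r["paths"] for h, r in by_hash.items() if len(r["paths"]) > 1}


def check_package_cache(by_hash):
    """path -> True if the Package Cache directory name equals the file's SHA1
    from the listing, False if the cache slot holds something else."""
    results = {}
    for rec in by_hash.values():
        for path in rec["paths"]:
            m = CACHE_RE.search(path)
            if m:
                results[path] = m.group(1).lower() == rec["hashes"].get("SHA1")
    return results


if __name__ == "__main__":
    by_hash = dedupe(parse_files_section(SAMPLE))
    print("same content under several names:", content_aliases(by_hash))
    print("Package Cache dir == SHA1 of file:", check_package_cache(by_hash))
```

Run against the full Files section, the alias map is the quickest way to see which Temp artifacts are just renamed copies of already-listed DLLs, and a False from check_package_cache is worth a second look because it means the cached payload is not the one the directory name commits to.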