Analysis Overview
SHA256
2ec6df9a41e10daed0543128f9dcc897017828c12d4e78f0c4ad2f2b37aaaff0
Threat Level: Known bad
The file expressvpn_windows_12.51.0.4_release.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Downloads MZ/PE file
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Enumerates physical storage devices
Program crash
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-25 18:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-25 18:51
Reported
2023-06-25 18:55
Platform
win7-20230621-en
Max time kernel
27s
Max time network
33s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe"
C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe
"C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-25 18:51
Reported
2023-06-25 18:55
Platform
win10v2004-20230621-en
Max time kernel
95s
Max time network
143s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{6c4bfa07-2536-464d-b059-57b12b4da8f3} = "\"C:\\ProgramData\\Package Cache\\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\\ExpressVPN_12.51.0.4.exe\" /burn.runonce" | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe | N/A |
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b3688a723d11638b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b3688a720000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff000000000700010000680900b3688a72000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff000000000700010000680919b3688a72000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b3688a7200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Version = "14.34.31931.0" | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3} | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3} | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\ = "{6c4bfa07-2536-464d-b059-57b12b4da8f3}" | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Version = "12.51.0.4" | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents\{6c4bfa07-2536-464d-b059-57b12b4da8f3} | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\DisplayName = "ExpressVPN" | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}" | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931" | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents\{6c4bfa07-2536-464d-b059-57b12b4da8f3} | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents | C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\Dependents | C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe
"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe"
C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe
"C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe
"C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe" -q -burn.elevated BurnPipe.{92D04CFD-21EB-4678-AE33-C13678637952} {7AEF06EA-E85F-4F17-9EF8-3A05060DFAC1} 4684
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart
C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart
C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DD4C6FF8-3D17-4C3C-8C70-A8BBEF05B7F3} {755EDC31-D866-4010-99F8-3EA5065C4551} 1168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 1168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1204
Network
| Country | Destination | Domain | Proto |
| IE | 40.126.31.73:443 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.250.217.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.visualstudio.microsoft.com | udp |
| US | 93.184.215.201:443 | download.visualstudio.microsoft.com | tcp |
| US | 8.8.8.8:53 | 201.215.184.93.in-addr.arpa | udp |
| US | 20.42.65.89:443 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe
| MD5 | cd663dec310c64e1e17ddfd520a572e9 |
| SHA1 | c759095b8f0e2826ce099c7f1eff9ea2745b41fb |
| SHA256 | 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe |
| SHA512 | b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3 |
C:\Windows\Temp\{CB0B5256-1EE0-427F-904E-29183E144292}\.cr\expressvpn_windows_12.51.0.4_release.exe
| MD5 | cd663dec310c64e1e17ddfd520a572e9 |
| SHA1 | c759095b8f0e2826ce099c7f1eff9ea2745b41fb |
| SHA256 | 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe |
| SHA512 | b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\mbahost.dll
| MD5 | c59832217903ce88793a6c40888e3cae |
| SHA1 | 6d9facabf41dcf53281897764d467696780623b8 |
| SHA256 | 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db |
| SHA512 | 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\BootstrapperCore.dll
| MD5 | b0d10a2a622a322788780e7a3cbb85f3 |
| SHA1 | 04d90b16fa7b47a545c1133d5c0ca9e490f54633 |
| SHA256 | f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426 |
| SHA512 | 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\BootstrapperCore.dll
| MD5 | b0d10a2a622a322788780e7a3cbb85f3 |
| SHA1 | 04d90b16fa7b47a545c1133d5c0ca9e490f54633 |
| SHA256 | f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426 |
| SHA512 | 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f |
memory/4684-257-0x0000000005BE0000-0x0000000005BF8000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\BootstrapperCore.config
| MD5 | a591cca57a0534087061bb7509208f80 |
| SHA1 | b16c4f3651308cbb6a01efc16ee376f6ef5068e0 |
| SHA256 | d1f7224eae4295cb89e21d4aaf6aff5f8cfe912090350d8c7a25c3022ee9f75a |
| SHA512 | e416b4cb1b860c99dc5121dcf81bf38b8973d262e810f447ad5dcba33a6e2d485c62a675fc29e259a943174cf7a91d96a74af40787bb2db3336eefb2d41d94ae |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\WixSharp Setup.exe
| MD5 | 8212b3c933fc1b2a5d871617bc76c38c |
| SHA1 | b70b50677c83eb8857e5edc737358e435d6aee7e |
| SHA256 | a6673ea49b7e7cbe719af07699c1870ed05508c248855987428808535159aabe |
| SHA512 | 372f3858563da3181632300bd2eb27a3fc87fc1060f9c84b3f8d34fdde9f02d47376d57e6da1bf148fcfabdef855d985f027852b9cabe53049180c268b77840d |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\WixSharp Setup.exe
| MD5 | 8212b3c933fc1b2a5d871617bc76c38c |
| SHA1 | b70b50677c83eb8857e5edc737358e435d6aee7e |
| SHA256 | a6673ea49b7e7cbe719af07699c1870ed05508c248855987428808535159aabe |
| SHA512 | 372f3858563da3181632300bd2eb27a3fc87fc1060f9c84b3f8d34fdde9f02d47376d57e6da1bf148fcfabdef855d985f027852b9cabe53049180c268b77840d |
memory/4684-264-0x00000000061A0000-0x000000000632A000-memory.dmp
memory/4684-265-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-266-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-267-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVpn.Client.Setup.Shared.dll
| MD5 | 626fc98337eeee9f6e7a144216816a81 |
| SHA1 | b2119b320155a65cc245298a29e6ce5e9cd35327 |
| SHA256 | de7549bc6ba7e93ad1a4b97bffb159523903da83c5f6740d23b915880cf04e73 |
| SHA512 | 5d91038eb3aed85907124e4020c7288666325c2961a715dcf8810f38cf171ba07f6b9a4b61c4ebee2fb09c8480a617b2a1b2def791521bedbb41e59e9cdc82e3 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVpn.Client.Setup.Shared.dll
| MD5 | 626fc98337eeee9f6e7a144216816a81 |
| SHA1 | b2119b320155a65cc245298a29e6ce5e9cd35327 |
| SHA256 | de7549bc6ba7e93ad1a4b97bffb159523903da83c5f6740d23b915880cf04e73 |
| SHA512 | 5d91038eb3aed85907124e4020c7288666325c2961a715dcf8810f38cf171ba07f6b9a4b61c4ebee2fb09c8480a617b2a1b2def791521bedbb41e59e9cdc82e3 |
memory/4684-271-0x0000000005CB0000-0x0000000005CB8000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
| MD5 | 405bf969e7e50ef47422e54fa33605c8 |
| SHA1 | 4f3c5c8803212719ee74c60813b9ae08604684b3 |
| SHA256 | 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1 |
| SHA512 | d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.DependencyInjection.Abstractions.dll
| MD5 | 405bf969e7e50ef47422e54fa33605c8 |
| SHA1 | 4f3c5c8803212719ee74c60813b9ae08604684b3 |
| SHA256 | 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1 |
| SHA512 | d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a |
memory/4684-275-0x0000000006160000-0x0000000006170000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVpn.Common.Logging.dll
| MD5 | f2eaadbac858e2c1dbde9cc4c888fd7f |
| SHA1 | c42ced517df717bf24071b76c4053f9a7f90d735 |
| SHA256 | 0332a764c939200c3e33b22f9f4b19e89e97f8b1481e5a74920f49b0229e58e4 |
| SHA512 | 4c7900f4ef1a4329e26ce7b3fb7d74edfae4b46cc29b39f7cfc2643fd92a76eab3e7326ee60c3174a30811f4136701048334673bc667e42f42e516643a9f309a |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVpn.Common.Logging.dll
| MD5 | f2eaadbac858e2c1dbde9cc4c888fd7f |
| SHA1 | c42ced517df717bf24071b76c4053f9a7f90d735 |
| SHA256 | 0332a764c939200c3e33b22f9f4b19e89e97f8b1481e5a74920f49b0229e58e4 |
| SHA512 | 4c7900f4ef1a4329e26ce7b3fb7d74edfae4b46cc29b39f7cfc2643fd92a76eab3e7326ee60c3174a30811f4136701048334673bc667e42f42e516643a9f309a |
memory/4684-279-0x0000000006330000-0x0000000006348000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVPN.Common.Shared.dll
| MD5 | b338364a52caaf764be051ddd2c38d57 |
| SHA1 | 34c3a95d8f1f370c0ac6a06549f7c4d899b34a79 |
| SHA256 | fd7aa965ed8d658aebd425f32c12aef4144b5d8e2cc26e5e207a5957b84f68b7 |
| SHA512 | 34171ccbdbbef54e8e92052198c3497b3daabf5fc0184a829f49e777ec915f40741930422935c4f7972e79774d340cbab1d53787e7927a612259598bbcbd4786 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVPN.Common.Shared.dll
| MD5 | b338364a52caaf764be051ddd2c38d57 |
| SHA1 | 34c3a95d8f1f370c0ac6a06549f7c4d899b34a79 |
| SHA256 | fd7aa965ed8d658aebd425f32c12aef4144b5d8e2cc26e5e207a5957b84f68b7 |
| SHA512 | 34171ccbdbbef54e8e92052198c3497b3daabf5fc0184a829f49e777ec915f40741930422935c4f7972e79774d340cbab1d53787e7927a612259598bbcbd4786 |
memory/4684-283-0x0000000006350000-0x000000000636C000-memory.dmp
memory/4684-284-0x0000000006370000-0x000000000638A000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVPN.Utils.dll
| MD5 | f8b378728c2296b993fddf58fe8daf06 |
| SHA1 | 59ac902ae292a5992ab087a65f00cdd86ffd7db8 |
| SHA256 | 119f78909ec6e69bbc385ea22673adcd9f14a64f1dfbcdb327418931d5e5b91e |
| SHA512 | 99fd44a9c82387aca59a9fa14a8ffeaa1b5e7cf49bee04ce6bdb21fb14e06754e22c593af293b38f416ac9a4ff501cb6f5bb65bce1c8cc2ed59a23fe5df07bab |
memory/4684-288-0x0000000006390000-0x00000000063B0000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\ExpressVPN.Utils.dll
| MD5 | f8b378728c2296b993fddf58fe8daf06 |
| SHA1 | 59ac902ae292a5992ab087a65f00cdd86ffd7db8 |
| SHA256 | 119f78909ec6e69bbc385ea22673adcd9f14a64f1dfbcdb327418931d5e5b91e |
| SHA512 | 99fd44a9c82387aca59a9fa14a8ffeaa1b5e7cf49bee04ce6bdb21fb14e06754e22c593af293b38f416ac9a4ff501cb6f5bb65bce1c8cc2ed59a23fe5df07bab |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.DependencyInjection.dll
| MD5 | f2a9c263e730b94057d26d8e6562e342 |
| SHA1 | e36e4c8100585db5c7dbd07ff66f4adad8ccd37f |
| SHA256 | d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c |
| SHA512 | 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9 |
memory/4684-292-0x00000000064B0000-0x00000000064C8000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Bcl.AsyncInterfaces.dll
| MD5 | 48efe61d6ca3054309907b532d576d2a |
| SHA1 | f36403aabb16540c93fb35245ec0b4e435628aae |
| SHA256 | 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78 |
| SHA512 | 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3 |
memory/4684-296-0x0000000006190000-0x000000000619A000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\System.Threading.Tasks.Extensions.dll
| MD5 | e1e9d7d46e5cd9525c5927dc98d9ecc7 |
| SHA1 | 2242627282f9e07e37b274ea36fac2d3cd9c9110 |
| SHA256 | 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6 |
| SHA512 | da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11 |
memory/4684-300-0x00000000064D0000-0x00000000064DA000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Microsoft.Extensions.Logging.Abstractions.dll
| MD5 | 1237591a98cea80b03eaa68dbbcb2176 |
| SHA1 | 5761dfe8070d1e273c20bf6ce50eb46a8780e065 |
| SHA256 | ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1 |
| SHA512 | 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07 |
memory/4684-304-0x0000000006500000-0x0000000006510000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Newtonsoft.Json.dll
| MD5 | 715a1fbee4665e99e859eda667fe8034 |
| SHA1 | e13c6e4210043c4976dcdc447ea2b32854f70cc6 |
| SHA256 | c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e |
| SHA512 | bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Newtonsoft.Json.dll
| MD5 | 715a1fbee4665e99e859eda667fe8034 |
| SHA1 | e13c6e4210043c4976dcdc447ea2b32854f70cc6 |
| SHA256 | c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e |
| SHA512 | bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad |
memory/4684-308-0x0000000006690000-0x0000000006742000-memory.dmp
memory/4684-311-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-312-0x000000007F4E0000-0x000000007F4F0000-memory.dmp
memory/4684-313-0x0000000006070000-0x0000000006092000-memory.dmp
memory/4684-316-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-317-0x0000000007010000-0x0000000007018000-memory.dmp
memory/4684-318-0x0000000009680000-0x00000000096B8000-memory.dmp
memory/4684-319-0x0000000009640000-0x000000000964E000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe
| MD5 | cd663dec310c64e1e17ddfd520a572e9 |
| SHA1 | c759095b8f0e2826ce099c7f1eff9ea2745b41fb |
| SHA256 | 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe |
| SHA512 | b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3 |
memory/4684-323-0x0000000009800000-0x0000000009808000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe
| MD5 | cd663dec310c64e1e17ddfd520a572e9 |
| SHA1 | c759095b8f0e2826ce099c7f1eff9ea2745b41fb |
| SHA256 | 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe |
| SHA512 | b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.be\ExpressVPN_12.51.0.4.exe
| MD5 | cd663dec310c64e1e17ddfd520a572e9 |
| SHA1 | c759095b8f0e2826ce099c7f1eff9ea2745b41fb |
| SHA256 | 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe |
| SHA512 | b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3 |
memory/4684-332-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-333-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-334-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-335-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
memory/4684-336-0x000000007F4E0000-0x000000007F4F0000-memory.dmp
memory/4684-337-0x0000000005CC0000-0x0000000005CD0000-memory.dmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\VCRedist64
| MD5 | 703bd677778f2a1ba1eb4338bac3b868 |
| SHA1 | a176f140e942920b777f80de89e16ea57ee32be8 |
| SHA256 | 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9 |
| SHA512 | a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041 |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\Net6DesktopRuntime64
| MD5 | 26d558f92be15a50d59b8261123de56b |
| SHA1 | b5b1819cca753b070181f50411375b80412860a3 |
| SHA256 | 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62 |
| SHA512 | 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea |
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\MainMsi
| MD5 | 55d55b40a85e0861b2a67553c3944af5 |
| SHA1 | 9fb667c840313a2a1a402fc3a6f279a962b6162e |
| SHA256 | f55b4e7eda7d48b81d30ebe159091dd1668cb53f7ce95938a0971bf1fca233b9 |
| SHA512 | 8bc81e34b0670416e66d4eee786e545300c6443741f00781481b62c3536892d1ea7451d4946ef358e603b7bf110ecc3927bdd0debaf990aeb49b012da731cf07 |
C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
| MD5 | 703bd677778f2a1ba1eb4338bac3b868 |
| SHA1 | a176f140e942920b777f80de89e16ea57ee32be8 |
| SHA256 | 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9 |
| SHA512 | a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041 |
C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\Windows\Temp\{20787DBE-7178-43A3-97B1-8E3C461E967D}\.cr\VC_redist.x64.exe
| MD5 | 848da6b57cb8acc151a8d64d15ba383d |
| SHA1 | 8f4d4a1afa9fd985c67642213b3e7ccf415591da |
| SHA256 | 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12 |
| SHA512 | ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6 |
C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.ba\wixstdba.dll
C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.ba\logo.png
C:\Windows\Temp\{49095F37-9019-42E7-A0E9-34DE659CED69}\.be\VC_redist.x64.exe
C:\ProgramData\Package Cache\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\ExpressVPN_12.51.0.4.exe
C:\ProgramData\Package Cache\{6c4bfa07-2536-464d-b059-57b12b4da8f3}\state.rsm
C:\Users\Admin\AppData\Local\Temp\DELCA07.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA19.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA2E.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA3F.tmp
C:\Windows\Temp\{B7846F7F-FC0B-4E7B-A7E1-0105BA9CCCC0}\.ba\Newtonsoft.Json.dll
C:\Users\Admin\AppData\Local\Temp\DELCA40.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA2D.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA2C.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA2B.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA1A.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA18.tmp
C:\Users\Admin\AppData\Local\Temp\DELCA17.tmp