Malware Analysis Report

2025-01-18 04:46

Sample ID 230628-hlzy3sge87
Target expressvpn_windows_12.49.0.4_release [pesktop.com].exe
SHA256 6713695798164eeef13de43bffb24f47b82e58a68c12b92bcee41d45f864e931
Tags revengerat discovery persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6713695798164eeef13de43bffb24f47b82e58a68c12b92bcee41d45f864e931

Threat Level: Known bad

The file expressvpn_windows_12.49.0.4_release [pesktop.com].exe was found to be: Known bad.

Malicious Activity Summary

revengerat discovery persistence stealer trojan

RevengeRAT

RevengeRat Executable

Downloads MZ/PE file

Blocklisted process makes network request

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Checks computer location settings

Drops file in Windows directory

Executes dropped EXE

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Registers COM server for autorun

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-06-28 06:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-06-28 06:50
Reported 2023-06-28 06:53
Platform win7-20230621-en
Max time kernel 29s
Max time network 35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe"

C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe

"C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Network

N/A

Files

\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe

MD5 6a25e359c5876cbb2695abb2f0242e76
SHA1 bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224
SHA256 f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8
SHA512 c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619

C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe

MD5 6a25e359c5876cbb2695abb2f0242e76
SHA1 bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224
SHA256 f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8
SHA512 c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619

Analysis: behavioral2

Detonation Overview

Submitted 2023-06-28 06:50
Reported 2023-06-28 06:59
Platform win10v2004-20230621-en
Max time kernel 506s
Max time network 516s

Command Line

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{6cad862f-afe1-438f-bb94-c3e847bed3b1} = "\"C:\\ProgramData\\Package Cache\\{6cad862f-afe1-438f-bb94-c3e847bed3b1}\\ExpressVPN_12.49.0.4.exe\" /burn.runonce" C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ExpressVPNNotificationService = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationServiceStarter.exe\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_2.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\concrt140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfcm140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_atomic_wait.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140enu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfcm140u.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140esn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140deu.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcomp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140ita.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140kor.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140rus.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_codecvt_ids.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vccorlib140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcamp140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140cht.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140fra.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\mfc140jpn.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\mfc140chs.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\msvcp140.dll C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.IO.Compression.Native.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\fr\System.Windows.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Assets\en-US\70x70Logo.scale-150.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Options.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Runtime.Serialization.Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ja\UIAutomationTypes.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.AppService.Grpc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.deps.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.Utils.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Google.Protobuf.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\it\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\System.Diagnostics.EventLog.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.IO.FileSystem.Primitives.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.ServiceProcess.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ja\System.Windows.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ko\Microsoft.VisualBasic.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\System.Windows.Input.Manipulations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\cs\UIAutomationClientSideProviders.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\wintun\driver\expressvpn-tun.sys C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Polly.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\mscordaccore.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\es\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\UIAutomationProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Threading.Thread.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.ComponentModel.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-core-datetime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\PresentationFramework.Aero2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\System.Windows.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\de\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Caliburn.Micro.Platform.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Configuration.UserSecrets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\wintun\tapinstall\tapinstall.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Microsoft.Extensions.Logging.Console.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Resources.ResourceManager.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ja\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Assets\en-US\150x150Logo.scale-200.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Reflection.Emit.ILGeneration.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\UIAutomationClient.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\System.Windows.Forms.Design.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\System.Reactive.Core.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\System.ServiceProcess.ServiceController.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.Client.Proteus.Adapter.dll.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\lightway.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\log4net.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pl\System.Windows.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\ru\WindowsFormsIntegration.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\pt-BR\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Resources.pri C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\xvclient_csharp.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.5\System.Drawing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\Microsoft.WindowsDesktop.App.runtimeconfig.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.5\zh-Hant\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.BrowserHelper.runtimeconfig.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.Grpc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.5 (x64).swidtag C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
File created C:\Program Files (x86)\ExpressVPN\expressvpn-ui\Assets\en-US\150x150Logo.scale-150.png C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Grpc.Core.Api.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\ExpressVPN\services\Serilog.Sinks.Async.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIF025.tmp-\LaunchDarkly.InternalSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIBD26.tmp-\System.Text.Encodings.Web.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID0A2.tmp-\LaunchDarkly.InternalSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID5A4.tmp-\ManagedWifi.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\Polly.Contrib.WaitAndRetry.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\Microsoft.IdentityModel.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIDCF8.tmp-\Microsoft.Extensions.DependencyInjection.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIEC3C.tmp-\System.Security.AccessControl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\Microsoft.Extensions.Configuration.Binder.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\System.Management.Automation.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\Microsoft.IdentityModel.JsonWebTokens.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICC3C.tmp-\ExpressVpn.Client.Setup.CustomActions.pdb C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIDCF8.tmp-\Microsoft.Extensions.Logging.EventLog.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIEC3C.tmp-\DeviceId.Windows.Wmi.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIEC3C.tmp-\System.Threading.Tasks.Extensions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\Newtonsoft.Json.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAEAD.tmp-\Microsoft.Extensions.Logging.EventLog.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID0A2.tmp-\WixSharp.UI.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID5A4.tmp-\Microsoft.Extensions.Options.ConfigurationExtensions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIDCF8.tmp-\Microsoft.Extensions.Logging.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF025.tmp-\System.Diagnostics.DiagnosticSource.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIE0C2.tmp-\LaunchDarkly.CommonSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICC3C.tmp-\Microsoft.Extensions.Configuration.Binder.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICC3C.tmp-\Microsoft.IdentityModel.JsonWebTokens.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID5A4.tmp-\log4net.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID5A4.tmp-\Microsoft.Extensions.Configuration.CommandLine.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\e57caf3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICC3C.tmp-\System.Security.AccessControl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID5A4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID5A4.tmp-\Grpc.Core.Api.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIE0C2.tmp-\log4net.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAEAD.tmp-\System.Security.Principal.Windows.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIBD26.tmp-\ExpressVpn.Common.Logging.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Configuration.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIE532.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID0A2.tmp-\Microsoft.Extensions.Logging.EventSource.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF025.tmp-\DeviceId.Windows.Wmi.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\Microsoft.Extensions.DependencyInjection.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAEAD.tmp-\Microsoft.Extensions.Configuration.Binder.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIC797.tmp-\log4net.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIC797.tmp-\Microsoft.Extensions.Http.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\System.IO.FileSystem.AccessControl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\System.Threading.Tasks.Extensions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSID5A4.tmp-\Microsoft.Extensions.Logging.EventLog.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIEC3C.tmp-\LaunchDarkly.JsonStream.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.Configuration.Binder.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\Sentry.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\System.Collections.Immutable.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIC797.tmp-\ExpressVPN.Utils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIDCF8.tmp-\Polly.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\Kape.Braze.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\Microsoft.IdentityModel.Abstractions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{F3B3A61B-DC16-429A-A260-DBAFE66741A9} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57cb19.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBD26.tmp-\LaunchDarkly.CommonSdk.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIEC3C.tmp-\Microsoft.Extensions.Configuration.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA74A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC797.tmp-\Microsoft.IdentityModel.JsonWebTokens.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIE0C2.tmp-\System.Reflection.Metadata.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9B61.tmp-\Newtonsoft.Json.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF825.tmp-\System.Buffers.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIF025.tmp-\ExpressVPN.Utils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICC3C.tmp-\ExpressVPN.Client.Installer.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSICC3C.tmp-\log4net.dll C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe N/A
N/A N/A C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe N/A
N/A N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\lightway.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe N/A
N/A N/A C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe N/A
N/A N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
N/A N/A C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32\ = "\"C:\\Program Files (x86)\\ExpressVPN\\expressvpn-ui\\ExpressVPNNotificationService.exe\" -ToastActivated" C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\SysWOW64\rundll32.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.23.40665_x64 C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.34.31931" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211}\Dependents\{0f711ee3-eb88-456d-acb4-c2ee31add211} C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\ = "{089A177D-98AE-4195-A115-D3C45613B875}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\expressvpn\DefaultIcon C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\10EA62E1536592372BC00B2945329E52\23B875EDA4807E94E855F6853A57870C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Version = "806854361" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E5B9C3E5-889C-4F22-A959-F4B899DD7835}\DisplayName = "ExpressVPN" C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.5 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E3C9B5EC98822F49A954F8B99DD8753 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}" C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\expressvpn C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af} C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\AppUserModelId\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}/ExpressVPN/expressvpn-ui/ExpressVPNNotificationService.exe\DisplayName = "ExpressVPN" C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\D743C4FCE4593454882DCE710FF764F6 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\14DCC6E369B6DB74E8E17D5B39EC9E67 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\14DCC6E369B6DB74E8E17D5B39EC9E67\ProductName = "Microsoft .NET Host FX Resolver - 6.0.5 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{F3B3A61B-DC16-429A-A260-DBAFE66741A9}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99DD8753\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{c1a51ea5-665e-cac3-4426-32d306a827af} C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D771A980EA8959141A513D4C65318B57\Provider C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.23.40665_x64\Dependents C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\23B875EDA4807E94E855F6853A57870C\Provider C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99DD8753\ProductName = "ExpressVPN" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\Dependents C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E3C9B5EC98822F49A954F8B99DD8753\SourceList\PackageName = "ExpressVPN.msi" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\VC_Runtime_Minimum C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f711ee3-eb88-456d-acb4-c2ee31add211}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.5 (x64)" C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\DisplayName = "Microsoft .NET Host - 6.0.5 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\23B875EDA4807E94E855F6853A57870C\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D771A980EA8959141A513D4C65318B57\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\23B875EDA4807E94E855F6853A57870C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{E5B9C3E5-889C-4F22-A959-F4B899DD7835}\ = "{E5B9C3E5-889C-4F22-A959-F4B899DD7835}" C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E3C9B5EC98822F49A954F8B99DD8753\Complete C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B16A3B3F61CDA9242A06BDFA6E76149A\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.23.40699_x64\ = "{DE578B32-084A-49E7-8E55-6F58A37578C0}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\WOW6432Node\CLSID\{c1a51ea5-665e-cac3-4426-32d306a827af}\LocalServer32 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe N/A
N/A N/A C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
PID 3588 wrote to memory of 5104 N/A C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe
PID 5104 wrote to memory of 4668 N/A C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe
PID 4668 wrote to memory of 3672 N/A C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe
PID 3672 wrote to memory of 3916 N/A C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe
PID 3916 wrote to memory of 1672 N/A C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 1672 wrote to memory of 1168 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 1168 wrote to memory of 4252 N/A C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
PID 5104 wrote to memory of 3764 N/A C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 3764 wrote to memory of 2248 N/A C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 2248 wrote to memory of 4204 N/A C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe
PID 1908 wrote to memory of 3172 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1908 wrote to memory of 1988 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1908 wrote to memory of 2128 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1908 wrote to memory of 5048 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1908 wrote to memory of 4480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4480 wrote to memory of 4892 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 1568 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1568 wrote to memory of 4324 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 3900 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 3296 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 5028 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe

"C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe"

C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe

"C:\Windows\Temp\{29A90EBA-2B15-4836-8335-4CB9F4D24262}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.filehandle.attached=700 -burn.filehandle.self=704

C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe

"C:\Windows\Temp\{B9A62CD3-6163-43A3-ACE6-319019F715AF}\.be\ExpressVPN_12.49.0.4.exe" -q -burn.elevated BurnPipe.{6DDFA8F5-BA23-4B9E-9034-1E82FD79EFD8} {1AE74B34-ABE9-462E-86FB-0F42697B4D71} 3588

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe

"C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{F70EBF18-0682-43B6-8D2F-9555D862B822}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\A176F140E942920B777F80DE89E16EA57EE32BE8\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /install /quiet /norestart

C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{80A16730-6E9E-4774-A934-858E2519D742}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B1663C9F-B1DB-470C-A88D-82221B8BB6BA} {A9860BDB-F1C5-4F9E-95CC-B7328BFB44BA} 3672

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{A081CDAC-580B-43DB-98D2-F67B7E1A1BFA} {4F530CD7-23BD-4297-AED9-8E090CE575D5} 3916

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{A081CDAC-580B-43DB-98D2-F67B7E1A1BFA} {4F530CD7-23BD-4297-AED9-8E090CE575D5} 3916

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0E5D2DF7-7740-4851-91F2-4BECE9056CCC} {74A80C32-6B92-41D2-A459-0F78ABFB750B} 1168

C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" /install /quiet /norestart -burn.filehandle.self=988 -burn.embedded BurnPipe.{493C3436-2558-4C35-BCD7-95A8E5D4B7F2} {C4EB9B81-A677-4198-93B5-C4B648869228} 5104

C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=688 /install /quiet /norestart -burn.filehandle.self=988 -burn.embedded BurnPipe.{493C3436-2558-4C35-BCD7-95A8E5D4B7F2} {C4EB9B81-A677-4198-93B5-C4B648869228} 5104

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

"C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe" -q -burn.elevated BurnPipe.{3C6F56FC-88CC-4568-A07A-5922BDEEF629} {F881A2A3-C1FA-482F-913E-17F391F917AF} 2248

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9ACC93B039BB17455E63719BAB13DB56

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 35F89EF459865A871A16B7BCFCAAA59F

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D55CD0FEE4821D1365739CB4F3E4ACB2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5351BDBA96D98B5F6483DBCAF9B3E0E2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BF5774569E9125ABA4A01C1E8EA0870C

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI9B61.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240688171 26 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CloseMainApp

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 88650BAE337E5A603B0262ADFA411313 E Global\MSI0000

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIAEAD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240693046 38 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIBD26.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240696656 45 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetBrowserHelperPath

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIC797.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240699328 49 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateAccessTokens

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSICC3C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240700484 53 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateDefaultPortConfiguration

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSID0A2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240701609 57 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.CreateServiceCredentials

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSID5A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240702875 61 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.InitializeProteusId

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.Installer.Exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIDCF8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240704750 65 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.SetServicesFailureActions

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIE0C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240705734 69 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.AddErrorReportingKeys

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.VpnService.exe"

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.SystemService.exe"

C:\Program Files (x86)\ExpressVPN\services\lightway.exe

"C:\Program Files (x86)\ExpressVPN\services\lightway.exe" --version

C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe

"C:\Program Files (x86)\ExpressVPN\services\ExpressVPN.AppService.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIEC3C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240708718 73 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveLegacyRegistryData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF025.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240709687 77 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.RemoveUserFolderData

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIF825.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240711718 87 ExpressVpn.Client.Setup.CustomActions!ExpressVpn.Client.Setup.CustomActions.Actions.DeleteBinaries

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe" install

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe"

C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe

"C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe" uihaslaunched

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ujsrxts.com/order?utm_source=windows_app&utm_medium=apps&utm_campaign=app_buy_subscription&utm_content=not_activated_buy_a_subscription

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffba30146f8,0x7ffba3014708,0x7ffba3014718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5764 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff660265460,0x7ff660265470,0x7ff660265480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18424992244151931949,13724833658421105960,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3260 /prefetch:2

Network


Files

SHA512 a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2

C:\Config.Msi\e57cae6.rbs

MD5 de76a85fcab3604463e0aa16b62a57db
SHA1 55c46919a0a82a89cd2006d6d8b4e428cd56667f
SHA256 b291f6947c14bbde14cee45d2b5f9426393d40690669ad171f7bf53f561a5d7b
SHA512 49a0b57c71e37fb18a514fcbe863689d9d8f3a27ab826e20570627bc801912628a0f1cc92cabe2191fc75ec469ceefc4ba7b6f5cfd494a9e4a7988acddcc48ff

C:\Config.Msi\e57caf2.rbs

MD5 74dcfa63a7e16bd4011fd2a5fb927e91
SHA1 30f2c3fd9e6ce4543368e0be4572e9c17f579c5b
SHA256 84a90574b995db0a7db97adf956ad14c66c8eca8aebdd6e3b2f7171325a90a2b
SHA512 b87d583a396fd95979bd04ce1978341690547c68c3716b114900059309bc326c4ebd8e154a3c51dc1c32bf20fe62387fdd41d3e2d0fa0098d28f8bc0560bd99e

C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230628065218_001_vcRuntimeAdditional_x64.log

MD5 e8ab7da3a1e0420c6450aa3d68a5b818
SHA1 dc82b486e21dc13c214b831817cb37a7494f3078
SHA256 467ba36f91b948c1f0eb669a0ef20b355bfa346d45be79206d6abe909ac96316
SHA512 621cc7a330f6e0c0d039895e4e0888dc33f998705f943a0714b4aef01bd1f84288a1348ab3bff01f5cd8d4e8d508b31b9bd2ccb1853331630a6cadfe50d17e8a

C:\Config.Msi\e57caf9.rbs

MD5 8da24b422ae13555697cc010a36d880b
SHA1 e380616b49a3460f633719cb28fc0925f959aba5
SHA256 f129e96e2901d3171570053cd4e265b07e43b10d14790cd78c78d8caaa4d028b
SHA512 f91060652f639d013ed31b5ace397fe3a2dd39b1645dc5099d584defc62d993f0de6a8e8365aed940a8e9ba22244a4b2e2303b17dd327ba8092b87e7ef613c66

C:\Config.Msi\e57cb08.rbs

MD5 fe01fa86e016c7c7614b21c65008fa10
SHA1 93815057a8ec55b22f7bf44ea586d3ad141a897e
SHA256 a069f34b1f44ec575dc4234dcf988ed5f43bc8a5294dd69ec2dc6fe21689c313
SHA512 752b7338714f15b1c928e7ccb4bc97b4c892dae55bca6f03f7c012bc54ef97d6acf68263d0ae1f08b26c239a2bc1452a9f1afa491d70744b8c4bad1356350459

C:\Windows\Temp\{436E93DB-4FD6-443D-9514-70D652F572B1}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{436E93DB-4FD6-443D-9514-70D652F572B1}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe

MD5 848da6b57cb8acc151a8d64d15ba383d
SHA1 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512 ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

C:\ProgramData\Package Cache\B5B1819CCA753B070181F50411375B80412860A3\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 26d558f92be15a50d59b8261123de56b
SHA1 b5b1819cca753b070181f50411375b80412860a3
SHA256 1b305b1ae89b2391a4411bb2c5edb6b059a7bf7955275c57b43d1f2a94ce3f62
SHA512 5eb1537295cdb513197419c311777229fd43af6cea0ef6134f9990b32b8ac26aa51139f2c0b63d9cdfb6d753dd9db6f243b887ec511f15866157aa9e127b5cea

C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 987433e22c318ff3bfd596f6b7bb3d0d
SHA1 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256 ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA512 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46

C:\Windows\Temp\{96380589-21A7-409F-B56E-14CC0E214284}\.cr\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 987433e22c318ff3bfd596f6b7bb3d0d
SHA1 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256 ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA512 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.ba\wixstdba.dll

MD5 4356ee50f0b1a878e270614780ddf095
SHA1 b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512 b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.ba\bg.png

MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 987433e22c318ff3bfd596f6b7bb3d0d
SHA1 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256 ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA512 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 987433e22c318ff3bfd596f6b7bb3d0d
SHA1 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256 ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA512 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\.be\windowsdesktop-runtime-6.0.5-win-x64.exe

MD5 987433e22c318ff3bfd596f6b7bb3d0d
SHA1 7b8b48d30370bf1cc8e1c2c68b96622a6051d08e
SHA256 ea4484732f4415318ad0a403f8768129f1d4e6f871602881f3d339bcf7a2fa73
SHA512 8dcf1535cb673983f916d2c6d255f9a0f2ff708d9a356c5d02e0e326ce967353878a1019e686db0cb7e88e6a8cf78e4c73949fb831ca885241e0c5bce3934d46

C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\state.rsm

MD5 faf2b0bc3d91d980ac2da3fcc4396ca1
SHA1 4aff5acf859628bbc8364e3ce4a444e5eb00ea6f
SHA256 3955b625e2a0330c9596d635a92d45ff7f7e2e8d31aa56c0078fcb440da59c55
SHA512 2873864f356563826c0ce2eaea6c0f3a041e5d162f502242617312bf4c4a1ff3b73f27a6dcc56a7b6d2cf3ee8bcea2a673eaedfc066ab05656b3cc4f08c4f9f3

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\dotnet_runtime_6.0.5_win_x64.msi

MD5 abf5dbc0196845d9c906189aa70d07ec
SHA1 4a6879976ca9d64a151e1679d0b08d975883a7b2
SHA256 f8f96b0c0a444a391d1a5c02d217d530905c32895166251d16a1b5903b6815f1
SHA512 035fffdf011e5d30b06ca3b78b37ceb90c1773b08244efc0ca8f7e8b7c4ef83b1b0c5273431e752d0f7dc83a49ccf5fbb733f8235825bf5b8ded32f7b51939e3

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\windowsdesktop_runtime_6.0.5_win_x64.msi

MD5 bf16e0cb45daf8f291ecfa351cb0c3c2
SHA1 1491de942eec40921a35f35aa377c2f8f7332c5b
SHA256 0c3b15d1e680e29377a08ec0577d87d222dda47b84c955f4e834497b59041f9c
SHA512 a69a495b265e6e16fbc4a06455a02baabe35c6ad4abf499ca99a4b5cc9dfe2bcf337b6a60d32bfb15eca03b4c08710a095111ec637b2fbef0279c26d9e9e9ae8

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\dotnet_host_6.0.5_win_x64.msi

MD5 bdc10a6d27e4df71409c9cd8bc40d48c
SHA1 3cd9327008fc4bc8f76d9f8174bc6a1bbf4d7632
SHA256 ec6d27122faf6585fa4419284a95212102c54bbd7ee02bd56835a496039c70de
SHA512 c60196e4f34efcaa62ac3bb750205b701d7434872fe9eb866a5d80ccab6cef879b35aab0d09c19d25cdbf2a3e19c23a4170a16033ad2fbd008dccc9a6530b1c9

C:\Windows\Temp\{88EC1CC2-3B12-44B4-B9D2-1C72111A6B28}\dotnet_hostfxr_6.0.5_win_x64.msi

MD5 eef7d4eaa530df3288c03b8e6463aaa3
SHA1 4d94b0073d5afeb1642a2f0da5c178f5765857b3
SHA256 cbdda269bf97e5e990d909fc503149005e4cd70e68d565c0fd4fbed3222d7711
SHA512 2be6dbc2c4d2a8d68653ffd8cb56196178c4ecea2f247a8d6f6cf3061917a43ff814ce48ab2939b475ae0d69df8fe41e0864ebaa282adcfb3e578ca0da10f823

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.5_(x64)_20230628065238_000_dotnet_runtime_6.0.5_win_x64.msi.log

MD5 f203174bd684c81cdbf36d8813c7148a
SHA1 ab674539f0b23a00ac626785215c5ad0b2c5fe21
SHA256 f83fb511d75f128fd453e488fd5c4edbe5067c880d766b6fd3e9e992968599c5
SHA512 fcee1cf8c09104e0695ba6c63c29c1a87013134652f4d1120b433aaa41d18e2839c2f409f30984b3e5469ae56b7ac97a90c245c2f8514f464f4f10af0b3cd63e

C:\Windows\Installer\MSI30A4.tmp

MD5 d711da8a6487aea301e05003f327879f
SHA1 548d3779ed3ab7309328f174bfb18d7768d27747
SHA256 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512 c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

C:\Windows\Installer\MSI30A4.tmp

MD5 d711da8a6487aea301e05003f327879f
SHA1 548d3779ed3ab7309328f174bfb18d7768d27747
SHA256 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512 c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

C:\Windows\Installer\e57cb0e.msi

MD5 abf5dbc0196845d9c906189aa70d07ec
SHA1 4a6879976ca9d64a151e1679d0b08d975883a7b2
SHA256 f8f96b0c0a444a391d1a5c02d217d530905c32895166251d16a1b5903b6815f1
SHA512 035fffdf011e5d30b06ca3b78b37ceb90c1773b08244efc0ca8f7e8b7c4ef83b1b0c5273431e752d0f7dc83a49ccf5fbb733f8235825bf5b8ded32f7b51939e3

C:\Config.Msi\e57cb0d.rbs

MD5 3a83bfb57c444578f6ce5f0d5b043c69
SHA1 df5258a023061a3a4ea4fd695a5f3363902f684b
SHA256 98ac882c096bccf6a5bdd78f052215df42579eb80fedb7eceeb2d3f89a99fe38
SHA512 93e681deef06026d38522def34d16e95ae06098c69c6a230888d54ee1bab2517b51d7e9b4ee8386deb51747c119c8048a3fc62221e2e43279122ee1293ca3b7f

C:\Windows\Installer\MSI516D.tmp

MD5 d711da8a6487aea301e05003f327879f
SHA1 548d3779ed3ab7309328f174bfb18d7768d27747
SHA256 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512 c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

C:\Windows\Installer\MSI5A28.tmp

MD5 d711da8a6487aea301e05003f327879f
SHA1 548d3779ed3ab7309328f174bfb18d7768d27747
SHA256 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512 c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

C:\Windows\Installer\e57cb0f.msi

MD5 eef7d4eaa530df3288c03b8e6463aaa3
SHA1 4d94b0073d5afeb1642a2f0da5c178f5765857b3
SHA256 cbdda269bf97e5e990d909fc503149005e4cd70e68d565c0fd4fbed3222d7711
SHA512 2be6dbc2c4d2a8d68653ffd8cb56196178c4ecea2f247a8d6f6cf3061917a43ff814ce48ab2939b475ae0d69df8fe41e0864ebaa282adcfb3e578ca0da10f823

C:\Config.Msi\e57cb12.rbs

MD5 7dca594db7cdbcef607c00444abc0240
SHA1 8df7731b07b92c88f6edc800ee84f18569963a8f
SHA256 6c43f46b1bab05eec21e2adc3f014dfafed50aec8ce33043572a7c14e49eff87
SHA512 1837f0cb19ea284787b503a669b13b013112557e37c548e0d6082f9ee3aa912f6bb1456570f76588003e127df5431aa478f29569ca41f56bd7c073182a4b62e0

C:\Program Files\dotnet\LICENSE.txt

MD5 31c5a77b3c57c8c2e82b9541b00bcd5a
SHA1 153d4bc14e3a2c1485006f1752e797ca8684d06d
SHA256 7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d
SHA512 ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

C:\Program Files\dotnet\ThirdPartyNotices.txt

MD5 f77a4aecfaf4640d801eb6dcdfddc478
SHA1 7424710f255f6205ef559e4d7e281a3b701183bb
SHA256 d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7
SHA512 1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

C:\Config.Msi\e57cb17.rbs

MD5 4ed56f73cbc765854f47d73edb62273b
SHA1 32485de96f3da2fca9df5a2f1275c3b5aa563fb3
SHA256 da6fb2cff31fbc0177bdc93d3e93b87017bee3317084a468296d1e0de6b559bf
SHA512 933bc16c68562126f5cffa8267ef31265838332e31c4c8e2aea8ba3acac1c6527c67f67556589b997078c07e2df6190b2d276acc88010da8d0ddfdf9ac9b843b

C:\Windows\Installer\e57cb1d.msi

MD5 bf16e0cb45daf8f291ecfa351cb0c3c2
SHA1 1491de942eec40921a35f35aa377c2f8f7332c5b
SHA256 0c3b15d1e680e29377a08ec0577d87d222dda47b84c955f4e834497b59041f9c
SHA512 a69a495b265e6e16fbc4a06455a02baabe35c6ad4abf499ca99a4b5cc9dfe2bcf337b6a60d32bfb15eca03b4c08710a095111ec637b2fbef0279c26d9e9e9ae8

C:\Config.Msi\e57cb1c.rbs

MD5 0c0f2acd14dd389327e2c7520bd3a17b
SHA1 37962ebe61599aa57eaeef65eca6cf3109cc04f5
SHA256 7ff821b37521f269ed465d0404a0970f60b6f2677ae200d151f53aa08dbe234f
SHA512 ec2678630aaefe8a85b7f934f233233307301861fcb2735bfe5c8da44609d77ba6cc4e1a46b874e5757d7c6b1c638ed8a9a55f0574947c525b9e00b7984a66ea

C:\Windows\Installer\MSI9B61.tmp-\Newtonsoft.Json.dll

MD5 715a1fbee4665e99e859eda667fe8034
SHA1 e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256 c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512 bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

memory/4892-1459-0x0000000005520000-0x000000000554E000-memory.dmp

memory/4892-1461-0x0000000005570000-0x0000000005586000-memory.dmp

memory/4892-1463-0x0000000005560000-0x0000000005568000-memory.dmp

memory/4892-1465-0x00000000055B0000-0x00000000055C8000-memory.dmp

memory/4892-1468-0x0000000005600000-0x000000000561C000-memory.dmp

memory/4892-1470-0x00000000056D0000-0x0000000005740000-memory.dmp

memory/4892-1472-0x0000000005660000-0x0000000005680000-memory.dmp

memory/4892-1474-0x0000000005680000-0x000000000568A000-memory.dmp

memory/4892-1476-0x0000000005690000-0x000000000569C000-memory.dmp

C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5 405bf969e7e50ef47422e54fa33605c8
SHA1 4f3c5c8803212719ee74c60813b9ae08604684b3
SHA256 95a7c66abd60ba45a2020ac3d42702fd9823f7b6db2ceec6a37c9e9b0602fed1
SHA512 d04978227453e3341fbdc6a8730da193f1c5e19a2635e02cb5d6eb6fef7c3ea53cf7df5df16230c12693cdaaccc90add812c5ad0a6ed0749e8de75c03602502a

C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.DependencyInjection.dll

MD5 f2a9c263e730b94057d26d8e6562e342
SHA1 e36e4c8100585db5c7dbd07ff66f4adad8ccd37f
SHA256 d6de20035b25367a82da6180c45511d9077374c5f96f6cc5fedd2107d61efb9c
SHA512 976fff499e641484a176801ca904221270220d07a1ffe14c03a9b3f32372a264ebe25e704dc63ec18f1bc2a430afa6a098847c327d695a3d19359422a300d4e9

C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Bcl.AsyncInterfaces.dll

MD5 48efe61d6ca3054309907b532d576d2a
SHA1 f36403aabb16540c93fb35245ec0b4e435628aae
SHA256 295af2142d9214f3fd84eafe4778dca119be7e0229f14b6ba8d5269c2f1e2e78
SHA512 778e7c4675d8fde9e083230213d2efa19aa6924fe892ed74fa1ea2ec16743bb14b99b51856e75eaef632d57be7f36dd1bc7ce39a7c2b0435b2f3211bb19836a3

C:\Windows\Installer\MSI9B61.tmp-\System.Threading.Tasks.Extensions.dll

MD5 e1e9d7d46e5cd9525c5927dc98d9ecc7
SHA1 2242627282f9e07e37b274ea36fac2d3cd9c9110
SHA256 4f81ffd0dc7204db75afc35ea4291769b07c440592f28894260eea76626a23c6
SHA512 da7ab8c0100e7d074f0e680b28d241940733860dfbdc5b8c78428b76e807f27e44d1c5ec95ee80c0b5098e8c5d5da4d48bce86800164f9734a05035220c3ff11

C:\Windows\Installer\MSI9B61.tmp-\Microsoft.Extensions.Logging.Abstractions.dll

MD5 1237591a98cea80b03eaa68dbbcb2176
SHA1 5761dfe8070d1e273c20bf6ce50eb46a8780e065
SHA256 ce8a3129430b92e206d59720adff91ebae0af7c8a808ba81b2ecf9ce680260e1
SHA512 1446308e87aaf15ac1b3f79d8f4620b2172fb4c5f34059df75fae0ab244015cae6ac46faa86a0ab91b71d51bf91476dc407f473016ed0b71526ff6e446bbda07

memory/4892-1583-0x00000000055D0000-0x00000000055E0000-memory.dmp

C:\Windows\Installer\MSIAEAD.tmp-\Microsoft.Deployment.WindowsInstaller.dll

MD5 1a5caea6734fdd07caa514c3f3fb75da
SHA1 f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256 cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512 a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

C:\Windows\Installer\MSIAEAD.tmp-\CustomAction.config

MD5 c9c40af1656f8531eaa647caceb1e436
SHA1 907837497508de13d5a7e60697fc9d050e327e19
SHA256 1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8
SHA512 0f7033686befa3f4acf3ed355c1674eaa6e349fba97e906446c8a7000be6876f157bc015bf5d3011fbbdc2c771bcbaea97918b8d24c064cbbd302741cc70cbc7

C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Client.Setup.CustomActions.dll

MD5 0518aa303bed2ba39cf6b76fd5249ba9
SHA1 8e4d5cd6efdc10324e2371952244f91be2222957
SHA256 772bbfb85778b49b690ccf793e1c64f850a94416af513086c6c3a8f819e5b356
SHA512 9bea6596f578a7bcf2f18f44d29542133a84baa16798ebbc43ed12e6ee57cc4ee6172f4ee60625b4f34caa063de311f09741a63b561b7c32354fc0c05d094ab4

C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Client.Setup.Shared.dll

MD5 7623867cddde1323a79f802e1eea56ef
SHA1 3136d7aa627d676a19c17914ba8de4944f3da9b8
SHA256 636ed49c603632e1bee61a8b9a7841bac3763fde8526c90a86b6d449fbf6b240
SHA512 bd5916239c9f5556554cab62385c7e512184f7b97c4672fce19707393954652db18096bb171b24c620b07ad39ebb7b38820e31904d9aef9e670c430ca7194a6b

C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Common.Logging.dll

MD5 da0642b5256b7df480e5a02707e76d55
SHA1 632683512a625ba829ac5b53597985713cea08bf
SHA256 85526c8326fc2b2d4dab0149d598643fe7e58090681fc9abe9662d4016131dd5
SHA512 da965c02578b98aa7a0c07e12087972f302855750301e5625c08ff5c36174f24113ff7fea7ae396a1ab8c32cfbcb89500ff4cfde0a91cf3fac37979a8fa0896c

C:\Windows\Installer\MSIAEAD.tmp-\ExpressVPN.Common.Shared.dll

MD5 d45c73829d570a333ba921a7e658825e
SHA1 48c0da5c9f175baeeb25939c68352815c4e380cb
SHA256 bb7c0c6cbe57b902dd0ecf21ca1e17c5445a81f02408100243bcaa1f9a354f91
SHA512 aa5e2764af24af330141deb6e087a34c47cfb0901810f9a319e2e346bf6af65c57bfbcbca7cacd6a10342bff40a7e3d05af60caff0eb87c87fb3ea0d66185c0a

C:\Windows\Installer\MSIAEAD.tmp-\WixSharp.dll

MD5 e6864833a176336f60a6f382aba65a8b
SHA1 abfcfadc0bf98908073f56c4f8e51690f9fb5014
SHA256 c9653a596f43fa8fe49b8a8f7a1a31647197950e3fefb02441a971639f33206e
SHA512 168de36aa221c31753d1e8b3ad30adfbe0c384264fd72fee8494e614b26e7ecdb3a649856c43b981be557b9888fc724f9df121fa8692e6bbcd92577bfa019f5e

C:\Windows\Installer\MSIAEAD.tmp-\ExpressVPN.Utils.dll

MD5 7f23183a8b7ab9913bd0e850a5a9e41f
SHA1 1c2670a178f577adeb2a900920a5588c6452cf21
SHA256 364885b338c0f103c7eb850d81b02563f23f37bc42fb2ff934818fa19d378c77
SHA512 4ac790971a1d415046fa7013d0a8f6e5420a1c0fdf5eed085094fec1100ae1aac2be8accc33a1585074e8b0c2a7bb9e85f195be63885d686dbfa8206d615bca0

C:\Windows\Installer\MSIAEAD.tmp-\ExpressVpn.Utils.Wmi.dll

MD5 67832019648e6ab6abb4b851b171abd4
SHA1 905fa420be05e05c2a46fd59f6a88785e0857495
SHA256 5a40afd875245dcabc813fc9fe0eccc54938126d91573050f883bfb55dab97ba
SHA512 6425d17e254f0d603104fd049bdffd025b8c6cb06c22adfdf3be2b36f03d648b0d438ffd674d5313bc03d165008b1fab451ff30b551d4210b2ea5faa0474f671

C:\Windows\Installer\MSIAEAD.tmp-\ExpressVPN.Client.Installer.dll

MD5 dd82f1f197129cb8cc78061db1da1890
SHA1 97b008840e76150410efac7a37e54a15148189d3
SHA256 6c53e247393cf089b92cb84f48e35ec99f52c21e966537404b79ff92ff2274f4
SHA512 3572b6bcbf4694d56b44dec8f44119930a71b4f9d6a4d499268c29631d38a7191fee7cd85317b116187d09d17ab2a884bedcdb9d827815857485d7d86bc9010e

memory/4324-1692-0x0000000002450000-0x0000000002460000-memory.dmp

memory/4324-1693-0x0000000002450000-0x0000000002460000-memory.dmp

C:\Windows\Installer\MSIBD26.tmp

MD5 2944325a10f55a48811f735d9ae1994c
SHA1 fc5333d3524fb19cb1edf294573d7b99c631ee9a
SHA256 24cd64abaf9ff9bf73b303766a6a3cd6240ca2eb200498f4d0b10dc4fedf93e5
SHA512 d9b0c28e46811b395df629c7bc9cccea306af82cd4290969d72a9aef9b5008f3568e1483b4ed8989e9edc6c919c9fbf4876d27422553e11d2993165b96d0bee4

C:\Windows\Installer\MSIBD26.tmp-\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

C:\Windows\Installer\MSIBD26.tmp-\Google.Protobuf.dll

MD5 25647dfce0e91490e97f8c6366b2632a
SHA1 8b812d8418143e0e8bc782e6687583dee13710bd
SHA256 da005e408ac85c4fafae30aa79ab7c18ddfa9fb5b23cd7fb2228a88413388c54
SHA512 5c0947cceb867f765ef4e77a73c2e2cea11f80ed83cdd43f3f5816ac2c27403fa74ea6a7edd648061d14d3e480d0f5e8271b754688d8da62e8653ae7581bb910

C:\Windows\Installer\MSIBD26.tmp-\Grpc.Core.Api.dll

MD5 33e82bfceee2a76c34edee46091bafc8
SHA1 55c8e27e8efa1e08e87f96424c574ec581335910
SHA256 1e6db7069217797180cf7664e555994a9993db0155c9761be8012860bb82f8a2
SHA512 2818f76c324cfa556c5c9b68cba712c57d12da2f1bf6cf6defd314c0a5dbe4f504e20c04deaf9b69be6a56b01f47fe341ffbca2a431df9a71b28d38c9e1ec6bc

C:\Windows\Installer\MSIBD26.tmp-\Grpc.Core.dll

MD5 832a45191b8711adc888d8d45b26f0f8
SHA1 a90d87c10f3e5ed48a80f8e1cf0e883a07830c8d
SHA256 873b7debc4411c2707b48de1454d2ff437d9d56d44ad603c6487a8fb69b4413c
SHA512 94fe9bad110671a1bd965f4847609ed20955f082f96c049b1679634fbc878b189edaf952914137316a3a7ee65996df020ed2c65dcce0b7ba55db853f48132ef4

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.CommandLine.dll

MD5 2d3b7a8112a2f148c75ed0820ee2a568
SHA1 e34f939e35591d03b982fe963a6532b427f6c844
SHA256 dabae732fa2b9cdb25bdd6e6f6c804fbd7c512380abcd1e0b8b0e3e32bfed7d9
SHA512 aa270196c7d56679ba47c9c8e0cf0a9e34fafbb15a7ccae2478f7b3410e5c9a4863d48b55fa6d4ca0c91b5563075ecc54969953c32808eec26385c2dc32ffc12

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.UserSecrets.dll

MD5 313cfefa5ac9c9f5d76382a4d738bf3c
SHA1 0bbcd9de636b6c9133a4030f42c0c04aaf51ddf1
SHA256 bc707ac67c82cbf3d7eefdcce641e061227267ddf7a66e08d68be37db5c896ee
SHA512 fc4c2dd62e85a0bb1e62c9702bd9fbec2b93388fc890da3265a13855fabd65b3a64032fa2e1e38bc6be3f1c450b85475843138a4716eefaf404aef8e112904f9

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.Json.dll

MD5 ae4d8069218e6a793e4cb461e09d4d9e
SHA1 cba0b162d94d80def76020a36c855543e8787ef9
SHA256 dfa8ce0bbd09c898957dc08ca9d3e1db2e87edd5d940c78f6b0becc6243d9d9e
SHA512 6c838cbba6623ec3f9168f79f27ba651073a96cda48cdce244883caba27004ac72f76c77f5012f0b044877fd3d90c1b9425465fc1782f0b5dc37d33c9f124e3e

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.FileProviders.Abstractions.dll

MD5 9b981dcb9329e9043987eb2c24371714
SHA1 c3c45b42a67525cbf8596cf6ef9a56d103bb70f9
SHA256 0706cedcd984a2478f10a9e57bb06e81bae2e0a1271507b26e91fb8f8c3413fe
SHA512 566bf7d258d3306742c3c585d04d19b338a8e1224e29ec7af35770e6827bf597a613775223cf93aa9afcb4ea3da0ca53b99493d9b3c6684da815907c8629b03e

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.FileExtensions.dll

MD5 8be2c97bbbe81795e3042602a21965e6
SHA1 cf89501075ac6713c091ca773dad2ba946b7c6ea
SHA256 385ec618612990af5b4d8ec6edffb13fbb5ff5a03e7786033b42ea061ee3976e
SHA512 d89a13ac0e3639acbb26f43739cd7a01ddb07fb03d7e0db5940dd28624d76014ba5e420b45f2d35b1acf0d9b3117a06f41f56109066fc95e9bb438d7516afc04

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.EnvironmentVariables.dll

MD5 f502afa74d2f363e79f3cb93c07b3655
SHA1 5c3aadc3ee63e726f840d9f2c0ac44744dd0fa19
SHA256 5ee4134c25d7c95dadf2d3681949a8b61f72358542edcdb4f2a56fbb469a69ea
SHA512 3630e378e93548762fabfda06a2cb2189e450e16a67583b207c70fbe836e257e0551f829dec10f6ba040e7d95caaccbe3db576266c6e8fc6a3e59e623c6b81d8

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.dll

MD5 4ae4c4004b28a9c7286ce1b4f2bbf415
SHA1 423c11f0e71b51378f39eb275093aa223c49f848
SHA256 d5f7cd54e4aa3b02bd445bd5b8ff4786cb6463ec976cbfe820fced5e272ec572
SHA512 7bf95813a0c66425dcf3e4d7e0078f72e97a3df9baff9cc525f2292f5cdbbe1cb52fd674089d1be15516770f214b9e7bc937de314eb9042441bf0ef1be28b044

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.Binder.dll

MD5 b825099a89c81fe4127ee2628596d5d1
SHA1 8e69faa62f82dd042a51a345eea19b959442e985
SHA256 f2f6d158380c32a50bdb827b4d63f97c364f221813641daf74c257034484b507
SHA512 5c8dd2275702daa09bee2a8dac563d1292eef6735cd0a3a250f633afb3ac7823769435c4a29796b0b3522d72312497bac86b5ca71cbba2fbe31ce9cc24557068

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Configuration.Abstractions.dll

MD5 baa7644ed2f322d1d2c953220987c4a9
SHA1 3860c3d54413837fd23e9a7081c15d27ab2ed4f0
SHA256 5da295c08aba9257c8f27a39a3d21e0ee82c4e55c098794688305c270b4983b6
SHA512 034cb63f8a8ccf99d2cb182c72e7e5ad67cd23baaca376dff3444c13e9c0bb78e1e5643ed82999130e9398fbd643cd86a875249401a49438b7d7976329d2ac74

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.FileSystemGlobbing.dll

MD5 f8dc23b883576fb84eccd1b7b56490d3
SHA1 c447b48529380954c878f1d933a10ef1bc402bb6
SHA256 1acb904f6eee86f33b507a7e7cf8f2112d34d1b34daf1532df4d800795d328bc
SHA512 2604147c8a3664e2abeeafe9503cbed07866c763581c7587f59f8472718995c7d17782385826d70ab515a73bf4efc57e91ec5738d09363689305592c38fdb6db

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Hosting.dll

MD5 39d2e1cf94347200c4e2d0f5415dec53
SHA1 0c2e97003acd0c2c0bc516c5b4c892de382239de
SHA256 2c355909c0c6415de0a8a8cc09ee5d6a4538fc19ede1fcff8baab3b1bdf5242b
SHA512 ea6b8deb8e807f87e52d6e06eae62afe595a83d247566a6210155aec9dfa7f9602da789e0985ae87157a56ef26f57bd458bb77f6f3bc34752139f6633f6db712

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Hosting.Abstractions.dll

MD5 e4e839b5661a74bb03505202231b56d4
SHA1 31b10ca90a0e492945dbec6cf530389504a7a462
SHA256 601e2c40c930dcd582d421f8f887b62eeadf8a675b77aaa2f98f532d8d97e24b
SHA512 a304a0e18865edd8225ee25ff99ac72843acb9970089e2328cdea8d116a839998d98a58310956b1f8c03caf15e57b91fcf7c2e65672839892fca700fb33f54eb

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.FileProviders.Physical.dll

MD5 4e153e7492eae30cd0aa49a3140c1ebe
SHA1 55c123a2f3d1c7e24c4ed5edc54043cd9c37810a
SHA256 6bda4bddedfbb9023a5330dc1fd528e851cf2c869e53f3248e704927cec107cc
SHA512 ba25bbbba4c3e454f4ec064195f5f5e9d0cc4c217b9b4ee538fd31d138224a12c58c0b97c588ea4ea482b2303b0afa04125c30bed102b7c5f2aa645d8e7c03bf

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Http.dll

MD5 1129546f4edbff1a420986dd25bec97a
SHA1 d01664a6749cc7fdf4d5997abdf72951a45f487c
SHA256 70dab4e760c996a618bd86fd514061f76296c70dc9a9e0da327635ffe6ee88d5
SHA512 a219d16ff2c9b4a5acbb07169b081d4a684355201469591dd75fd5cdee5103e5158c4e11fa32b4f81318aefb6363fa4d2cb61dc39e1b07d01b2d02161fb86d9f

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Configuration.dll

MD5 2ca8343993aa0c8d6d619cc2dcab3539
SHA1 d6f6dca968ea17998b7c98585f9d04f2d60f615d
SHA256 92182678c59bff339c919c6d37c94e57904987ac2b1a7f8edbc7a198f0f802f7
SHA512 804337f7a9311d1a7ac364131a095a3c93784ec5c0dc147ee4abedc804170a742f8e3aba4b326c795ca18d43cab76113d9c231f2d0c6023a7a0ea44228984fef

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Console.dll

MD5 f8536e13697fc017c0c4038a4db6074a
SHA1 1cde865ebae9bd7d000bd29872d692a1d9dba0f0
SHA256 a7e1a4601fa280ad97e4a94069157b057c2d5158388e57058f87cd9f8915337c
SHA512 fd061d0ba67fc6983479bf579d7dba71ac8cf1f3372ee97438b2e455344d56111f6f8ef601e9769d9d9a18789a174a96d7a47f04ca719b189bb56b42922ec061

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.Debug.dll

MD5 523731ef0c75f3cf36d17e0c0f7c6ee7
SHA1 50e24c55d1399ea6550652e3de8d80de7d1d02f7
SHA256 ce241f96331ca11eacac64c683e11fe659e5ac157eaa224c9fe742d20b1ce983
SHA512 727539dbcacb28b23a21e037d439bc8c506ac2aaccf1d1a7a76f6d91c6739f0c317a3e1ee2e6bff3f3f1eee172daacbce21fd35b4bff3ad4459de405167cfa7e

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.dll

MD5 73eab96c0898a78a61d89782ef6fab83
SHA1 07541eed457b5977890c13622d4fc4cabebc67fb
SHA256 c4b2b98c21b24b88640bc0be5dcd335d82df129dcaa0dcc778d91a759a037524
SHA512 90e8b699f451667d18762cbeb0f050f5462e97186b2b495b5de737ae565a7e1667c0ae5d89442ad93c08f2b5db5459b7febb63b1667466e13908f24cf1e3c075

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.EventLog.dll

MD5 fc9949be824804ec4875dfcb0eda5057
SHA1 85a10da292711b68ed97d493bb04cf6552b7d998
SHA256 97f6d53966086a22da7cff8c6bfa38dd5469f8faed34cbaeb0922e5ba576421f
SHA512 13cb04ea01094fcb904640d7bcb552bc8f523581932a5dd2a5660e362e92e21dc73e285663ab91ee2128b0cdb4b067f3e2e3a8cc798df333fdc5fe5cacc29a91

C:\Windows\Installer\MSIBD26.tmp-\Microsoft.Extensions.Logging.EventSource.dll

MD5 3a6dda95bb1aa1e413008d68b957bca2
SHA1 ac364ffc2cb711ffd43131ac9c6e86f1c408de65